Bugfixes: menu bar profile picture, persmissions, posessive pronouns

Author: timcowlishaw

app/controllers/ui/users_controller.rb

@@ -1,24 +1,25 @@
 module Ui
   class UsersController < ApplicationController
     include SharedControllerMethods
+    include UserHelper
 
     def index
       redirect_to current_user ? ui_user_path(current_user.username) : login_path
     end
 
     def show
       find_user!
-      @title = I18n.t(:show_user_title, username: @user.username)
+      @title = I18n.t(:show_user_title, owner: owner(true))
       add_breadcrumb(@title, ui_user_path(@user.username))
       render "show", layout: "base"
     end
 
     def secrets
       find_user!
-      return unless authorize_user!
-      @title = I18n.t(:secrets_user_title, username: @user.username)
+      return unless authorize_user! :show_secrets?, :secrets_user_forbidden
+      @title = I18n.t(:secrets_user_title, owner: owner)
       add_breadcrumbs(
-        [I18n.t(:show_user_title, username: @user.username), ui_user_path(@user.username)],
+        [I18n.t(:show_user_title, owner: owner(true)), ui_user_path(@user.username)],
         [@title, secrets_ui_user_path(@user.username)]
       )
     end
@@ -59,17 +60,17 @@ def create
 
     def edit
       find_user!
-      return unless authorize_user!
-      @title = I18n.t(:edit_user_title)
+      return unless authorize_user! :update?, :edit_user_forbiden
+      @title = I18n.t(:edit_user_title, owner: owner)
       add_breadcrumbs(
-        [I18n.t(:show_user_title, username: @user.username), ui_user_path(@user.username)],
+        [I18n.t(:show_user_title, owner: owner(true)), ui_user_path(@user.username)],
         [@title, edit_ui_user_path(@user.username)]
       )
     end
 
     def update
       find_user!
-      return unless authorize_user!
+      return unless authorize_user! :update?, :edit_user_forbiden
       if @user.update(params.require(:user).permit(
         :profile_picture,
         :username,
@@ -90,18 +91,18 @@ def update
 
     def delete
       find_user!
-      return unless authorize_user!
-      @title = I18n.t(:delete_user_title)
+      return unless authorize_user! :destroy?, :delete_user_forbidden
+      @title = I18n.t(:delete_user_title, owner: owner)
       add_breadcrumbs(
-        [I18n.t(:show_user_title, username: @user.username), ui_user_path(@user.username)],
-        [I18n.t(:edit_user_title, username: @user.username), edit_ui_user_path(@user.username)],
+        [I18n.t(:show_user_title, owner: owner(true)), ui_user_path(@user.username)],
+        [I18n.t(:edit_user_title, owner: owner), edit_ui_user_path(@user.username)],
         [@title, delete_ui_user_path(@user.username)]
       )
     end
 
     def destroy
       find_user!
-      return unless authorize_user!
+      return unless authorize_user! :destroy?, :delete_user_forbidden
       if @user.username != params[:username]
         flash[:alert] = I18n.t(:delete_user_wrong_username)
         redirect_to delete_ui_user_path(@user.username)
@@ -122,11 +123,15 @@ def find_user!
       @user = User.friendly.find(params[:id])
     end
 
-    def authorize_user!
-      return true if authorize? @user, :destroy?
-      flash[:alert] = I18n.t(:delete_user_forbidden)
+    def authorize_user!(action, alert)
+      return true if authorize? @user, action
+      flash[:alert] = I18n.t(alert)
       redirect_to current_user ? ui_user_path(@user) : login_path
       return false
     end
+
+    def owner(capitalize=false)
+      possessive(@user, current_user, capitalize: capitalize)
+    end
   end
 end

app/helpers/user_helper.rb

@@ -6,4 +6,15 @@ def profile_picture_url(user)
       ''
     end
   end
-end
+
+  def possessive(user, current_user, params={})
+    first_person = params[:first_person]
+    capitalize = params[:capitalize]
+    if current_user && current_user == user
+      pronoun = t(first_person ? :first_person_possessive : :second_person_possessive)
+      capitalize ? pronoun.capitalize : pronoun
+    else
+      t :third_person_possessive, username: user.username
+    end
+  end
+end

app/policies/user_policy.rb

@@ -25,6 +25,6 @@ def update_password?
   end
 
   def show_secrets?
-    user == record
+    user.try(:is_admin?) || user == record
   end
 end

app/views/layouts/_nav.html.erb

@@ -36,7 +36,7 @@
             <a class="nav-link ms-md-2" title="<%= t :profile_pic_alt_text %>" href="<%= ui_user_path(current_user.username) %>">
               <div class="circular-image-crop navbar-profile-image">
                 <%= image_tag(
-                  @user.profile_picture.present? ? @user.profile_picture : "default_avatar.svg",
+                  current_user.profile_picture.present? ? current_user.profile_picture : "default_avatar.svg",
                   alt: t(:profile_pic_alt_text),
                   class: "w-100"
                 ) %>

app/views/ui/users/delete.html.erb

@@ -1,8 +1,8 @@
 <%= bootstrap_form_tag url: ui_user_path(@user.id), method: :delete do |f| %>
   <%= f.hidden_field :token, value: @token %>
   <p><%= t(:delete_user_warning_html, username: current_user.username) %></p>
-  <%= f.text_field :username, label: t(:delete_user_username_label)  %>
+  <%= f.text_field :username, label: t(:delete_user_username_label, owner: possessive(@user, current_user))  %>
   <div class="mt-4">
-    <%= f.primary t(:delete_user_submit), class: "btn btn-danger w-100 w-md-auto" %>
+    <%= f.primary t(:delete_user_submit, owner: possessive(@user, current_user, first_person: true)), class: "btn btn-danger w-100 w-md-auto" %>
   </div>
 <% end %>

app/views/ui/users/edit.html.erb

@@ -18,6 +18,8 @@
   <div class="mt-5">
     <%= f.primary t(:edit_user_submit), class: "btn btn-primary w-100 w-md-auto" %>
   </div>
-  <h2 class="mt-5 mb-3"><%= t(:edit_user_other_actions_subhead) %></h2>
-  <div><%= link_to t(:edit_user_delete_account_submit), delete_ui_user_path(@user.username), class: "btn btn-danger w-100 w-md-auto" %></div>
+  <% if authorize? @user, :destroy? %>
+    <h2 class="mt-5 mb-3"><%= t(:edit_user_other_actions_subhead) %></h2>
+    <div><%= link_to t(:edit_user_delete_account_submit, owner: possessive(@user, current_user)), delete_ui_user_path(@user.username), class: "btn btn-danger w-100 w-md-auto" %></div>
+  <%  end %>
 <% end %>

app/views/ui/users/secrets.html.erb

@@ -7,7 +7,7 @@
 
 <% if @user.forward_device_readings? %>
   <div class="mt-5">
-    <h1 class="mb-4"><%= t :secrets_user_forwarding_heading %></h1>
+    <h1 class="mb-4"><%= t :secrets_user_forwarding_heading, owner: possessive(@user, current_user) %></h1>
     <p><%= t :secrets_user_forwarding_blurb_html %></p>
     <%= render partial: "ui/shared/copyable_input", locals: {
       name: t(:secrets_user_forwarding_token_label),

app/views/ui/users/show.html.erb

@@ -33,12 +33,12 @@
         <div class="actions mt-3">
             <p class="mb-0">
               <% if authorize? @user, :update? %>
-                <%= link_to(t(:show_user_edit_cta), edit_ui_user_path(@user), class: "btn btn-dark me-md-2 w-100 w-md-auto") %>
+                <%= link_to(t(:show_user_edit_cta, owner: possessive(@user, current_user)), edit_ui_user_path(@user), class: "btn btn-dark me-md-2 w-100 w-md-auto") %>
               <% end %>
               <% if authorize? @user, :show_secrets? %>
-                <%= link_to(t(:show_user_secrets_cta), secrets_ui_user_path(@user), class: "btn btn-dark me-md-2 mt-3 mt-md-0 w-100 w-md-auto") %>
+                <%= link_to(t(:show_user_secrets_cta, owner: possessive(@user, current_user)), secrets_ui_user_path(@user), class: "btn btn-dark me-md-2 mt-3 mt-md-0 w-100 w-md-auto") %>
               <% end %>
-              <% if @user %>
+              <% if current_user == @user %>
                 <%= link_to(t(:show_user_log_out_cta), logout_path, class: "btn btn-dark mt-3 mt-lg-0 w-100 w-md-auto") %>
               <% end %>
             </p>

config/locales/controllers/en.yml

@@ -9,16 +9,17 @@ en:
     password_reset_success: "Changed password for: %{username}."
     password_reset_invalid: "Your reset code might be too old or have been used before."
     destroy_session_success: "Logged out!"
-    show_user_title: "%{username}'s profile"
-    secrets_user_title: "Your API keys"
+    show_user_title: "%{owner} profile"
+    secrets_user_title: "%{owner} API keys"
+    secrets_user_forbidden: "You are not allowed to see API keys for that user account!"
     new_user_title: "Sign up"
     new_user_success: "Thanks for signing up! You are now logged in."
     new_user_failure: "Some errors prevented us from creating your account. Please check below and try again!"
-    edit_user_title: "Edit your profile"
+    edit_user_title: "Edit %{owner} profile"
     edit_user_forbidden: "You are not allowed to edit that user account!"
     update_user_success: "Your profile has been updated!"
     update_user_failure: "Some errors prevented us from updating your profile. Please check below and try again!"
-    delete_user_title: "Delete your account"
+    delete_user_title: "Delete %{owner} account"
     post_delete_user_title: "We are sorry to see you go!"
     delete_user_forbidden: "You are not allowed to delete that user account!"
     delete_user_wrong_username: "That username did not match! Please try again."

config/locales/helpers/user/en.yml

@@ -0,0 +1,4 @@
+en:
+  second_person_possessive: "your"
+  third_person_possessive: "%{username}'s"
+  first_person_possessive: "my"