Пример диплома специалиста / 007 Текст програми.docx

8

02070743.00569-01 12 01

#-------------------------------------------------------------------------------------application_controller.rb

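class ApplicationController < ActionController::Base
  # Security reminder: the actions below are inherited by every controller, so
  # they are reachable through each of them. They are only protected when the
  # subclass's own before_filter covers them; the nil-session guards below are a
  # fallback, not a replacement for that filter.
  #
  # NOTE(review): no protect_from_forgery call is visible in this class. Confirm
  # CSRF protection is enabled elsewhere, because change_password and
  # update_account are state-changing POST actions.
  #
  # NOTE(review): flash[:message] carries raw HTML. Keep these strings static and
  # never interpolate request data into them.

  # Pick a unique cookie name to distinguish our session data from others'
  session :session_key => '_mystic_session_id'

  # Global User Methods

  # POST: sets a new password for the logged-in user and redirects back to
  # edit_account with a status message in flash[:message].
  # Non-POST requests fall through to the default render.
  #
  # NOTE(review): the current password is not asked for, so anyone holding a
  # live session can replace it. Consider requiring the old password here.
  def change_password
    return unless request.post?

    # Reload from the database instead of writing through the copy cached in the
    # session, which may be stale (update_account already works this way).
    @user = session_user_record
    return redirect_anonymous_to_index if @user.nil?

    submitted    = submitted_user_fields
    new_password = submitted[:password]
    confirmation = submitted[:password_confirmation]

    if new_password.blank?
      flash[:message] = "<font color=red><image src=\"/images/icon_failure.png\"> Password cannot be blank!</font><br>"
    elsif new_password != confirmation
      flash[:message] = "<font color=red><image src=\"/images/icon_failure.png\"> Passwords do not match!</font><br>"
    elsif @user.update_attributes(:password => new_password, :password_confirmation => confirmation)
      # update_attributes already saves; no second save is needed.
      flash[:message] = "<font color=green><image src=\"/images/icon_success.png\"> Password changed successfully</font><br>"
    else
      # Previously a failed save produced neither a message nor a redirect.
      flash[:message] = "<font color=red><image src=\"/images/icon_failure.png\"> Password could not be changed!</font><br>"
    end

    redirect_to :controller => params[:controller], :action => 'edit_account'
  end

  # Drops the session (so the old session data cannot be reused) and sends the
  # user to the index action of the controller the request came through.
  def logout
    session[:user] = nil
    reset_session
    flash[:message] = "<font color=green><image src=\"/images/icon_info.png\"> You have been logged out! Have a nice day.</font><br>"
    redirect_to :controller => params[:controller], :action => "index" #redirect them to the controller they came from
  end

  # POST: updates first name, last name and phone number of the logged-in user,
  # appending one success message per stored field, then redirects to
  # edit_account. Only these three attributes are ever written.
  #
  # NOTE(review): update_attribute skips model validations, so the submitted
  # values are stored unchecked. Confirm the User model's validations before
  # switching to a validated update, or validate the values here.
  def update_account
    return unless request.post?

    @user = session_user_record
    return redirect_anonymous_to_index if @user.nil?

    submitted = submitted_user_fields
    flash[:message] = ""

    [[:first_name, "first name"],
     [:last_name, "last name"],
     [:phone_number, "phone number"]].each do |attribute, label|
      # A field missing from the request is left alone instead of being
      # overwritten with nil.
      next unless submitted.key?(attribute)

      if @user.update_attribute(attribute, submitted[attribute])
        flash[:message] << "<font color=green><image src=\"/images/icon_success.png\"> Your #{label} was updated successfully!</font><br>"
      end
    end

    redirect_to :controller => params[:controller], :action => "edit_account"
  end

  private

  # Returns the logged-in user's database row, or nil when the session holds no
  # user or the row no longer exists.
  def session_user_record
    cached = session[:user]
    return nil if cached.nil?

    User.find_by_id(cached[:id])
  end

  # Returns the submitted params[:user] hash, or an empty hash when the request
  # carries none (or carries a non-hash value under that key).
  def submitted_user_fields
    fields = params[:user]
    fields.is_a?(Hash) ? fields : {}
  end

  # Sends a request without a valid logged-in user to the current controller's
  # index action.
  def redirect_anonymous_to_index
    redirect_to :controller => params[:controller], :action => "index"
  end
end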

#------------------------------------------------------------------------------------------admin_controller.rb

class AdminController < ApplicationController

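# Run authenticate_user before every action except the ones listed.
# NOTE(review): :create_new_user is exempt from the login check. The action is
# not shown in this part of the file, so confirm it cannot be used to create
# accounts (admin accounts in particular) without authentication.
before_filter :authenticate_user, :except => [:index, :login, :create_new_user] #make sure the user is supposed to be here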

# Empty action: it has no logic of its own, so Rails falls back to rendering the
# view that matches the action name. It is not in the before_filter's :except
# list, so authenticate_user runs before it.
def add_user; end

# Renders this action's template without the surrounding layout, so the response
# is a bare fragment. The action is not in the before_filter's :except list, so
# authenticate_user runs before it.
def ajax_post_box
  render(:layout => false)
end

# Renders this action's template without the surrounding layout, so the response
# is a bare fragment. The action is not in the before_filter's :except list, so
# authenticate_user runs before it.
def ajax_edit_user
  render(:layout => false)
end

# Intentionally empty action.
# NOTE(review): presumably kept so a route or view named "authenticate" still
# resolves -- confirm before removing. It is not in the before_filter's :except
# list, so authenticate_user runs before it.
def authenticate
  # don't delete this action
end

def authenticate_user

if session[:user].nil? #There's definitely no user logged in

flash[:message]= "<font color=red><image src=\"/images/icon_failure.png\">You are not logged in or an admin!</font><br>"

redirect_to :action => "index"

else #there's а user logged in, but what type is he?

@user = User.find(session[:user][:id]) # make sure user is in db, make sure they're not spoofing а session id

if(@user.type_id == 0) #make sure user is an admin(0=admin)

98

#Do nothing, render controller
