From 4ceccc3c646aae5f10d897e4b473d87999dbd292 Mon Sep 17 00:00:00 2001
From: Giovanni Sakti
Date: Mon, 17 Dec 2018 06:09:03 +0700
Subject: [PATCH 1/4] only the user themselves can regenerate their token
---
 app/controllers/users_controller.rb | 26 +++++++++++++++++---------
 app/views/users/show.html.slim | 25 +++++++++++++------------
 2 files changed, 30 insertions(+), 21 deletions(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 08d79d18..e83869f9 100755
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -92,15 +92,23 @@ def search
 # GET /users/:id/regenerate_token
 def regenerate_token
 @user = User.find(params[:id])
- @access_token = @user.access_token
- @access_token.token = ROTP::Base32.random_base32
- respond_to do |format|
- if @access_token.save
- format.html { redirect_to user_path(@user.id), notice: 'Token regenerated.', flash: {token: @access_token.token} }
- format.json { render :show, status: :ok, location: @user }
- else
- format.html { redirect_to user_path(@user.id), notice: 'Token failed to regenerate.' }
- format.json { render json: @user.errors, status: :unprocessable_entity }
+
+ if (current_user.admin? or (current_user.id == @user.id))
+ @access_token = @user.access_token
+ @access_token.token = ROTP::Base32.random_base32
+ respond_to do |format|
+ if @access_token.save
+ format.html { redirect_to user_path(@user.id), notice: 'Token regenerated.', flash: {token: @access_token.token} }
+ format.json { render :show, status: :ok, location: @user }
+ else
+ format.html { redirect_to user_path(@user.id), notice: 'Token failed to regenerate.' }
+ format.json { render json: @user.errors, status: :unprocessable_entity }
+ end
+ end
+ else
+ respond_to do |format|
+ format.html { redirect_to user_path(@user.id), notice: 'You cannot regenerate this token.' }
+ format.json { render json: @user.errors, status: :unauthorized }
 end
 end
 end
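Review bot: The action still mutates state on a GET (the `# GET /users/:id/regenerate_token` comment survives as context), and Rails' request-forgery check only verifies non-GET verbs, so the new owner/admin check does nothing against a cross-site request that regenerates the logged-in user's own token; route it as POST and emit the link with `method: :post` or `button_to`. The denied branch answers `render json: @user.errors, status: :unauthorized` although the requester is authenticated and `@user.errors` is empty at that point; `head :forbidden` (or a JSON body naming the reason with `status: :forbidden`) states the situation correctly. The predicate also assumes `current_user` is non-nil, which holds only if the controller has an authentication `before_action` that is not visible in this hunk. Minor: `or` binds lower than `=`/`!`, and the project otherwise uses `||`; `if current_user.admin? || current_user == @user` reads the same and avoids the trap.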
diff --git a/app/views/users/show.html.slim b/app/views/users/show.html.slim
index f7430631..c3145b7b 100755
--- a/app/views/users/show.html.slim
+++ b/app/views/users/show.html.slim
@@ -16,18 +16,19 @@
 span.input-group-text @
 input#email.form-control placeholder="you@example.com" readonly="" type="email" value="#{@user.email}"
- form.needs-validation novalidate=""
- .form-row.mb-3
- .col
- b Your Access Token
- .col
- - if flash[:token]
- .alert.alert-warning role="alert"
- | Important! please make note of this token, you will see it only this once.
- pre
- = flash[:token]
- - else
- = link_to 'Regenerate Token', regenerate_token_user_path(@user), :data => {:confirm => 'Are you sure?'}
+ - if (current_user.admin? or (current_user.id == @user.id))
+ form.needs-validation novalidate=""
+ .form-row.mb-3
+ .col
+ b Your Access Token
+ .col
+ - if flash[:token]
+ .alert.alert-warning role="alert"
+ | Important! please make note of this token, you will see it only this once.
+ pre
+ = flash[:token]
+ - else
+ = link_to 'Regenerate Token', regenerate_token_user_path(@user), :data => {:confirm => 'Are you sure?'}
 - if current_user.admin?
 .card
From f011fae12a089c0dac027b3977330b02743c77fe Mon Sep 17 00:00:00 2001
From: Giovanni Sakti
Date: Mon, 17 Dec 2018 06:09:26 +0700
Subject: [PATCH 2/4] only the user themselves can update their public key
---
 app/views/users/show.html.slim | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/app/views/users/show.html.slim b/app/views/users/show.html.slim
index c3145b7b..0d977487 100755
--- a/app/views/users/show.html.slim
+++ b/app/views/users/show.html.slim
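Review bot: The predicate `(current_user.admin? or (current_user.id == @user.id))` is now written verbatim here and in `users_controller#regenerate_token`, and patch 2/4 copies it a third time into the public-key card, so the three can drift apart; one helper exposed to views, e.g. `def manages_user?(user) current_user.admin? || current_user == user end` declared as a `helper_method`, lets the view and the action share a single rule. The view only hides the 'Regenerate Token' link; the controller check is what enforces the rule, so the two must stay in step. The link remains a plain `link_to` (a GET) guarded only by a JavaScript confirm, which is not a protection; `button_to 'Regenerate Token', regenerate_token_user_path(@user), method: :post, data: {confirm: 'Are you sure?'}` belongs here once the route accepts POST.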
@@ -74,15 +74,21 @@
 br
 .card
 .card-body
- h6.card-title Public Key
- = form_tag user_public_key_update_path, method: :post do
- .row
- .col
- = text_area_tag "public_key", @user.public_key, class: "form-contol text-align-top", style: "height:200px;width:100%;", placeholder: "Your public key here..."
- br
- .row
- .col-md-3
- = submit_tag "Update key", class: "form-control btn-md btn-primary"
+ - if (current_user.admin? or (current_user.id == @user.id))
+ h6.card-title Public Key
+ = form_tag user_public_key_update_path, method: :post do
+ .row
+ .col
+ = text_area_tag "public_key", @user.public_key, class: "form-contol text-align-top", style: "height:200px;width:100%;", placeholder: "Your public key here..."
+ br
+ .row
+ .col-md-3
+ = submit_tag "Update key", class: "form-control btn-md btn-primary"
+ - else
+ h6.card-title Public Key
+ .row
+ .col
+ = @user.public_key
 br
 .card
From aabe26384bf0d92f0938accf194e0b95db18f128 Mon Sep 17 00:00:00 2001
From: Giovanni Sakti
Date: Mon, 17 Dec 2018 06:10:54 +0700
Subject: [PATCH 3/4] only site-wide admin / super admin can manage group admins
---
 app/controllers/groups_controller.rb | 4 ++--
 app/views/groups/show.html.slim | 25 +++++++++++++------------
 2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 7c61ba41..6286639b 100755
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -97,7 +97,7 @@ def add_machine
 end
 def add_admin
- if current_user.admin? or @group.admin?(current_user)
+ if current_user.admin?
 GroupAdmin.find_or_create_by(group_id: @group.id, user_id: params[:user_id])
 end
@@ -109,7 +109,7 @@ def add_admin
 end
 def remove_admin
- if current_user.admin? or @group.admin?(current_user)
+ if current_user.admin?
 GroupAdmin.delete(params[:group_admin_id])
 end
diff --git a/app/views/groups/show.html.slim b/app/views/groups/show.html.slim
index e5d641ec..15ef0a56 100755
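Review bot: Hiding the form behind `- if (current_user.admin? or (current_user.id == @user.id))` changes what is rendered, not what the server accepts: the action behind `user_public_key_update_path` is not touched anywhere in this series, so unless it already performs the same owner/admin check (not visible here) the change is cosmetic and that action still needs a guard such as `return head :forbidden unless current_user.admin? || current_user == @user`, or a shared `before_action`. Both branches begin with `h6.card-title Public Key`; lifting that line above the `- if` removes the duplication. The read-only branch prints `= @user.public_key` inline, which Slim escapes, but a `pre` wrapper keeps the key's line structure readable; `form-contol` in the text area's class is a pre-existing typo for `form-control` that this rewrite could fix in passing.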
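Review bot: When `current_user.admin?` is false the method merely skips the `GroupAdmin.find_or_create_by` call and falls through to whatever follows the `end` (the rest of `add_admin`, including its response, lies outside the hunk), so a non-admin presumably receives the same redirect as a successful call with no indication that the request was refused; an explicit denial, e.g. `return head :forbidden unless current_user.admin?` at the top of the action, or `before_action :require_site_admin, only: %i[add_admin remove_admin]`, keeps the authorization decision visible in the response and the logs. The `remove_admin` hunk below has the same silent fall-through. `params[:user_id]` is passed straight into `find_or_create_by`; resolving it with `User.find(params[:user_id])` first (404 for an unknown id) avoids creating a `GroupAdmin` row for a user that does not exist, unless a database foreign key already guarantees that.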
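Review bot: `GroupAdmin.delete(params[:group_admin_id])` deletes by primary key with no reference to `@group`, so the id in the request does not have to belong to the group this action is routed for; scoping the delete, `GroupAdmin.where(id: params[:group_admin_id], group_id: @group.id).delete_all`, keeps the action within its own group even now that only site admins can reach it. The remainder of `remove_admin` is outside the hunk, so whether a zero-row delete is reported to the caller cannot be seen here; a `find` followed by `destroy` would surface an unknown id as a 404 instead of silently succeeding.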
--- a/app/views/groups/show.html.slim
+++ b/app/views/groups/show.html.slim
@@ -19,18 +19,19 @@
 .col
 = "#{admin.user.try(:name)}"
 .col
- - if (current_user.admin? or @group.admin?(current_user) ) and current_user.id != admin.user.try(:id)
- = link_to "Remove?", [@group, admin], method: :delete, data: {confirm: "Are you sure to remove #{admin.user.try(:name)} ?"}
- .row
- .col
- = text_field_tag "user_id", "", id: "assign_admin_user_id", class: "form-control"
- .col
- = submit_tag "Assign admin", class: "form-control btn btn-md btn-primary", disabled: true
- .row
- .col
- = check_box_tag "assign_admin_include_inactive_user", "true", false
- = " Include Inactive User"
- .col
+ - if (current_user.admin?)
+ = link_to "Remove?", [@group, admin], method: :delete, data: {confirm: "Are you sure to remove #{admin.user.try(:name)} ?"}
+ - if (current_user.admin?)
+ .row
+ .col
+ = text_field_tag "user_id", "", id: "assign_admin_user_id", class: "form-control"
+ .col
+ = submit_tag "Assign admin", class: "form-control btn btn-md btn-primary", disabled: true
+ .row
+ .col
+ = check_box_tag "assign_admin_include_inactive_user", "true", false
+ = " Include Inactive User"
+ .col
 a name="group_members"
 br
 .card
From 85520f7b657d5985c33b07b9b3393a98431e4e9d Mon Sep 17 00:00:00 2001
From: Giovanni Sakti
Date: Mon, 17 Dec 2018 06:11:45 +0700
Subject: [PATCH 4/4] group admin can only see assign member button of groups that they administrate
---
 app/views/groups/show.html.slim | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/views/groups/show.html.slim b/app/views/groups/show.html.slim
index 15ef0a56..9876f5f1 100755
--- a/app/views/groups/show.html.slim
+++ b/app/views/groups/show.html.slim
@@ -60,7 +60,7 @@
 br
 = "*This group does not have any group members" if @group.users.count == 0
 br
- - if current_user.admin? || current_user.group_admin?
+ - if current_user.admin or @group.admin?(current_user)
 = form_tag add_user_to_group_path, method: :post do
 .row
 .col
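Review bot: The removed condition carried `and current_user.id != admin.user.try(:id)`, which kept the "Remove?" link off the row for the viewer's own admin entry; the new `- if (current_user.admin?)` drops that guard, so a site admin who is also listed as an admin of this group now sees a link to remove themselves. If that is intended the commit message should say so; otherwise keep `- if current_user.admin? && current_user.id != admin.user.try(:id)`. Either way the view-level gate does not replace the check in `remove_admin`, which this series tightens separately, and the two need to agree. Style: the parentheses in `- if (current_user.admin?)` (both occurrences) are unnecessary.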
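Review bot: The new condition calls `current_user.admin` without the `?`, while the removed line and every other check in this series use `current_user.admin?`; if `admin` is a plain boolean column both work, but if `admin?` is a custom method the two can disagree, so the view should read `- if current_user.admin? || @group.admin?(current_user)`. As with the other view changes, the form is only hidden: the action behind `add_user_to_group_path` (not part of this series) must itself check `@group.admin?(current_user)` for the restriction to hold. `or` → `||` also restores consistency with the line being replaced.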