Merge pull request #1187 from YaleSTC/1185_fix_banned_users_v34

[v3.4] #1185 Fix Banned Users

Author: orenyk

CHANGELOG.md

@@ -5,6 +5,11 @@ Changelog
 * This file will be updated whenever a new release is put into production.
 * Any problems should be reported via the "report an issue" link in the footer of the application.
 
+### v3.4.9
+*Released on 16 March 2015*
+#### Bug Fixes
+* Banned users can no longer have reservations created for them or equipment checked out to them ([#1185](https://github.com/YaleSTC/reservations/issues/1185)).
+
 ### v3.4.8
 *Released on 26 October 2014*
 #### Bug Fixes

app/controllers/reservations_controller.rb

@@ -13,6 +13,8 @@ class ReservationsController < ApplicationController
 
   def set_user
     @user = User.find(params[:user_id])
+    return unless @user.role == 'banned'
+    flash[:error] = 'This user is banned and cannot check out equipment.'
   end
 
   def set_reservation
@@ -53,7 +55,10 @@ def new
       # error handling
       @errors = cart.validate_all
       unless @errors.empty?
-        if can? :override, :reservation_errors
+        if @errors[0].include?('banned')
+          flash[:error] = 'Reservations cannot be created for banned users.'
+          redirect_to root_path
+        elsif can? :override, :reservation_errors
           flash[:error] = 'Are you sure you want to continue? Please review the errors below.'
         else
           flash[:error] = 'Please review the errors below. If uncorrected, any reservations with errors will be filed as a request, and subject to administrator approval.'
@@ -75,7 +80,7 @@ def create
     notes = params[:reservation][:notes]
     requested = !@errors.empty? && (cannot? :override, :reservation_errors)
 
-    if !@errors.blank? && notes.blank?
+    if !@errors.blank? && notes.blank? && !@errors[0].include?('banned')
       # there were errors but they didn't fill out the notes
       flash[:error] = "Please give a short justification for this reservation #{requested ? 'request' : 'override'}"
       @notes_required = true
@@ -159,7 +164,11 @@ def checkout
     params[:reservations].each do |reservation_id, reservation_hash|
       if reservation_hash[:equipment_object_id].present?
         # update attributes for all equipment that is checked off
-        r = Reservation.find(reservation_id)
+        r = Reservation.includes(:reserver).find(reservation_id)
+        if r.reserver.role == 'banned'
+          flash[:error] = 'Banned users cannot check out equipment.'
+          redirect_to(root_path) && return
+        end
         r.checkout_handler = current_user
         r.checked_out = Time.now
         r.equipment_object_id = reservation_hash[:equipment_object_id]
@@ -308,13 +317,15 @@ def upcoming
   end
 
   def manage # initializer
+    redirect_to(root_path) && return unless flash[:error].nil?
     @check_out_set = @user.due_for_checkout
     @check_in_set = @user.due_for_checkin
 
     render :manage, layout: 'application'
   end
 
   def current
+    redirect_to(root_path) && return unless flash[:error].nil?
     @user_overdue_reservations_set = [Reservation.overdue.for_reserver(@user)].delete_if{|a| a.empty?}
     @user_checked_out_today_reservations_set = [Reservation.checked_out_today.for_reserver(@user)].delete_if{|a| a.empty?}
     @user_checked_out_previous_reservations_set = [Reservation.checked_out_previous.for_reserver(@user)].delete_if{|a| a.empty?}

app/controllers/users_controller.rb

@@ -29,6 +29,9 @@ def index
   end
 
   def show
+    if @user.role == 'banned' && @user.id != current_user.id
+      flash[:error] = 'Please note that this user is banned.'
+    end
     @user_reservations = @user.reservations
     @all_equipment = Reservation.active.for_reserver(@user)
     @show_equipment = { checked_out:  @user.reservations.checked_out,

app/models/cart_validations.rb

@@ -11,6 +11,7 @@ def validate_all(renew = false)
     # if passed with true argument doesn't run validations that should be
     # skipped when validating renewals
     errors = []
+    errors += check_banned
     errors += check_start_date_blackout
     errors += check_due_date_blackout
     errors += check_overdue_reservations unless renew
@@ -30,6 +31,16 @@ def validate_all(renew = false)
     return errors.uniq.reject{ |a| a.blank? }
   end
 
+  def check_banned
+    errors = []
+    reserver = User.find_by_id(reserver_id)
+    if reserver && reserver.role == 'banned'
+      errors << 'The reserver is banned and cannot reserve additional '\
+        'equipment.'
+    end
+    errors
+  end
+
   def check_start_date_blackout
     # check that the start date is not on a blackout date
     # 1 query
@@ -187,5 +198,4 @@ def check_requirements(items = self.get_items)
     end
     return ["#{user.name} is missing the following certifications: #{unfulfilled_req_text.to_sentence}"]
   end
-
 end

app/models/reservation.rb

@@ -13,7 +13,7 @@ class Reservation < ActiveRecord::Base
   validates :equipment_model, :start_date, :due_date, presence: true
   validate :start_date_before_due_date
   validate :matched_object_and_model
-  validate :not_in_past, :available, on: :create
+  validate :not_in_past, :available, :check_banned, on: :create
 
   nilify_blanks only: [:notes]
 
@@ -136,6 +136,9 @@ def is_eligible_for_renew?
     # determines if a reservation is eligible for renewal, based on how many days before the due
     # date it is and the max number of times one is allowed to renew
     #
+
+    return false if reserver.role == 'banned'
+
     self.times_renewed ||= 0
 
     # you can't renew a checked in reservation, or one without an equipment model

app/models/reservation_validations.rb

@@ -39,8 +39,12 @@ def available
   # Does not run on checked out, checked in, overdue, or missed Reservations
   def not_in_past
     if due_date < Date.today || start_date < Date.today
-      errors.add(:base, "Cannot create reservation in the past\n")
+      errors.add(:base, "Cannot create reservation in the past.\n")
     end
   end
 
+  def check_banned
+    return unless reserver.role == 'banned'
+    errors.add(:base, "Reserver cannot be banned.\n")
+  end
 end