1 files changed, 25 insertions, 3 deletions

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index b18efed..907958b 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,5 +1,7 @@
 class UsersController < ApplicationController
   before_action :set_user, only: [:show, :edit, :update, :destroy]
+  before_action :perms_edit, only: [:edit, :update, :destroy]
+  before_action :perms_create, only: [:new, :create]
 
   # GET /users
   # GET /users.json
@@ -10,6 +12,7 @@ class UsersController < ApplicationController
   # GET /users/1
   # GET /users/1.json
   def show
+    @user = User.find(params[:id])
   end
 
   # GET /users/new
@@ -28,10 +31,11 @@ class UsersController < ApplicationController
 
     respond_to do |format|
       if @user.save
-        format.html { redirect_to @user, notice: 'User was successfully created.' }
+        sign_in @user
+        format.html { redirect_to root_path, notice: 'User was successfully created.' }
         format.json { render action: 'show', status: :created, location: @user }
       else
-        format.html { render action: 'new' }
+        format.html { render action: 'new', status: :unprocessable_entity }
         format.json { render json: @user.errors, status: :unprocessable_entity }
       end
     end
@@ -67,8 +71,26 @@ class UsersController < ApplicationController
       @user = User.find(params[:id])
     end
 
+    def perms_edit
+      unless (current_user == @user) or (signed_in? and current_user.in_group? :admin)
+        respond_to do |format|
+          format.html { render action: 'permission_denied', status: :forbidden }
+          format.json { render json: "Permission denied", status: :forbidden }
+        end
+      end
+    end
+
+    def perms_create
+      if signed_in?
+        respond_to do |format|
+          format.html { render action: 'already_signed_in', status: :unprocessable_entity }
+          format.json { render json: "Already signed in", status: :unprocessable_entity }
+        end
+      end
+    end
+
     # Never trust parameters from the scary internet, only allow the white list through.
     def user_params
-      params.require(:user).permit(:name, :email, :user_name)
+      params.require(:user).permit(:name, :email, :user_name, :password, :password_confirmation)
     end
 end