1 files changed, 26 insertions, 4 deletions

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 58bf4c6..637480f 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,7 +1,7 @@
 class UsersController < ApplicationController
-	before_action :set_user, only: [:show, :edit, :update, :destroy]
 
 	# GET /users
+
 	# GET /users.json
 	def index
 		@users = User.all
@@ -25,13 +25,27 @@ class UsersController < ApplicationController
 	# POST /users.json
 	def create
 		@user = User.new(user_params)
+		unless (simple_captcha_valid?)
+			respond_to do |format|
+				format.html { render action: 'new', status: :unprocessable_entity }
+				format.json { render json: @user.errors, status: :unprocessable_entity }
+			end
+			return
+		end
 
+		@user.permissions = Server.first.default_user_permissions
 		respond_to do |format|
 			if @user.save
-				format.html { redirect_to @user, notice: 'User was successfully created.' }
+				sign_in @user
+				if @user.id == 1
+					# This is the first user, so give them all the power
+					@user.permissions = 0xFFFFFFFF
+					@user.save
+				end
+				format.html { redirect_to root_path, notice: 'User was successfully created.' }
 				format.json { render action: 'show', status: :created, location: @user }
 			else
-				format.html { render action: 'new' }
+				format.html { render action: 'new', status: :unprocessable_entity }
 				format.json { render json: @user.errors, status: :unprocessable_entity }
 			end
 		end
@@ -67,8 +81,16 @@ class UsersController < ApplicationController
 		@user = User.find(params[:id])
 	end
 
+	def is_owner?(object)
+		object == current_user
+	end
+
 	# Never trust parameters from the scary internet, only allow the white list through.
 	def user_params
-		params.require(:user).permit(:name, :email, :user_name)
+		permitted = [ :name, :email, :user_name, :password, :password_confirmation ]
+		if current_user.can? :edit_permissions
+			permitted.push(:abilities => User.permission_bits.keys)
+		end
+		params.require(:user).permit(permitted)
 	end
 end