7 files changed, 112 insertions, 76 deletions

diff --git a/app/controllers/alerts_controller.rb b/app/controllers/alerts_controller.rb
index 873e9b7..ac11854 100644
--- a/app/controllers/alerts_controller.rb
+++ b/app/controllers/alerts_controller.rb
@@ -1,5 +1,6 @@
 class AlertsController < ApplicationController
   before_action :set_alert, only: [:show, :edit, :update, :destroy]
+  before_action :check_perms, only: [:new, :create, :edit, :update, :destroy]
 
   # GET /alerts
   # GET /alerts.json
@@ -67,6 +68,15 @@ class AlertsController < ApplicationController
       @alert = Alert.find(params[:id])
     end
 
+	def check_perms
+		unless (signed_in? and (current_user.in_group?(:admin) or current_user.in_group?(:host)))
+			respond_to do |format|
+				format.html { render action: 'permission_denied', status: :forbidden }
+				format.json { render json: "Permission denied", status: :forbidden }
+			end
+		end
+	end
+
     # Never trust parameters from the scary internet, only allow the white list through.
     def alert_params
       params.require(:alert).permit(:author_id, :message)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index d83690e..7487f87 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,4 +2,7 @@ class ApplicationController < ActionController::Base
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
   protect_from_forgery with: :exception
+	
+	#include sessionhelper for the session controller and view
+	include SessionsHelper
 end
diff --git a/app/controllers/servers_controller.rb b/app/controllers/servers_controller.rb
index 7d54eb6..bb5d5f7 100644
--- a/app/controllers/servers_controller.rb
+++ b/app/controllers/servers_controller.rb
@@ -1,5 +1,6 @@
 class ServersController < ApplicationController
   before_action :set_server, only: [:show, :edit, :update, :destroy]
+  before_action :check_perms
 
   # GET /servers
   # GET /servers.json
@@ -67,6 +68,15 @@ class ServersController < ApplicationController
       @server = Server.find(params[:id])
     end
 
+	def check_perms
+		unless (signed_in? and current_user.in_group?(:admin))
+			respond_to do |format|
+				format.html { render action: 'permission_denied', status: :forbidden }
+				format.json { render json: "Permission denied", status: :forbidden }
+			end
+		end
+	end
+
     # Never trust parameters from the scary internet, only allow the white list through.
     def server_params
       params[:server]
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 2f72bf7..b5ea29b 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,74 +1,51 @@
 class SessionsController < ApplicationController
-  before_action :set_session, only: [:show, :edit, :update, :destroy]
-
-  # GET /sessions
-  # GET /sessions.json
-  def index
-    @sessions = Session.all
-  end
-
-  # GET /sessions/1
-  # GET /sessions/1.json
-  def show
-  end
-
-  # GET /sessions/new
-  def new
-    @session = Session.new
-  end
-
-  # GET /sessions/1/edit
-  def edit
-  end
-
-  # POST /sessions
-  # POST /sessions.json
-  def create
-    @session = Session.new(session_params)
-
-    respond_to do |format|
-      if @session.save
-        format.html { redirect_to @session, notice: 'Session was successfully created.' }
-        format.json { render action: 'show', status: :created, location: @session }
-      else
-        format.html { render action: 'new' }
-        format.json { render json: @session.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  # PATCH/PUT /sessions/1
-  # PATCH/PUT /sessions/1.json
-  def update
-    respond_to do |format|
-      if @session.update(session_params)
-        format.html { redirect_to @session, notice: 'Session was successfully updated.' }
-        format.json { head :no_content }
-      else
-        format.html { render action: 'edit' }
-        format.json { render json: @session.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  # DELETE /sessions/1
-  # DELETE /sessions/1.json
-  def destroy
-    @session.destroy
-    respond_to do |format|
-      format.html { redirect_to sessions_url }
-      format.json { head :no_content }
-    end
-  end
-
-  private
-    # Use callbacks to share common setup or constraints between actions.
-    def set_session
-      @session = Session.find(params[:id])
-    end
-
-    # Never trust parameters from the scary internet, only allow the white list through.
-    def session_params
-      params.require(:session).permit(:user_id)
-    end
+	before_action :set_session, only: [:destroy]
+
+	# GET /sessions/new
+	def new
+		@user = User.new
+		#@session = Session.new
+	end
+	
+	# POST /sessions
+	# POST /sessions.json
+	def create
+		# find the user...
+		@user = User.find_by(email: params[:session][:email].downcase)
+		#@session = Session.new(@user)
+		# ... and create a new session
+		respond_to do |format|
+			if @user && @user.authenticate(params[:session][:password])
+				sign_in @user
+				format.html { redirect_to root_path }
+				#format.json { #TODO }
+			else
+				format.html { render action: 'new' }
+				format.json { render json: @user.errors, status: :unprocessable_entity }
+			end
+		end
+	end
+
+	# DELETE /sessions/1
+	# DELETE /sessions/1.json
+	def destroy
+		#@session.destroy
+		sign_out
+		respond_to do |format|
+			format.html { redirect_to root_path }
+			format.json { head :no_content }
+		end
+	end
+
+	private
+
+	# Use callbacks to share common setup or constraints between actions.
+	def set_session
+		#@session = Session.find(cookies[:remember_token])
+	end
+
+	# Never trust parameters from the scary internet, only allow the white list through.
+	def session_params
+		params.require(:session).permit(:session_email, :session_password)
+	end
 end
diff --git a/app/controllers/static_controller.rb b/app/controllers/static_controller.rb
index c6df11e..6fc9490 100644
--- a/app/controllers/static_controller.rb
+++ b/app/controllers/static_controller.rb
@@ -1,2 +1,4 @@
 class StaticController < ApplicationController
+	def homepage
+	end
 end
diff --git a/app/controllers/tournaments_controller.rb b/app/controllers/tournaments_controller.rb
index 720305f..915c072 100644
--- a/app/controllers/tournaments_controller.rb
+++ b/app/controllers/tournaments_controller.rb
@@ -1,5 +1,6 @@
 class TournamentsController < ApplicationController
   before_action :set_tournament, only: [:show, :edit, :update, :destroy]
+  before_action :check_perms, only: [:new, :create, :edit, :update, :destroy]
 
   # GET /tournaments
   # GET /tournaments.json
@@ -14,6 +15,8 @@ class TournamentsController < ApplicationController
 
   # GET /tournaments/new
   def new
+    @games = Game.all
+    @game = Game.find_by_id(params[:game])
     @tournament = Tournament.new
   end
 
@@ -67,8 +70,17 @@ class TournamentsController < ApplicationController
       @tournament = Tournament.find(params[:id])
     end
 
+	def check_perms
+		unless (signed_in? and current_user.in_group?(:host))
+			respond_to do |format|
+				format.html { render action: 'permission_denied', status: :forbidden }
+				format.json { render json: "Permission denied", status: :forbidden }
+			end
+		end
+	end
+
     # Never trust parameters from the scary internet, only allow the white list through.
     def tournament_params
-      params.require(:tournament).permit(:game_id)
+      params.require(:tournament).permit(:game_id, :game)
     end
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index b18efed..907958b 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,5 +1,7 @@
 class UsersController < ApplicationController
   before_action :set_user, only: [:show, :edit, :update, :destroy]
+  before_action :perms_edit, only: [:edit, :update, :destroy]
+  before_action :perms_create, only: [:new, :create]
 
   # GET /users
   # GET /users.json
@@ -10,6 +12,7 @@ class UsersController < ApplicationController
   # GET /users/1
   # GET /users/1.json
   def show
+    @user = User.find(params[:id])
   end
 
   # GET /users/new
@@ -28,10 +31,11 @@ class UsersController < ApplicationController
 
     respond_to do |format|
       if @user.save
-        format.html { redirect_to @user, notice: 'User was successfully created.' }
+        sign_in @user
+        format.html { redirect_to root_path, notice: 'User was successfully created.' }
         format.json { render action: 'show', status: :created, location: @user }
       else
-        format.html { render action: 'new' }
+        format.html { render action: 'new', status: :unprocessable_entity }
         format.json { render json: @user.errors, status: :unprocessable_entity }
       end
     end
@@ -67,8 +71,26 @@ class UsersController < ApplicationController
       @user = User.find(params[:id])
     end
 
+    def perms_edit
+      unless (current_user == @user) or (signed_in? and current_user.in_group? :admin)
+        respond_to do |format|
+          format.html { render action: 'permission_denied', status: :forbidden }
+          format.json { render json: "Permission denied", status: :forbidden }
+        end
+      end
+    end
+
+    def perms_create
+      if signed_in?
+        respond_to do |format|
+          format.html { render action: 'already_signed_in', status: :unprocessable_entity }
+          format.json { render json: "Already signed in", status: :unprocessable_entity }
+        end
+      end
+    end
+
     # Never trust parameters from the scary internet, only allow the white list through.
     def user_params
-      params.require(:user).permit(:name, :email, :user_name)
+      params.require(:user).permit(:name, :email, :user_name, :password, :password_confirmation)
     end
 end