Fix bugs: Phan trang, show errors, SQL Injection, review code...

app/controllers/admin/products_controller.rb

 class Admin::ProductsController < ApplicationController
   before_action :find_product, only: [:destroy, :edit,:update]
+  before_action :get_categories, only: [:edit,:update, :new,:create]
   before_action :authenticate_admin!
+  before_action :check_page, only: [:index]
 
   def index
     @products = Product.paginate(page: params[:page]).per_page(50)
@@ -18,11 +20,6 @@ class Admin::ProductsController < ApplicationController
 
   def new
     @product = Product.new
-    @categories = Category.all
-  end
-
-  def edit
-    @categories = Category.all
   end
 
   def create
@@ -31,8 +28,7 @@ class Admin::ProductsController < ApplicationController
       flash[:success] = "Create product : Success"
       redirect_to admin_products_path
     else
-      flash[:danger] = "Error: New product"
-      redirect_to new_admin_product_path
+      render :new
     end
   end
 
@@ -41,8 +37,7 @@ class Admin::ProductsController < ApplicationController
       flash[:success] = "Update product : Success"
       redirect_to admin_products_path
     else
-      flash[:danger] = "Error: Update product"
-      redirect_to edit_admin_product_path(id: params[:id])
+      render :edit
     end
   end
 
@@ -55,4 +50,8 @@ class Admin::ProductsController < ApplicationController
   def product_params
     params.require(:product).permit(:category_id, :name, :price, :image, :description)
   end
+
+  def get_categories
+    @categories = Category.all
+  end
 end

app/controllers/admin/users_controller.rb

 class Admin::UsersController < ApplicationController
   before_action :authenticate_admin!
+  before_action :check_page, only: [:index]
 
   def index
     @users = User.paginate(page: params[:page]).per_page(21)

app/controllers/application_controller.rb

@@ -28,4 +28,17 @@ class ApplicationController < ActionController::Base
     devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:login, :username, :email, :password, :remember_me) }
     devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:username, :email, :password, :password_confirmation, :current_password) }
   end
+
+  def check_page
+    if (params[:page].to_i <= 0)
+      params[:page] = 1
+    end
+    if is_number?(params[:page]) == false
+      params[:page] = 1
+    end
+  end
+
+  def is_number? string
+    true if Float(string) rescue false
+  end
 end

app/controllers/cart_products_controller.rb

 class CartProductsController < ApplicationController
-  before_action :set_cart, only: [:create]
+  before_action :set_cart, only: [:create, :update]
   before_action :check_quantity?, only: [:create]
 
   def create
@@ -9,11 +9,22 @@ class CartProductsController < ApplicationController
       redirect_to cart_path(id: @user_id)
       flash[:success] = 'Products add to cart'
     else
-      redirect_to cart_path(id: @user_id)
-        flash[:success] = 'Errors: Quantity'
+      redirect_to products_path
+      flash[:danger] = 'Errors: Quantity'
     end
   end
 
+  def update
+    product = Product.find(params[:product_id])
+    if check_quantity?
+      update_product_to_cart(product.id.to_i, params[:quantity].to_i )
+      redirect_to cart_path(id: @user_id)
+      flash[:success] = 'Update successful'
+    else
+      redirect_to cart_path(id: @user_id)
+      flash[:danger] = 'Errors: Quantity'
+    end
+  end
 
   def destroy
     session[params[:id]].delete(params[:product_id])
@@ -25,15 +36,24 @@ class CartProductsController < ApplicationController
   def add_product_to_cart(product_id, number)
     number ||= 1
     i = 0
-    @session[@user_id].each do |key, value|
+    session[@user_id].each do |key, value|
       if (key == product_id.to_s)
-       @session[@user_id][key] = number +value
+       session[@user_id][key] = number +value
        i = 1
        break
      end
     end
     if (i == 0)
-      @session[@user_id][product_id] = number
+      session[@user_id][product_id] = number
+    end
+  end
+
+  def update_product_to_cart(product_id, number)
+    session[@user_id].each do |key, value|
+      if (key == product_id.to_s)
+       session[@user_id][key] = number
+       break
+     end
     end
   end
 

app/controllers/carts_controller.rb

 class CartsController < ApplicationController
-
   def new
     @cart = Cart.new
   end
@@ -24,8 +23,7 @@ class CartsController < ApplicationController
       flash[:success] = "Email to send"
       redirect_to products_path
     else
-      flash[:danger] = "Error: Create carts"
-      redirect_to :back
+      render :new
     end
   end
 

app/controllers/categories_controller.rb

 class CategoriesController < ApplicationController
-
+   before_action :find_category, only: [:show]
+   before_action :check_page, only: [:show]
   def index
     @categories = Category.all
   end
 
   def show
     @categories = Category.all
-    @category = Category.find(params[:id])
     @current_category = @category.id
     @products = @category.products.paginate(page: params[:page]).per_page(15)
   end
+  private
+
+  def find_category
+    if params[:id].to_i > (Category.count + 1)
+      redirect_to error_path
+    else
+      @category = Category.find(params[:id])
+    end
+  end
 
 end

app/controllers/products_controller.rb

 class ProductsController < ApplicationController
   before_action :find_product, only: [:show]
+  before_action :check_page, only: [:index]
 
   def index
     @products = Product.paginate(page: params[:page]).per_page(21)
@@ -13,7 +14,11 @@ class ProductsController < ApplicationController
   private
 
   def find_product
+    if params[:id].to_i > (Product.count + 1)
+      redirect_to error_path
+    else
       @product = Product.find(params[:id])
     end
+  end
 
 end

app/controllers/search_controller.rb

 class SearchController < ApplicationController
+  before_action :check_page, only: [:search]
 
   def search
     if params[:keyword].nil?

app/controllers/shopping_history_controller.rb

 class ShoppingHistoryController < ApplicationController
-
+  before_action :authenticate_user!
   def index
     @user = User.find(current_user.id)
     @carts_to_user = Cart.where(user_id: @user.id)

app/models/product.rb

@@ -18,7 +18,7 @@ class Product < ActiveRecord::Base
 
 
   def self.search(keyword)
-    Product.where("name like '%?%'", keyword)
+    Product.where("name like ?", "%#{keyword}%" )
   end
 
   private

app/views/admin/carts/_show_to_buyers.html.erb

@@ -45,14 +45,12 @@
     </tr>
     <tr>
       <td>Status: </td>
-      <td colspan="3"><%= cart.status %></td>
-    </tr>
-    <tr>
-      <% if cart.status != "Finish" %>
-        <td colspan="4" style="text-align:right"><%= button_to 'Next',admin_cart_path(id: cart.id, user_id: "buyers"), method: :put , class: "btn btn-primary" %></td>
+      <td colspan="2"><%= cart.status %></td>
+      <td><% if cart.status != "Finish" %>
+        <%= button_to 'Next',admin_cart_path(id: cart.id, user_id: "buyers"), method: :put , class: "btn btn-primary" %>
       <% else %>
-        <td colspan="4" style="text-align:right"><%= link_to 'Finished',"#" , class: "btn btn-danger" %></td>
-      <% end %>
+        <%= link_to 'Finished',"#" , class: "btn btn-danger" %>
+      <% end %></td>
     </tr>
   <% end %>
   <tr>

app/views/admin/carts/_show_to_user_id.html.erb

@@ -45,14 +45,14 @@
     </tr>
     <tr>
       <td>Status: </td>
-      <td colspan="3"><%= cart_to_user.status %></td>
-    </tr>
-    <tr>
+      <td colspan="2"><%= cart_to_user.status %></td>
+      <td>
         <% if cart_to_user.status != "Finish" %>
-        <td colspan="4" style="text-align:right"><%= button_to 'Next',admin_cart_path(id: cart_to_user.id, user_id: @user.id), method: :put , class: "btn btn-primary" %></td>
+          <%= button_to 'Next',admin_cart_path(id: cart_to_user.id, user_id: @user.id), method: :put , class: "btn btn-primary" %>
         <% else %>
-        <td colspan="4" style="text-align:right"><%= link_to 'Finished',"#" , class: "btn btn-danger" %></td>
+          <%= link_to 'Finished',"#" , class: "btn btn-danger" %>
         <% end %>
+      </td>
     </tr>
   <% end %>
   <tr>

app/views/carts/new.html.erb

 <% provide(:title, "Order") %>
 <div class="row">
+  <% if @cart.errors.any? %>
+  <div id="error_explanation">
+    <div class="alert alert-danger">
+      The form contains <%= pluralize(@cart.errors.count, "error") %>.
+    </div>
+    <ul>
+    <% @cart.errors.full_messages.each do |msg| %>
+      <li><%= msg %></li>
+    <% end %>
+    </ul>
+  </div>
+<% end %>
   <div class="col-md-6 col-md-offset-3">
   <h1>Đăng ký thông tin nhận hàng</h1>
     <%= form_for @cart do |f| %>

app/views/carts/show.html.erb

@@ -7,6 +7,7 @@
         <th>Product name</th>
         <th>Price</th>
         <th>Quantity</th>
+        <th>Update</th>
         <th>Total price</th>
         <th>Delete</th>
       </tr>
@@ -17,7 +18,11 @@
         <tr>
           <td><%= Product.find(key).name %>
           <td><%= number_to_currency(Product.find(key).price/100.00) %></td>
-          <td><%= value %></td>
+          <%= form_tag cart_product_path, method: :PATCH do %>
+            <%= hidden_field_tag :product_id, key %>
+            <td><%= number_field_tag :quantity, "#{value}", class: 'form-control', :style => "width: 70px"%></td>
+            <td><%= submit_tag "Update", :class => "btn btn-primary", :style => "width: 70px" %></td>
+          <% end %>
           <td><%= number_to_currency(Product.find(key).price/100.000 * value.to_f) %></td>
           <% total += Product.find(key).price/100.000 * value.to_f %>
           <td><%= link_to 'Delete', cart_product_path(product_id: key, id: params[:id]), data: { confirm: 'Are you sure?' }, method: :delete,
@@ -25,14 +30,11 @@
           </tr>
       <% end %>
       <tr>
-        <td>Total</td>
-        <td></td>
-        <td></td>
+        <td colspan="4">Total</td>
         <td> <%= number_to_currency(total) %></td>
       </tr>
       <tr>
-        <td><%= link_to 'Back', products_path, class: "btn btn-danger" %></td>
-        <td> </td>
+        <td colspan="3"><%= link_to 'Back', products_path, class: "btn btn-danger" %></td>
         <td><%= button_to 'Empty cart', cart_path(id: params[:id]), method: :delete, data: { confirm: 'Are you sure?' }, class: "btn btn-danger" %></td>
         <td><%= link_to 'Checkout', new_cart_path, class: "btn btn-danger" %></td>
         <td> </td>

app/views/devise/sessions/new.html.erb

@@ -6,7 +6,6 @@
       <%= f.label :login %><br />
       <%= f.text_field :login, autofocus: true, class: 'form-control' %>
     </div>
-
     <div class="field">
       <%= f.label :password %><br />
       <%= f.password_field :password, autocomplete: "off", class: 'form-control' %>
@@ -17,13 +16,9 @@
       <% end %>
     <% end -%>
     </div>
-
-
-
     <div class="actions">
       <%= f.submit "Log in", class: "btn btn-primary" %>
     </div>
   <% end %>
-
   <%= render "devise/shared/links" %>
 </div>
\ No newline at end of file

app/views/static_pages/error.html.erb

+<h1>Pages not found!</h1>
\ No newline at end of file

config/routes.rb

@@ -9,11 +9,12 @@ Rails.application.routes.draw do
 
   get 'help' => 'static_pages#help'
   get 'about' => 'static_pages#about'
+  get 'error' => 'static_pages#error'
 
   resources :categories, only: [:index, :show]
   resources :products
   resources :carts
-  resources :cart_products, only: [:create, :destroy]
+  resources :cart_products, only: [:create, :destroy, :update]
   resources :shopping_history, only: [:index]
 
   namespace :admin do