Fix bugs: Phan trang, show errors, SQL Injection, review code...

777c305a · Nguyen Quoc Kien · bd0447a0 · 777c305a · 777c305a · 777c305a
Commit 777c305a authored Aug 04, 2015 by Nguyen Quoc Kien
17 changed files
--- a/app/controllers/admin/products_controller.rb
+++ b/app/controllers/admin/products_controller.rb
 class Admin::ProductsController < ApplicationController
  before_action :find_product, only: [:destroy, :edit,:update]
+  before_action :get_categories, only: [:edit,:update, :new,:create]
  before_action :authenticate_admin!
+  before_action :check_page, only: [:index]
  def index
    @products = Product.paginate(page: params[:page]).per_page(50)
@@ -18,11 +20,6 @@ class Admin::ProductsController < ApplicationController
  def new
    @product = Product.new
-    @categories = Category.all
-  end
-  def edit
-    @categories = Category.all
  end
  def create
@@ -31,8 +28,7 @@ class Admin::ProductsController < ApplicationController
      flash[:success] = "Create product : Success"
      redirect_to admin_products_path
    else
-      flash[:danger] = "Error: New product"
+      render :new
-      redirect_to new_admin_product_path
    end
  end
@@ -41,8 +37,7 @@ class Admin::ProductsController < ApplicationController
      flash[:success] = "Update product : Success"
      redirect_to admin_products_path
    else
-      flash[:danger] = "Error: Update product"
+      render :edit
-      redirect_to edit_admin_product_path(id: params[:id])
    end
  end
@@ -55,4 +50,8 @@ class Admin::ProductsController < ApplicationController
  def product_params
    params.require(:product).permit(:category_id, :name, :price, :image, :description)
  end
+  def get_categories
+    @categories = Category.all
+  end
 end
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
 class Admin::UsersController < ApplicationController
  before_action :authenticate_admin!
+  before_action :check_page, only: [:index]
  def index
    @users = User.paginate(page: params[:page]).per_page(21)

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -28,4 +28,17 @@ class ApplicationController < ActionController::Base
    devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:login, :username, :email, :password, :remember_me) }
    devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:username, :email, :password, :password_confirmation, :current_password) }
  end
+  def check_page
+    if (params[:page].to_i <= 0)
+      params[:page] = 1
+    end
+    if is_number?(params[:page]) == false
+      params[:page] = 1
+    end
+  end
+  def is_number? string
+    true if Float(string) rescue false
+  end
 end
--- a/app/controllers/cart_products_controller.rb
+++ b/app/controllers/cart_products_controller.rb
 class CartProductsController < ApplicationController
-  before_action :set_cart, only: [:create]
+  before_action :set_cart, only: [:create, :update]
  before_action :check_quantity?, only: [:create]
  def create
@@ -9,11 +9,22 @@ class CartProductsController < ApplicationController
      redirect_to cart_path(id: @user_id)
      flash[:success] = 'Products add to cart'
    else
-      redirect_to cart_path(id: @user_id)
+      redirect_to products_path
-        flash[:success] = 'Errors: Quantity'
+      flash[:danger] = 'Errors: Quantity'
    end
  end
+  def update
+    product = Product.find(params[:product_id])
+    if check_quantity?
+      update_product_to_cart(product.id.to_i, params[:quantity].to_i )
+      redirect_to cart_path(id: @user_id)
+      flash[:success] = 'Update successful'
+    else
+      redirect_to cart_path(id: @user_id)
+      flash[:danger] = 'Errors: Quantity'
+    end
+  end
  def destroy
    session[params[:id]].delete(params[:product_id])
@@ -25,15 +36,24 @@ class CartProductsController < ApplicationController
  def add_product_to_cart(product_id, number)
    number ||= 1
    i = 0
-    @session[@user_id].each do |key, value|
+    session[@user_id].each do |key, value|
      if (key == product_id.to_s)
-       @session[@user_id][key] = number +value
+       session[@user_id][key] = number +value
       i = 1
       break
     end
    end
    if (i == 0)
-      @session[@user_id][product_id] = number
+      session[@user_id][product_id] = number
+    end
+  end
+  def update_product_to_cart(product_id, number)
+    session[@user_id].each do |key, value|
+      if (key == product_id.to_s)
+       session[@user_id][key] = number
+       break
+     end
    end
  end

--- a/app/controllers/carts_controller.rb
+++ b/app/controllers/carts_controller.rb
 class CartsController < ApplicationController
  def new
    @cart = Cart.new
  end
@@ -24,8 +23,7 @@ class CartsController < ApplicationController
      flash[:success] = "Email to send"
      redirect_to products_path
    else
-      flash[:danger] = "Error: Create carts"
+      render :new
-      redirect_to :back
    end
  end

--- a/app/controllers/categories_controller.rb
+++ b/app/controllers/categories_controller.rb
 class CategoriesController < ApplicationController
+   before_action :find_category, only: [:show]
+   before_action :check_page, only: [:show]
  def index
    @categories = Category.all
  end
  def show
    @categories = Category.all
-    @category = Category.find(params[:id])
    @current_category = @category.id
    @products = @category.products.paginate(page: params[:page]).per_page(15)
  end
+  private
+  def find_category
+    if params[:id].to_i > (Category.count + 1)
+      redirect_to error_path
+    else
+      @category = Category.find(params[:id])
+    end
+  end
 end
--- a/app/controllers/products_controller.rb
+++ b/app/controllers/products_controller.rb
 class ProductsController < ApplicationController
  before_action :find_product, only: [:show]
+  before_action :check_page, only: [:index]
  def index
    @products = Product.paginate(page: params[:page]).per_page(21)
@@ -13,7 +14,11 @@ class ProductsController < ApplicationController
  private
  def find_product
-    @product = Product.find(params[:id])
+    if params[:id].to_i > (Product.count + 1)
+      redirect_to error_path
+    else
+      @product = Product.find(params[:id])
+    end
  end
 end
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
 class SearchController < ApplicationController
+  before_action :check_page, only: [:search]
  def search
    if params[:keyword].nil?

--- a/app/controllers/shopping_history_controller.rb
+++ b/app/controllers/shopping_history_controller.rb
 class ShoppingHistoryController < ApplicationController
+  before_action :authenticate_user!
  def index
    @user = User.find(current_user.id)
    @carts_to_user = Cart.where(user_id: @user.id)

--- a/app/models/product.rb
+++ b/app/models/product.rb
@@ -18,7 +18,7 @@ class Product < ActiveRecord::Base
  def self.search(keyword)
-    Product.where("name like '%?%'", keyword)
+    Product.where("name like ?", "%#{keyword}%" )
  end
  private

--- a/app/views/admin/carts/_show_to_buyers.html.erb
+++ b/app/views/admin/carts/_show_to_buyers.html.erb
@@ -45,14 +45,12 @@
    </tr>
    <tr>
      <td>Status: </td>
-      <td colspan="3"><%= cart.status %></td>
+      <td colspan="2"><%= cart.status %></td>
-    </tr>
+      <td><% if cart.status != "Finish" %>
-    <tr>
+        <%= button_to 'Next',admin_cart_path(id: cart.id, user_id: "buyers"), method: :put , class: "btn btn-primary" %>
-      <% if cart.status != "Finish" %>
-        <td colspan="4" style="text-align:right"><%= button_to 'Next',admin_cart_path(id: cart.id, user_id: "buyers"), method: :put , class: "btn btn-primary" %></td>
      <% else %>
-        <td colspan="4" style="text-align:right"><%= link_to 'Finished',"#" , class: "btn btn-danger" %></td>
+        <%= link_to 'Finished',"#" , class: "btn btn-danger" %>
-      <% end %>
+      <% end %></td>
    </tr>
  <% end %>
  <tr>

--- a/app/views/admin/carts/_show_to_user_id.html.erb
+++ b/app/views/admin/carts/_show_to_user_id.html.erb
@@ -45,14 +45,14 @@
    </tr>
    <tr>
      <td>Status: </td>
-      <td colspan="3"><%= cart_to_user.status %></td>
+      <td colspan="2"><%= cart_to_user.status %></td>
-    </tr>
+      <td>
-    <tr>
+        <% if cart_to_user.status != "Finish" %>
-      <% if cart_to_user.status != "Finish" %>
+          <%= button_to 'Next',admin_cart_path(id: cart_to_user.id, user_id: @user.id), method: :put , class: "btn btn-primary" %>
-        <td colspan="4" style="text-align:right"><%= button_to 'Next',admin_cart_path(id: cart_to_user.id, user_id: @user.id), method: :put , class: "btn btn-primary" %></td>
+        <% else %>
-      <% else %>
+          <%= link_to 'Finished',"#" , class: "btn btn-danger" %>
-        <td colspan="4" style="text-align:right"><%= link_to 'Finished',"#" , class: "btn btn-danger" %></td>
+        <% end %>
-      <% end %>
+      </td>
    </tr>
  <% end %>
  <tr>

--- a/app/views/carts/new.html.erb
+++ b/app/views/carts/new.html.erb
 <% provide(:title, "Order") %>
 <div class="row">
+  <% if @cart.errors.any? %>
+  <div id="error_explanation">
+    <div class="alert alert-danger">
+      The form contains <%= pluralize(@cart.errors.count, "error") %>.
+    </div>
+    <ul>
+    <% @cart.errors.full_messages.each do |msg| %>
+      <li><%= msg %></li>
+    <% end %>
+    </ul>
+  </div>
+<% end %>
  <div class="col-md-6 col-md-offset-3">
  <h1>Đăng ký thông tin nhận hàng</h1>
    <%= form_for @cart do |f| %>

--- a/app/views/carts/show.html.erb
+++ b/app/views/carts/show.html.erb
@@ -7,6 +7,7 @@
        <th>Product name</th>
        <th>Price</th>
        <th>Quantity</th>
+        <th>Update</th>
        <th>Total price</th>
        <th>Delete</th>
      </tr>
@@ -17,7 +18,11 @@
        <tr>
          <td><%= Product.find(key).name %>
          <td><%= number_to_currency(Product.find(key).price/100.00) %></td>
-          <td><%= value %></td>
+          <%= form_tag cart_product_path, method: :PATCH do %>
+            <%= hidden_field_tag :product_id, key %>
+            <td><%= number_field_tag :quantity, "#{value}", class: 'form-control', :style => "width: 70px"%></td>
+            <td><%= submit_tag "Update", :class => "btn btn-primary", :style => "width: 70px" %></td>
+          <% end %>
          <td><%= number_to_currency(Product.find(key).price/100.000 * value.to_f) %></td>
          <% total += Product.find(key).price/100.000 * value.to_f %>
          <td><%= link_to 'Delete', cart_product_path(product_id: key, id: params[:id]), data: { confirm: 'Are you sure?' }, method: :delete,
@@ -25,14 +30,11 @@
          </tr>
      <% end %>
      <tr>
-        <td>Total</td>
+        <td colspan="4">Total</td>
-        <td></td>
-        <td></td>
        <td> <%= number_to_currency(total) %></td>
      </tr>
      <tr>
-        <td><%= link_to 'Back', products_path, class: "btn btn-danger" %></td>
+        <td colspan="3"><%= link_to 'Back', products_path, class: "btn btn-danger" %></td>
-        <td> </td>
        <td><%= button_to 'Empty cart', cart_path(id: params[:id]), method: :delete, data: { confirm: 'Are you sure?' }, class: "btn btn-danger" %></td>
        <td><%= link_to 'Checkout', new_cart_path, class: "btn btn-danger" %></td>
        <td> </td>

--- a/app/views/devise/sessions/new.html.erb
+++ b/app/views/devise/sessions/new.html.erb
@@ -6,7 +6,6 @@
      <%= f.label :login %><br />
      <%= f.text_field :login, autofocus: true, class: 'form-control' %>
    </div>
    <div class="field">
      <%= f.label :password %><br />
      <%= f.password_field :password, autocomplete: "off", class: 'form-control' %>
@@ -17,13 +16,9 @@
      <% end %>
    <% end -%>
    </div>
    <div class="actions">
      <%= f.submit "Log in", class: "btn btn-primary" %>
    </div>
  <% end %>
  <%= render "devise/shared/links" %>
 </div>
\ No newline at end of file
--- a/app/views/static_pages/error.html.erb
+++ b/app/views/static_pages/error.html.erb
+<h1>Pages not found!</h1>
\ No newline at end of file
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -9,11 +9,12 @@ Rails.application.routes.draw do
  get 'help' => 'static_pages#help'
  get 'about' => 'static_pages#about'
+  get 'error' => 'static_pages#error'
  resources :categories, only: [:index, :show]
  resources :products
  resources :carts
-  resources :cart_products, only: [:create, :destroy]
+  resources :cart_products, only: [:create, :destroy, :update]
  resources :shopping_history, only: [:index]
  namespace :admin do