week12 auth and user roles

Gemfile

@@ -25,7 +25,7 @@ gem "stimulus-rails"
 gem "jbuilder"
 
 # Use Active Model has_secure_password [https://guides.rubyonrails.org/active_model_basics.html#securepassword]
-# gem "bcrypt", "~> 3.1.7"
+gem "bcrypt", "~> 3.1.7"
 
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem "tzinfo-data", platforms: %i[ windows jruby ]
@@ -50,6 +50,11 @@ gem "thruster", require: false
 group :development do
   # Use console on exceptions pages [https://github.com/rails/web-console]
   gem "web-console"
+
+  gem "rubocop-rails", require: false
+  gem "rubocop-performance", require: false
+  gem "rubocop-rspec", require: false
+  gem "rubocop-rspec_rails", require: false
 end
 
 group :development, :test do
@@ -68,12 +73,3 @@ group :development, :test do
 
   gem "rspec-rails", "~> 8.0.0"
 end
-group :development do
-  # Use console on exceptions pages [https://github.com/rails/web-console]
-  gem "web-console"
-
-  gem "rubocop-rails", require: false
-  gem "rubocop-performance", require: false
-  gem "rubocop-rspec", require: false
-  gem "rubocop-rspec_rails", require: false
-end

Gemfile.lock

@@ -74,6 +74,7 @@ GEM
       uri (>= 0.13.1)
     ast (2.4.3)
     base64 (0.3.0)
+    bcrypt (3.1.20)
     bcrypt_pbkdf (1.1.1)
     bcrypt_pbkdf (1.1.1-arm64-darwin)
     bcrypt_pbkdf (1.1.1-x86_64-darwin)
@@ -401,6 +402,7 @@ PLATFORMS
   x86_64-linux-musl
 
 DEPENDENCIES
+  bcrypt (~> 3.1.7)
   bootsnap
   brakeman
   debug
@@ -411,13 +413,10 @@ DEPENDENCIES
   puma (>= 5.0)
   rails (~> 8.0.2)
   rails_db
-
   rspec-rails (~> 8.0.0)
-
   rubocop
   rubocop-performance
   rubocop-rails
-
   rubocop-rails-omakase
   rubocop-rspec
   rubocop-rspec_rails

app/controllers/application_controller.rb

@@ -1,4 +1,23 @@
 class ApplicationController < ActionController::Base
-  # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
-  allow_browser versions: :modern
+  helper_method :current_user, :logged_in?
+
+  def current_user
+    @current_user ||= User.find_by(id: session[:user_id]) if session[:user_id]
+  end
+
+  def logged_in?
+    current_user.present?
+  end
+
+  private
+
+    def require_admin
+      unless current_user&.role == "admin"
+        flash[:alert] = "You do not have permission to do that."
+        redirect_to root_path
+      end
+    end
+
+    # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
+    allow_browser versions: :modern
 end

app/controllers/artists_controller.rb

@@ -1,6 +1,6 @@
 class ArtistsController < ApplicationController
   def index
-    @artists = Artist.all
+    @artists = Artist.alphabetical
   end
 
   def show
@@ -14,7 +14,7 @@ def new
   def create
     @artist = Artist.new(artist_params)
     if @artist.save
-      redirect_to @artist, notice: "Artist Created"
+      redirect_to new_track_path(artist_id: @artist.id), notice: "Artist Created"
     else
       render :new, status: :unprocessable_entity
     end

app/controllers/sessions_controller.rb

@@ -0,0 +1,22 @@
+class SessionsController < ApplicationController
+  def new
+    # renders the login form
+  end
+
+  def create
+    user = User.find_by(username: params[:username])
+    if user&.authenticate(params[:password])
+      session[:user_id] = user.id
+      session[:role] = user.role
+      redirect_to root_path, notice: "Logged in as #{user.username}"
+    else
+      flash.now[:alert] = "Invalid username or password"
+      render :new, status: :unprocessable_entity
+    end
+  end
+
+  def destroy
+    reset_session
+    redirect_to root_path, notice: "Logged out"
+  end
+end

app/controllers/tracks_controller.rb

@@ -1,4 +1,5 @@
 class TracksController < ApplicationController
+  before_action :require_admin, only: [ :destroy ]
   def index
     @tracks = Track.all
   end
@@ -9,6 +10,10 @@ def show
 
   def new
     @track = Track.new
+    @artists = Artist.alphabetical
+    if params[:artist_id].present?
+      @track.artist_id = params[:artist_id]
+    end
   end
 
   def create

app/helpers/sessions_helper.rb

@@ -0,0 +1,2 @@
+module SessionsHelper
+end

app/models/artist.rb

@@ -3,10 +3,13 @@ class Artist < ApplicationRecord
 
   validates :name, presence: true
 
+  # alpha scope
+  scope :alphabetical, -> { order("LOWER(name) ASC") }
+
   # logic for sample connections, artist + method + each loop
   def sampled_by
     Track.joins(:artist, :samples_used)
-       .where(samples: { source_track_id: tracks.select(:id) })
-       .select("tracks.title AS track_title, artists.name AS artist_name")
+         .where(samples: { source_track_id: tracks.select(:id) })
+         .select("tracks.title AS track_title, artists.name AS artist_name")
   end
 end

app/models/track.rb

@@ -1,5 +1,5 @@
 class Track < ApplicationRecord
-  belongs_to :user, optional: true
+  belongs_to :user
   belongs_to :artist
 
   has_many :comments, dependent: :destroy

app/models/user.rb

@@ -3,6 +3,8 @@ class User < ApplicationRecord
   has_many :comments
   # TODO gameplan user.delete, what happens to their entries and comments.
 
+  has_secure_password
+
   validates :email, presence: true, uniqueness: true
   validates :username, presence: true, uniqueness: true
 

app/views/layouts/application.html.erb

@@ -22,7 +22,22 @@
     <%= javascript_importmap_tags %>
   </head>
 
-  <body>
-    <%= yield %>
-  </body>
+ <body>
+  <% if flash[:notice] %>
+    <p class="notice"><%= flash[:notice] %></p>
+  <% end %>
+
+  <% if flash[:alert] %>
+    <p class="alert"><%= flash[:alert] %></p>
+  <% end %>
+
+    <% if logged_in? %>
+    <p>Logged in as <%= current_user.username %></p>
+    <%= button_to "Logout", logout_path, method: :delete %>
+  <% else %>
+    <%= link_to "Login", login_path %>
+  <% end %>
+
+  <%= yield %>
+</body>
 </html>

app/views/sessions/create.html.erb

@@ -0,0 +1,2 @@
+<h1>Sessions#create</h1>
+<p>Find me in app/views/sessions/create.html.erb</p>

app/views/sessions/destroy.html.erb

@@ -0,0 +1,2 @@
+<h1>Sessions#destroy</h1>
+<p>Find me in app/views/sessions/destroy.html.erb</p>

app/views/sessions/new.html.erb

@@ -0,0 +1,17 @@
+<h1>Login</h1>
+
+<%= form_with url: login_path, local: true do |form| %>
+  <div>
+    <%= form.label :username %><br>
+    <%= form.text_field :username %>
+  </div>
+
+  <div>
+    <%= form.label :password %><br>
+    <%= form.password_field :password %>
+  </div>
+
+  <div>
+    <%= form.submit "Login" %>
+  </div>
+<% end %>

app/views/tracks/_form.html.erb

@@ -17,7 +17,7 @@
 
   <div>
     <%= form.label :artist_id, "Artist" %><br>
-    <%= form.collection_select :artist_id, Artist.all, :id, :name, prompt: "Choose an artist" %>
+    <%= form.collection_select :artist_id, @artists, :id, :name, prompt: "Choose an artist" %>
   </div>
   <p>
     <%= link_to "Add New Artist", new_artist_path %>

app/views/tracks/show.html.erb

@@ -11,7 +11,7 @@
   <ul>
     <% @track.sampled_tracks.each do |source| %>
       <li><%= link_to source.title, track_path(source) %> - 
-      <%= link_to source.artist.name, artist_path(source) %></li>
+      <%= link_to source.artist.name, artist_path(source.artist) %></li>
     <% end %>
   </ul>
 <% else %>
@@ -24,7 +24,7 @@
   <ul>
     <% @track.sampled_by_tracks.each do |derived| %>
       <li><%= link_to derived.title, track_path(derived) %> - 
-      <%= link_to derived.artist.name, artist_path(derived) %></li>
+      <%= link_to derived.artist.name, artist_path(derived.artist) %></li>
     <% end %>
   </ul>
 <% else %>

config/routes.rb

@@ -1,18 +1,17 @@
 Rails.application.routes.draw do
-  # Define your application routes per the DSL in https://guides.rubyonrails.org/routing.html
   resources :artists, only: [ :index, :show, :new, :create ]
   resources :tracks,  only: [ :index, :show, :new, :create, :edit, :update, :destroy ]
 
   get "/dashboard", to: "dashboard#index"
 
-  # Reveal health status on /up that returns 200 if the app boots with no exceptions, otherwise 500.
-  # Can be used by load balancers and uptime monitors to verify that the app is live.
-  get "up" => "rails/health#show", as: :rails_health_check
+  # session routes
+  get "login",  to: "sessions#new"
+  post "login", to: "sessions#create"
+  delete "logout", to: "sessions#destroy"
 
-  # Render dynamic PWA files from app/views/pwa/* (remember to link manifest in application.html.erb)
-  # get "manifest" => "rails/pwa#manifest", as: :pwa_manifest
-  # get "service-worker" => "rails/pwa#service_worker", as: :pwa_service_worker
+  # health check
+  get "up" => "rails/health#show", as: :rails_health_check
 
-  # Defines the root path route ("/")
-  # root "posts#index"
+  # ("/") makes root dashboard
+  root "dashboard#index"
 end

db/migrate/20251007212920_add_password_digest_to_users.rb

@@ -0,0 +1,5 @@
+class AddPasswordDigestToUsers < ActiveRecord::Migration[8.0]
+  def change
+    add_column :users, :password_digest, :string
+  end
+end

db/migrate/20251007214251_add_role_to_users.rb

@@ -0,0 +1,5 @@
+class AddRoleToUsers < ActiveRecord::Migration[8.0]
+  def change
+    add_column :users, :role, :string, null: false, default: "user"
+  end
+end