Merge branch 'change_citizen_password_route' into 'develop'

Add route to change citizen password by professional

See merge request !83

app/controllers/api/v1/citizens_controller.rb

@@ -19,7 +19,8 @@ module Api::V1
     include HasPolicies
     require 'csv'
 
-    before_action :set_citizen, only: [:picture, :show, :update, :destroy]
+    before_action :set_citizen, only: [:picture, :show, :update,
+                                       :change_password, :destroy]
 
     # GET /citizens
     def index
@@ -40,7 +41,6 @@ module Api::V1
       end
     end
 
-
     # GET /citizens/1/picture
     def picture
       if @citizen.nil?
@@ -107,7 +107,6 @@ module Api::V1
       end
     end
 
-
     # GET /citizens/1
     def show
       if @citizen.nil?
@@ -129,7 +128,6 @@ module Api::V1
       end
     end
 
-
     # POST /citizens
     def create
       success = false
@@ -194,7 +192,6 @@ module Api::V1
       end
     end
 
-
     # DELETE /citizens/1
     def destroy
       if @citizen.nil?
@@ -207,7 +204,7 @@ module Api::V1
           authorize @citizen, :deactivate?
         rescue
           render json: {
-            errors: ["You're not allowed to deativate this citizen."]
+            errors: ["You're not allowed to deactivate this citizen."]
           }, status: 403
           return
         end
@@ -224,6 +221,61 @@ module Api::V1
       end
     end
 
+    # PUT /citizens/1/change_password
+    def change_password
+      if @citizen.nil?
+        render json: {
+          errors: ["User #{params[:id]} does not exist."]
+        }, status: 404
+      else
+        # Allow request only if the citizen is reachable from current user
+        begin
+          authorize @citizen, :change_password?
+        rescue
+          render json: {
+            errors: ["You're not allowed to change password for this citizen."]
+          }, status: 403
+          return
+        end
+
+        if @citizen.email.present?
+          render json: {
+            errors: ["This citizen has an e-mail registered, use it for resetting the password!"]
+          }, status: 401
+          return
+        end
+
+        @account = Account.find(@citizen.account_id)
+        birth_date = @citizen.birth_date.strftime("%Y-%m-%d")
+
+        if(
+            @account.uid != params[:cpf] or
+            birth_date != params[:birth_date]
+        )
+          render json: {
+            errors: ["CPF and birth date do not match!"]
+          }, status: 403
+          return
+        end
+
+        if params[:password] != params[:password_confirmation]
+          render json: {
+            errors: ["Passwords do not match!"]
+          }, status: 403
+          return
+        end
+
+        @account.password = params[:password]
+        @account.password_confirmation = params[:password_confirmation]
+
+        if @account.save!
+          render json: @citizen
+        else
+          render json: @citizen.errors, status: :unprocessable_entity
+        end
+      end
+    end
+
     private
 
     # Use callbacks to share common setup or constraints between actions.

app/policies/citizen_policy.rb

@@ -27,7 +27,7 @@ class CitizenPolicy < ApplicationPolicy
 
       city_id = professional.professionals_service_places
         .find(user[1]).service_place.city_id
-      
+
       return case permission
       when "adm_c3sl"
         scope.all_active.where.not(id: citizen.id)
@@ -56,7 +56,7 @@ class CitizenPolicy < ApplicationPolicy
     permission = Professional.get_permission(user[1])
 
     if permission == "citizen"
-      return condition 
+      return condition
     end
 
     professional = citizen.professional
@@ -95,10 +95,14 @@ class CitizenPolicy < ApplicationPolicy
   end
 
   def schedule?
-    return access_policy(user, ((user[0].id == record.id) || 
+    return access_policy(user, ((user[0].id == record.id) ||
                                 (record.responsible_id == user[0].id)))
   end
 
+  def change_password?
+    return access_policy(user, false)
+  end
+
   def show_picture?
     citizen = user[0]
     permission = Professional.get_permission(user[1])
@@ -114,7 +118,7 @@ class CitizenPolicy < ApplicationPolicy
 
     return case
     when permission == "adm_c3sl"
-      return true 
+      return true
 
     when permission == "adm_prefeitura"
       return ((citizen.id == record.id) or (city_id == record.city_id))
@@ -131,8 +135,8 @@ class CitizenPolicy < ApplicationPolicy
   end
 
   private
-  
-  # Generic method for checking permissions when show/accessing/modifying 
+
+  # Generic method for checking permissions when show/accessing/modifying
   # citizens. It is used for avoiding code repetition in citizen's policy
   # methods.
   #
@@ -144,7 +148,7 @@ class CitizenPolicy < ApplicationPolicy
     permission = Professional.get_permission(user[1])
 
     if permission == "citizen"
-      return condition 
+      return condition
     end
 
     professional = citizen.professional

config/routes.rb

@@ -34,6 +34,7 @@ Rails.application.routes.draw do
         resources :dependants
         member do
           get 'picture'
+          put 'change_password'
         end
       end