From 89853d3533202bd7894784e3301521bff5e5cea6 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Tue, 10 May 2022 10:50:41 +0200 Subject: [PATCH] (ui) allow admins to change user password without asking for the current --- app/controllers/api/members_controller.rb | 6 +++++ app/frontend/src/javascript/api/member.ts | 5 ++++ .../components/user/change-password.tsx | 23 +++++++++++++++++-- app/policies/user_policy.rb | 4 ++++ config/routes.rb | 1 + 5 files changed, 37 insertions(+), 2 deletions(-) diff --git a/app/controllers/api/members_controller.rb b/app/controllers/api/members_controller.rb index f3e3ac575..c5490e889 100644 --- a/app/controllers/api/members_controller.rb +++ b/app/controllers/api/members_controller.rb @@ -234,6 +234,12 @@ class API::MembersController < API::ApiController render json: @member end + def current + @member = current_user + authorize @member + render json: @member + end + private def set_member diff --git a/app/frontend/src/javascript/api/member.ts b/app/frontend/src/javascript/api/member.ts index eeff8d68a..e3610758b 100644 --- a/app/frontend/src/javascript/api/member.ts +++ b/app/frontend/src/javascript/api/member.ts @@ -34,4 +34,9 @@ export default class MemberAPI { }); return res?.data; } + + static async current (): Promise { + const res: AxiosResponse = await apiClient.get('/api/members/current'); + return res?.data; + } } diff --git a/app/frontend/src/javascript/components/user/change-password.tsx b/app/frontend/src/javascript/components/user/change-password.tsx index cd87f8d1d..27df0179e 100644 --- a/app/frontend/src/javascript/components/user/change-password.tsx +++ b/app/frontend/src/javascript/components/user/change-password.tsx @@ -1,4 +1,4 @@ -import React from 'react'; +import React, { useEffect } from 'react'; import { FabButton } from '../base/fab-button'; import { FabModal } from '../base/fab-modal'; import { FormInput } from '../form/form-input'; 
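Review bot: `render json: @member` in the new `current` action serializes the model object directly, so the response carries whatever the User model's default JSON serialization exposes, while the only field the new frontend code reads is `role`. Whether `role` is part of that serialization is not visible in this patch; if it is not, `user.role` in change-password.tsx is undefined and the privileged branch never triggers. Rendering an explicit view or a payload limited to the id and role would make the contract explicit and keep other account fields out of the response. The action also assumes a signed-in user: if no filter outside this hunk requires authentication, `current_user` is nil and `authorize` receives nil, which would surface as a server error rather than a 401. A comment such as `# Returns the signed-in user's own record, never another member's` would document the intent.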
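Review bot: `return res?.data;` in the new `current()` resolves to `undefined` when the response object is missing, but the caller added in change-password.tsx dereferences `user.role` without a guard. That case only reaches `onError` as a TypeError from the `.then` callback, not as a failed request. The method also has no doc comment; something like `/** Fetches the signed-in user. The result may adapt the UI but is not an authorization decision. */` would record that the role returned here is advisory and that the server remains the enforcement point.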
@@ -8,6 +8,7 @@ import Authentication from '../../api/authentication'; import { FieldValues } from 'react-hook-form/dist/types/fields'; import { PasswordInput } from './password-input'; import { FormState } from 'react-hook-form/dist/types/form'; +import MemberAPI from '../../api/member'; interface ChangePasswordProp { register: UseFormRegister, @@ -25,9 +26,16 @@ export const ChangePassword = ({ register, onE const [isModalOpen, setIsModalOpen] = React.useState(false); const [isConfirmedPassword, setIsConfirmedPassword] = React.useState(false); + const [isPrivileged, setIsPrivileged] = React.useState(false); const { handleSubmit, register: passwordRegister } = useForm<{ password: string }>(); + useEffect(() => { + MemberAPI.current().then(user => { + setIsPrivileged(user.role === 'admin' || user.role === 'manager'); + }).catch(error => onError(error)); + }, []); + /** * Opens/closes the dialog asking to confirm the current password before changing it. */ @@ -35,6 +43,17 @@ export const ChangePassword = ({ register, onE setIsModalOpen(!isModalOpen); }; + /** + * Callback triggered when the user clicks on the "change my password" button + */ + const handleChangePasswordRequested = () => { + if (isPrivileged) { + setIsConfirmedPassword(true); + } else { + toggleConfirmationModal(); + } + }; + /** * Callback triggered when the user confirms his current password. */ @@ -59,7 +78,7 @@ export const ChangePassword = ({ register, onE return (
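Review bot: `isPrivileged` in the new `useEffect` is derived only from the role of the signed-in user, so `handleChangePasswordRequested` (next hunk) also skips the current-password prompt when an admin or manager edits their own account, not only another user's. That removes re-authentication for the most privileged accounts: an unattended or hijacked admin session is enough to set a new password without knowing the old one. The bypass should also require that the account being edited is not the signed-in one; the visible part of the props does not identify the edited user, so that id would likely have to be passed in. The gate is client-side only, and this patch does not touch the endpoint that stores the password, so the server still has to require the current password for self-service changes on its own. The `false` default for `isPrivileged` is the right choice, since the prompt stays in place until the role request resolves or if it fails.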
- {!isConfirmedPassword && toggleConfirmationModal()}> + {!isConfirmedPassword && handleChangePasswordRequested()}> {t('app.shared.change_password.change_my_password')} } {isConfirmedPassword &&
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index 2208c4f2d..2c9b28b0c 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb @@ -19,6 +19,10 @@ class UserPolicy < ApplicationPolicy user.admin? || user.manager? || (record.is_allow_contact && record.member?) || (user.id == record.id) end + def current? + user.admin? || user.manager? || (user.id == record.id) + end + def update? user.admin? || user.manager? || (user.id == record.id) end diff --git a/config/routes.rb b/config/routes.rb index 08bbb3aaf..2f8de801d 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -55,6 +55,7 @@ Rails.application.routes.draw do get '/export_subscriptions', action: 'export_subscriptions', on: :collection get '/export_reservations', action: 'export_reservations', on: :collection get '/export_members', action: 'export_members', on: :collection + get 'current', action: 'current', on: :collection put ':id/merge', action: 'merge', on: :collection post 'list', action: 'list', on: :collection get 'search/:query', action: 'search', on: :collection
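Review bot: `current?` copies the body of `update?`, but the only caller in this patch passes `current_user` as the record, so `user.id == record.id` is always true and the `user.admin? || user.manager?` clauses never change the result. Written this way the rule reads as if admins and managers may fetch any member through it, and that becomes true if another action later authorizes an arbitrary record against `current?`. Reducing the body to `user.id == record.id` states the intent and keeps the rule from widening by accident. A one-line comment such as `# the record is always the signed-in user; see API::MembersController#current` would help the next reader.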