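# Forum user accounts: login/logout, registration, profile editing,
# password changes, the public profile page and the user list.
class UserController < ApplicationController

  # Use HubSsoLib for permissions management, as a layer on top of
  # the provision within RForum. The ":nobody" entries are a bit of
  # a hack - any unrecognised role would do, since it means that
  # nobody will ever have that role; thus, no permission.
  @@hubssolib_permissions = HubSsoLib::Permissions.new({
    :show              => [ :admin, :webmaster, :privileged, :normal ],
    :list              => [ :admin, :webmaster ],
    :login             => [ :nobody ],
    :register          => [ :nobody ],
    :register_complete => [ :nobody ]
  })

  # The only columns the 'edit_user' form may set; anything else posted
  # under new_user is dropped before the update (see #edit).
  EDITABLE_FIELDS = %w[firstname surname].freeze

  # Minimum accepted length for a new password (see #change_password).
  MIN_PASSWORD_LENGTH = 6

  # Permissions table consulted by HubSsoLib for this controller.
  def UserController.hubssolib_permissions
    @@hubssolib_permissions
  end

  # Log a user in, or send a password-reset e-mail.
  #
  # Two forms post here: the login form ('submit') and the "I forgot my
  # password" form ('i_forgot_my_password'). A successful login sets
  # @user and returns to the last remembered page; a failed one sets
  # @error and falls through to re-render the login view.
  def login
    @title = l(:login_title)

    if @params['submit']
      user = User.find_by_login(@params['name'], @params['password'])
      if user
        # login successful
        @user = user
        flash[:attention] = "You are now logged in to the forum."
        return_to_last_remembered
      else
        # login failed
        @error = l(:login_failed)
      end
    end

    if @params['i_forgot_my_password']
      user = User.find_by_name(@params['name'])
      if user
        key = user.generate_security_token
        # Hand user_id and key to url_for instead of concatenating them
        # onto the path, so both end up properly URL-encoded.
        reset_url = url_for({
          :controller => 'user',
          :action     => 'edit',
          :user_id    => user.id,
          :key        => key
        })
        Mailer.deliver_reset_password(user, reset_url)
        flash[:attention] = "An e-mail message explaining how to change your password has been sent."
        redirect_to :controller => 'forum', :action => 'list'
      else
        # NOTE(review): a distinct message here tells the client whether
        # a given user name exists; using one neutral message for both
        # branches would avoid that disclosure.
        @error = l(:no_user_with_this_name)
      end
    end
  end

  # Replace the current user with a guest and go back to the forum list.
  def logout
    @user = Guest.new
    flash[:attention] = "You are now logged out of the forum."
    redirect_to :controller => 'forum', :action => 'list'
  end

  # Show or process the user-settings page.
  #
  # Several forms post here, distinguished by params['form']:
  # 'edit_user' updates the whitelisted profile columns, 'change_password'
  # delegates to #change_password. The target user id comes from
  # new_user[id] and must pass @user.can_change_user_settings?, otherwise
  # RForum::SecurityError is raised. Validation failures re-render the
  # form with the entity's errors.
  def edit
    @title = l(:user_settings_title)

    # NOTE(review): the reset link built in #login points here with
    # user_id and key query parameters, but nothing in this action reads
    # them; confirm a filter elsewhere validates the key before the
    # password form is offered for that user.
    if @params['form']
      # some form was submitted (there are several in the user/edit view)
      # need to update user details
      new_user = @params['new_user'] || {}   # a missing hash must not 500
      user_id  = new_user.delete('id').to_i
      raise RForum::SecurityError unless @user.can_change_user_settings?(user_id)

      begin
        case @params['form']
        when 'edit_user'
          user_params = new_user.delete_if { |key, _| !EDITABLE_FIELDS.include?(key) }
          User.update(user_id, user_params)
          redirect_to :action => 'edit'
        when 'change_password'
          change_password(user_id, new_user)
          return_to_last_remembered
        else
          raise ArgumentError, "Unknown form #{@params['form']}"
        end
      rescue RForum::ValidationError => e
        render_edit_form(e.entity)
      end
    else
      # no form submitted yet; show user details
      render_edit_form(@user)
    end
  end

  # Show the registration form, or create the account when it is posted.
  # On success the generated password is mailed to the new user and the
  # 'registration_complete' view is rendered; on a validation error the
  # form is shown again with the failed entity.
  def register
    @title = l(:register_title)

    if @params['new_user'].nil?
      # Show form with a new user object
      @new_user = User.new
    else
      begin
        # NOTE(review): the posted new_user hash goes to User.create
        # unfiltered (contrast the whitelist in #edit); confirm the User
        # model restricts which attributes are mass-assignable so a client
        # cannot set privileged columns at registration.
        @new_user = User.create(@params['new_user'])
        password  = @new_user.tell_and_forget_unencrypted_password
        Mailer.deliver_registration_mail(
          @new_user, password,
          url_for({ :controller => 'user', :action => 'login' })
        )
        @title = l(:registration_complete_title)
        render_action 'registration_complete'
      rescue RForum::ValidationError => e
        @new_user = e.entity # and go back to the form
      end
    end
  end

  # Public profile page for params['id']; logged-in users may also send
  # the shown user a message through the form on this page.
  def show
    @title = 'User information'

    begin
      @selected_user = User.find(@params['id'])
    rescue StandardError
      # Unknown or malformed id: show a placeholder rather than fail.
      @selected_user = Guest.new('Unknown user', '')
    end

    if @params['send_message'] && !@user.guest?
      # to_s guards against a missing 'text' parameter (nil has no #strip)
      @text = @params['text'].to_s.strip
      if @text.empty?
        @error_message = l(:user_message_empty)
      else
        Mailer.deliver_user_message(@user, @selected_user, @text)
        @message_sent = true
        @text = nil
      end
    end
  end

  # List every user (access limited by the permissions table above).
  def list
    @title = l(:user_list_title)
    @users = User.find_all
  end

  protected

  # Render the settings form (the 'register' view) for +user+.
  # Guests have no settings, so a guest raises RForum::SecurityError.
  def render_edit_form(user)
    raise RForum::SecurityError.new if user.guest?
    @new_user = user
    # actual password values should always be hidden, even on re-render with errors,
    # because we don't want to pass password values in plain HTML.
    # If user makes a mistake the first time, s/he will have to retype all passwords again.
    @new_user.reset_password_fields
    render_action 'register'
  end

  # Set a new password for user +user_id+ from the posted +attributes+
  # ('new_password' / 'retyped_password').
  #
  # Raises RForum::ValidationError carrying the user when the two values
  # differ, the password is shorter than MIN_PASSWORD_LENGTH, or the
  # record fails to save.
  def change_password(user_id, attributes)
    # make sure that user exists
    user = User.find(user_id)

    # copy the password field values from attributes
    user.new_password     = attributes['new_password'].to_s
    user.retyped_password = attributes['retyped_password'].to_s

    if user.new_password != user.retyped_password
      user.errors.add('retyped_password', l(:retyped_password_mismatch))
    end
    if user.new_password.length < MIN_PASSWORD_LENGTH
      user.errors.add('new_password', l(:password_too_short))
    end
    raise RForum::ValidationError.new(user) unless user.errors.empty?

    user.encrypt_password(user.new_password)
    # A failed save must not look like success to the caller; surface it
    # so #edit re-renders the form with the record's errors.
    raise RForum::ValidationError.new(user) unless user.save
  end
end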