working on authentication

app/controllers/application_controller.rb

@@ -1,3 +1,3 @@
 class ApplicationController < ActionController::Base
-  protect_from_forgery with: :exception
+  protect_from_forgery with: :exception, prepend: true
 end

app/controllers/schools_controller.rb

@@ -1,11 +1,8 @@
 class SchoolsController < ApplicationController
+  before_action :authenticate_user!, except: [:show]
   before_action :set_school, only: [:admin, :show, :edit, :update, :destroy]
+  before_action :verify_admin, except: [:show, :create, :new]
 
-  # GET /schools
-  # GET /schools.json
-  def index
-    @schools = School.all
-  end
 
   # GET /schools/1
   # GET /schools/1.json
@@ -13,6 +10,9 @@ class SchoolsController < ApplicationController
     @school_categories = @school.school_categories.for_parent_category(@school, nil).sort
   end
 
+  def admin
+  end
+
   # GET /schools/new
   def new
     @school = School.new
@@ -72,4 +72,11 @@ class SchoolsController < ApplicationController
     def school_params
       params.require(:school).permit(:name, :district_id)
     end
+
+    def verify_admin
+      return true if current_user.admin?(@school)
+
+      redirect_to root_path, notice: 'You must be logged in as an admin of that school to access that page.'
+      return false
+    end
 end

app/controllers/users_controller.rb

@@ -0,0 +1,17 @@
+class UsersController < ApplicationController
+
+  def show
+  end
+
+
+  # private
+  #   # Use callbacks to share common setup or constraints between actions.
+  #   def set_district
+  #     @district = District.find(params[:id])
+  #   end
+  #
+  #   # Never trust parameters from the scary internet, only allow the white list through.
+  #   def district_params
+  #     params.require(:district).permit(:name, :state_id)
+  #   end
+end

app/models/user.rb

@@ -3,4 +3,15 @@ class User < ApplicationRecord
   # :confirmable, :lockable, :timeoutable and :omniauthable
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :trackable, :validatable
+
+  has_many :user_schools
+
+  def schools
+    districts = user_schools.map(&:district).compact.uniq
+    (user_schools.map(&:school) + districts.map(&:schools)).flatten.compact.uniq
+  end
+
+  def admin?(school)
+    schools.index(school).present?
+  end
 end

app/models/user_school.rb

@@ -0,0 +1,7 @@
+class UserSchool < ApplicationRecord
+
+  belongs_to :user
+  belongs_to :school
+  belongs_to :district
+
+end

app/views/schools/admin.html.haml

@@ -65,7 +65,7 @@
           %tbody
             %thead{style: 'font-weight: bold;'}
               %th Name
-              %th Descriptin
+              %th Description
               %th{colspan: 2} Actions
             - @school.recipient_lists.each do |recipient_list|
               %tr.recipient

app/views/schools/index.html.haml

@@ -1,17 +0,0 @@
-%h1 Schools
-%table
-  %thead
-    %tr
-      %th Name
-      %th District
-      %th{:colspan => "3"}
-  %tbody
-    - @schools.each do |school|
-      %tr
-        %td= school.name
-        %td= school.district_id
-        %td= link_to 'Show', school
-        %td= link_to 'Edit', edit_school_path(school)
-        %td= link_to 'Destroy', school, method: :delete, data: { confirm: 'Are you sure?' }
-%br/
-= link_to 'New School', new_school_path

app/views/schools/index.json.jbuilder

@@ -1,4 +0,0 @@
-json.array!(@schools) do |school|
-  json.extract! school, :id, :name, :district_id
-  json.url school_url(school, format: :json)
-end

app/views/users/show.html.haml

@@ -0,0 +1,19 @@
+%h2.text-center= current_user.email
+
+%br
+%br
+%br
+%h3 Schools
+- if current_user.schools.blank?
+  %p
+    %strong None Yet
+- else
+  %table{style: 'width: 100%;'}
+    %tbody
+      %thead{style: 'font-weight: bold;'}
+        %th Name
+        %th{colspan: 2}
+        - current_user.schools.each do |school|
+          %tr.school
+            %td= link_to school.name, school
+            %td= link_to('Admin', school_admin_path(school))