danbooru/app/controllers/users_controller.rb

class UsersController < ApplicationController
  respond_to :html, :xml, :json
  skip_before_action :api_check

  def new
    @user = User.new
    respond_with(@user)
  end

  def edit
    @user = User.find(params[:id])
    check_privilege(@user)
    respond_with(@user)
  end

  def index
    if params[:name].present?
      @user = User.find_by_name!(params[:name])
      redirect_to user_path(@user)
    else
      @users = User.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
      respond_with(@users) do |format|
        format.xml do
          render :xml => @users.to_xml(:root => "users")
        end
        format.json do
          render json: @users.to_json
          expires_in params[:expiry].to_i.days if params[:expiry]
        end
      end
    end
  end

  def search
  end

  def show
    @user = User.find(params[:id])
    respond_with(@user, methods: @user.full_attributes)
  end

  def profile
    @user = CurrentUser.user

    if @user.is_member?
      respond_with(@user, methods: @user.full_attributes, template: "users/show")
    elsif request.format.html?
      redirect_to new_session_path
    else
      raise ActiveRecord::RecordNotFound
    end
  end

  def create
    @user = User.new(user_params(:create))
    if !Danbooru.config.enable_recaptcha? || verify_recaptcha(model: @user)
      @user.save
      if @user.errors.empty?
        session[:user_id] = @user.id
      else
        flash[:notice] = "Sign up failed: #{@user.errors.full_messages.join("; ")}"
      end
      set_current_user
      respond_with(@user)
    else
      flash[:notice] = "Sign up failed"
      redirect_to new_user_path
    end
  end

  def update
    @user = User.find(params[:id])
    check_privilege(@user)
    @user.update(user_params(:update))
    if @user.errors.any?
      flash[:notice] = @user.errors.full_messages.join("; ")
    else
      flash[:notice] = "Settings updated"
    end
    respond_with(@user) do |format|
      format.html { redirect_back fallback_location: edit_user_path(@user) }
    end
  end

  def custom_style
    @css = CustomCss.parse(CurrentUser.user.custom_style)
    expires_in 10.years
  end

  private

  def check_privilege(user)
    raise User::PrivilegeError unless (user.id == CurrentUser.id || CurrentUser.is_admin?)
  end

  def user_params(context)
    permitted_params = %i[
      password old_password password_confirmation email
      comment_threshold default_image_size favorite_tags blacklisted_tags
      time_zone per_page custom_style

      receive_email_notifications always_resize_images enable_post_navigation
      new_post_navigation_layout enable_privacy_mode
      enable_sequential_post_navigation hide_deleted_posts style_usernames
      enable_auto_complete show_deleted_children
      disable_categorized_saved_searches disable_tagged_filenames
      enable_recent_searches disable_cropped_thumbnails disable_mobile_gestures
      enable_safe_mode disable_responsive_mode disable_post_tooltips
      enable_recommended_posts opt_out_tracking
    ]

    permitted_params += [dmail_filter_attributes: %i[id words]]
    permitted_params << :name if context == :create
    permitted_params << :level if CurrentUser.is_admin?

    params.require(:user).permit(permitted_params)
  end
end