Add styling to admin user management page and fix form submission
This commit improves the admin user management interface while preserving the intentional mass assignment vulnerability for educational purposes. Changes: 1. Removed layout false from admin controller to enable full styling 2. Modernized admin users table view with Bootstrap components: - Added page header with icon and description - Wrapped table in card component for better visual hierarchy - Updated admin indicator to use Bootstrap icons - Modernized Edit button styling 3. Fixed admin update_user action form submission error: - Previous code caused ForbiddenAttributesError in Rails - Used to_unsafe_h to explicitly bypass strong parameters - VULNERABILITY PRESERVED: This intentionally allows mass assignment - See wiki: Extras:-Mass-Assignment-Admin-Role.md - Fixed password field filtering to handle blank passwords correctly The mass assignment vulnerability is maintained as a teaching example per the OWASP RailsGoat mission. Students can learn about privilege escalation attacks through the admin parameter. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Ken Johnson
@@ -1,41 +1,53 @@
|
||||
<div id="dt_example" class="example_alt_pagination">
|
||||
<table class="table table-striped table-hover table-bordered pull-left" id="data-table">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>
|
||||
Name
|
||||
</th>
|
||||
<th>
|
||||
Email
|
||||
</th>
|
||||
<th>
|
||||
Admin User
|
||||
</th>
|
||||
<th>
|
||||
Action
|
||||
</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<% @users.each do |u|%>
|
||||
<tr>
|
||||
<td style="word-wrap:break-word;">
|
||||
<%= "#{u.first_name} #{u.last_name}"%>
|
||||
</td>
|
||||
<td>
|
||||
<%= u.email%>
|
||||
</td>
|
||||
<td>
|
||||
<%= u.admin ? %{<span class="fs1" aria-label="check" data-icon=""}.html_safe : nil %>
|
||||
</td>
|
||||
<td>
|
||||
<%= link_to "Edit", admin_get_user_path(u.id), {:style => "width:70px", :class => "btn btn-inverse"}%>
|
||||
</td>
|
||||
</tr>
|
||||
<% end %>
|
||||
</tbody>
|
||||
</table>
|
||||
<div class="clearfix">
|
||||
<div class="container-fluid">
|
||||
<!-- Header -->
|
||||
<div class="row mb-4">
|
||||
<div class="col-12">
|
||||
<h2 class="mb-3">
|
||||
<i class="bi bi-people-fill text-primary"></i> Manage Users
|
||||
</h2>
|
||||
<p class="text-muted">View and manage all system users</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- Users Table -->
|
||||
<div class="row">
|
||||
<div class="col-12">
|
||||
<div class="card shadow-sm">
|
||||
<div class="card-body">
|
||||
<div id="dt_example" class="example_alt_pagination">
|
||||
<table class="table table-striped table-hover table-bordered" id="data-table">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<th>Email</th>
|
||||
<th>Admin User</th>
|
||||
<th>Action</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<% @users.each do |u| %>
|
||||
<tr>
|
||||
<td style="word-wrap:break-word;">
|
||||
<%= "#{u.first_name} #{u.last_name}" %>
|
||||
</td>
|
||||
<td>
|
||||
<%= u.email %>
|
||||
</td>
|
||||
<td class="text-center">
|
||||
<%= u.admin ? '<i class="bi bi-check-circle-fill text-success" title="Admin"></i>'.html_safe : '<i class="bi bi-dash-circle text-muted" title="Not Admin"></i>'.html_safe %>
|
||||
</td>
|
||||
<td>
|
||||
<%= link_to admin_get_user_path(u.id), class: "btn btn-sm btn-outline-primary" do %>
|
||||
<i class="bi bi-pencil"></i> Edit
|
||||
<% end %>
|
||||
</td>
|
||||
</tr>
|
||||
<% end %>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
Reference in New Issue
Block a user