This commit improves the admin user management interface while preserving
the intentional mass assignment vulnerability for educational purposes.
Changes:
1. Removed layout false from admin controller to enable full styling
2. Modernized admin users table view with Bootstrap components:
- Added page header with icon and description
- Wrapped table in card component for better visual hierarchy
- Updated admin indicator to use Bootstrap icons
- Modernized Edit button styling
3. Fixed admin update_user action form submission error:
- Previous code caused ForbiddenAttributesError in Rails
- Used to_unsafe_h to explicitly bypass strong parameters
- VULNERABILITY PRESERVED: This intentionally allows mass assignment
- See wiki: Extras:-Mass-Assignment-Admin-Role.md
- Fixed password field filtering to handle blank passwords correctly
The mass assignment vulnerability is maintained as a teaching example per
the OWASP RailsGoat mission. Students can learn about privilege escalation
attacks through the admin parameter.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove complex modal implementation and replace with simple page navigation:
- Convert get_user view from modal partial to full edit page
- Add proper form with Bootstrap 5 styling
- Link directly from users list to edit page
- Update controller actions to redirect instead of returning JSON
- Add flash messages for success/error feedback
- Remove all modal JavaScript and markup
- Remove modal CSS and backdrop handling
Benefits:
- Much simpler and more maintainable
- No JavaScript errors or complexity
- Standard Rails CRUD pattern
- Better user experience with proper navigation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Bootstrap 5 removed jQuery plugin support, so .modal('show') doesn't work.
Switch back to native Bootstrap 5 Modal API with proper initialization:
- Dispose of any existing modal instance before creating new one
- Create modal with explicit options (backdrop, keyboard, focus)
- Add detailed console logging for each step
This ensures the modal is properly initialized before showing.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Switch from bootstrap.Modal class to jQuery .modal('show') method.
Bootstrap 5 still supports the jQuery plugin API for backwards
compatibility, and this method handles initialization automatically.
This should fix the issue where modal.show() was called but the
modal wasn't appearing visually.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Log modal element to verify it exists
- Check for existing modal instance before creating new one
- Log each step of modal creation and show process
This helps identify why modal.show() isn't displaying the modal.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add console logging to openEditModal function to debug AJAX load
- Add explicit id and name attributes to admin select field
- Only show modal after content successfully loads
- Log errors if modal content fails to load
This helps diagnose the modal loading issue and fixes the Chrome
warning about form fields lacking id/name attributes.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add 'return false;' to onClick handler to prevent the # href
from causing page navigation/redirect to dashboard.
This fixes the issue where clicking Edit would redirect to
/admin/1/dashboard# instead of opening the modal.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fix "Illegal invocation" JavaScript error when opening edit modal:
- Remove Bootstrap 2 'hide' class from modal markup
- Add proper Bootstrap 5 modal structure (modal-dialog/modal-content)
- Update JavaScript to use Bootstrap 5 Modal API
- Load dynamic content into .modal-content instead of root modal
- Remove legacy data-toggle attribute from button
The modal now uses the correct Bootstrap 5.3 structure and API,
resolving selector-engine.js errors.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* add 'aria-label' into some elements without the label
* add 'aris-label' into some visual elements
* replace some 'a' elements have a button action to 'button'
no functional change here, but familiar Rails users will see view files in the
locations they expect. this also slightly simplifies controller code
there is one attendant change in the wiki at `rails_3/A1-SQL-Injection-Interpolation.md`
that I'm happy to make after the PR is merged.
Ken Johnson