railsgoat/app/controllers/admin_controller.rb

# frozen_string_literal: true
class AdminController < ApplicationController
  before_action :administrative, if: :admin_param, except: [:get_user]
  skip_before_action :has_info

  def dashboard
  end

  def analytics
    if params[:field].nil?
      fields = "*"
    else
      fields = custom_fields.join(",")
    end

    if params[:ip]
      @analytics = Analytics.hits_by_ip(params[:ip], fields)
    else
      @analytics = Analytics.all
    end
  end

  def get_all_users
    @users = User.all
  end

  def get_user
    @user = User.find_by_id(params[:admin_id].to_s)
    arr = ["true", "false"]
    @admin_select = @user.admin ? arr : arr.reverse
  end

  def update_user
    user = User.find_by_id(params[:admin_id])
    if user
      # VULNERABILITY: Using params[:user] directly without strong parameters
      # This allows mass assignment of any user attribute including 'admin'
      # See wiki: Extras:-Mass-Assignment-Admin-Role.md
      user_params = params[:user].to_unsafe_h if params[:user].respond_to?(:to_unsafe_h)
      user_params ||= params[:user]

      # Filter out password fields if blank to avoid validation errors
      filtered_params = user_params.reject { |k, v| (k == "password" || k == "password_confirmation") && v.blank? }

      user.update(filtered_params)
      user.save!
      flash[:success] = "User updated successfully"
      redirect_to admin_get_all_users_path(current_user.id)
    else
      flash[:error] = "User not found"
      redirect_to admin_get_all_users_path(current_user.id)
    end
  end

  def delete_user
    user = User.find_by(id: params[:admin_id])
    if user && !(current_user.id == user.id)
      # Call destroy here so that all association records w/ id are destroyed as well
      # Example user.retirement records would be destroyed
      user.destroy
      flash[:success] = "User deleted successfully"
    else
      flash[:error] = "Cannot delete this user"
    end
    redirect_to admin_get_all_users_path(current_user.id)
  end

  private

  def custom_fields
    params.require(:field).keys
  end
  helper_method :custom_fields

  def admin_param
    params[:admin_id] != "1"
  end
end