changes for pundit

Connor Turland 2016-03-12 09:37:32 +11:00
parent 669b337d04
commit 450db5eb8d
9 changed files with 19 additions and 110 deletions


@ -1,5 +1,6 @@
class ApplicationController < ActionController::Base
include Pundit
include PunditExtra
rescue_from Pundit::NotAuthorizedError, with: :handle_unauthorized
protect_from_forgery
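Review bot: `rescue_from Pundit::NotAuthorizedError, with: :handle_unauthorized` names a handler that is not defined anywhere in this hunk; if `handle_unauthorized` does not exist on ApplicationController (or come in via PunditExtra), the rescue itself raises NoMethodError and every denied request turns into a 500 instead of a controlled refusal. Confirm the method exists and that it answers with a 403 (or a redirect for HTML) rather than a 200 body, since the removed MapsController code answered JSON clients with `render json: "unauthorized"` and no error status. The class body continues past the end of the hunk.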


@ -4,8 +4,8 @@ class MainController < ApplicationController
include UsersHelper
include SynapsesHelper
after_action :verify_authorized, except: :index
after_action :verify_policy_scoped, only: :index
# after_action :verify_authorized, except: :index
# after_action :verify_policy_scoped, only: :index
respond_to :html, :json
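Review bot: Commenting out `verify_authorized` and `verify_policy_scoped` removes the only safety net that would catch an action in MainController that forgets to call `authorize`/`policy_scope`, so a missed check now fails open silently instead of raising after the action. If some actions genuinely have nothing to authorize, keep the callbacks and list those actions in `except:`/`only:`, as MapsController does in this same commit, rather than disabling the check for the whole controller; at minimum add a comment above the two lines saying why they are disabled and a TODO to restore them. The class body continues outside the hunk, so I cannot see which actions are affected.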


@ -1,8 +1,8 @@
class MapsController < ApplicationController
before_action :require_user, only: [:create, :update, :screenshot, :destroy]
after_action :verify_authorized, except: :activemaps, :featuredmaps, :mymaps, :usermaps
after_action :verify_policy_scoped, only: :activemaps, :featuredmaps, :mymaps, :usermaps
after_action :verify_authorized, except: [:activemaps, :featuredmaps, :mymaps, :usermaps]
after_action :verify_policy_scoped, only: [:activemaps, :featuredmaps, :mymaps, :usermaps]
respond_to :html, :json
@ -68,11 +68,7 @@ class MapsController < ApplicationController
# GET maps/:id
def show
@map = Map.find(params[:id])
authorize! @map
if not @map
redirect_to root_url, notice: "Access denied. That map is private." and return
end
authorize @map
respond_to do |format|
format.html {
@ -86,18 +82,14 @@ class MapsController < ApplicationController
respond_with(@allmappers, @allmappings, @allsynapses, @alltopics, @map)
}
format.json { render json: @map }
format.json { render json: @map.as_json }
end
end
# GET maps/:id/contains
def contains
@map = Map.find(params[:id])
authorize! @map
if not @map
redirect_to root_url, notice: "Access denied. That map is private." and return
end
authorize @map
@allmappers = @map.contributors
@alltopics = @map.topics.to_a.delete_if {|t| t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)) }
@ -140,7 +132,7 @@ class MapsController < ApplicationController
mapping.xloc = topic[1]
mapping.yloc = topic[2]
@map.topicmappings << mapping
authorize! mapping, :create
authorize mapping, :create
mapping.save
end
@ -153,7 +145,7 @@ class MapsController < ApplicationController
mapping.map = @map
mapping.mappable = Synapse.find(synapse_id)
@map.synapsemappings << mapping
authorize! mapping, :create
authorize mapping, :create
mapping.save
end
end
@ -161,7 +153,7 @@ class MapsController < ApplicationController
@map.arranged = true
end
authorize! @map
authorize @map
if @map.save
respond_to do |format|
@ -177,12 +169,10 @@ class MapsController < ApplicationController
# PUT maps/:id
def update
@map = Map.find(params[:id])
authorize! @map
authorize @map
respond_to do |format|
if !@map
format.json { render json: "unauthorized" }
elsif @map.update_attributes(map_params)
if @map.update_attributes(map_params)
format.json { head :no_content }
else
format.json { render json: @map.errors, status: :unprocessable_entity }
@ -193,7 +183,7 @@ class MapsController < ApplicationController
# POST maps/:id/upload_screenshot
def screenshot
@map = Map.find(params[:id])
authorize! @map
authorize @map
png = Base64.decode64(params[:encoded_image]['data:image/png;base64,'.length .. -1])
StringIO.open(png) do |data|
@ -213,7 +203,7 @@ class MapsController < ApplicationController
# DELETE maps/:id
def destroy
@map = Map.find(params[:id])
authorize! @map
authorize @map
@map.delete
@ -228,6 +218,6 @@ class MapsController < ApplicationController
# Never trust parameters from the scary internet, only allow the white list through.
def map_params
params.require(:map).permit(:id, :name, :arranged, :desc, :permission, :user_id)
params.require(:map).permit(:id, :name, :arranged, :desc, :permission)
end
end
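Review bot: `authorize mapping, :create` (both occurrences inside `create`) passes the query without the trailing `?`; Pundit's `authorize(record, query)` does `policy.public_send(query)`, so this calls `MappingPolicy#create` rather than `create?` and will raise NoMethodError unless the policy happens to define a bare `create` method — it should read `authorize mapping, :create?`. Separately, `map_params` still permits `:id`, which lets a client reassign a map's primary key through `update_attributes`; dropping `:id` alongside the removed `:user_id` would close that and keep the whitelist to real attributes. The `create` action begins before the first hunk that touches it, so its surrounding logic is not visible here.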


@ -78,36 +78,7 @@ class Map < ActiveRecord::Base
json[:updated_at_clean] = updated_at_str
json
end
##### PERMISSIONS ######
def authorize_to_delete(user)
if (self.user != user)
return false
end
return self
end
# returns false if user not allowed to 'show' Topic, Synapse, or Map
def authorize_to_show(user)
if (self.permission == "private" && self.user != user)
return false
end
return self
end
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
def authorize_to_edit(user)
if !user
return false
elsif (self.permission == "private" && self.user != user)
return false
elsif (self.permission == "public" && self.user != user)
return false
end
return self
end
def decode_base64(imgBase64)
decoded_data = Base64.decode64(imgBase64)


@ -34,30 +34,4 @@ class Synapse < ActiveRecord::Base
end
# :nocov:
##### PERMISSIONS ######
# returns false if user not allowed to 'show' Topic, Synapse, or Map
def authorize_to_show(user)
if (self.permission == "private" && self.user != user)
return false
end
return self
end
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
def authorize_to_edit(user)
if (self.permission == "private" && self.user != user)
return false
elsif (self.permission == "public" && self.user != user)
return false
end
return self
end
def authorize_to_delete(user)
if (self.user == user || user.admin)
return self
end
return false
end
end


@ -87,31 +87,4 @@ class Topic < ActiveRecord::Base
end
result
end
##### PERMISSIONS ######
# returns false if user not allowed to 'show' Topic, Synapse, or Map
def authorize_to_show(user)
if (self.permission == "private" && self.user != user)
return false
end
return self
end
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
def authorize_to_edit(user)
if (self.permission == "private" && self.user != user)
return false
elsif (self.permission == "public" && self.user != user)
return false
end
return self
end
def authorize_to_delete(user)
if (self.user == user || user.admin)
return self
end
return false
end
end


@ -39,7 +39,7 @@ class ApplicationPolicy
# explicitly say they want to (E.g. seeing/editing/deleting private
# maps - they should be able to, but not by accident)
def admin_override
user.admin
user && user.admin
end
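Review bot: The new `user && user.admin` guard is the only place in this diff that acknowledges `user` can be nil, and that contract deserves to be written down on the policy so the scopes below follow it: `# user is nil for unauthenticated requests; never call user.x unguarded in policies or scopes`. Without that note the next policy method will reintroduce an unguarded `user.id` and 500 for logged-out visitors. The `scope` method that starts on the hunk's last line is cut off.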
def scope


@ -1,7 +1,7 @@
class MapPolicy < ApplicationPolicy
class Scope < Scope
def resolve
scope.where('permission IN ("public", "commons") OR user_id = ?', user.id)
scope.where('maps.permission IN (?) OR maps.user_id = ?', ["public", "commons"], user.id)
end
end
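Review bot: `resolve` still calls `user.id` unguarded, so for an anonymous visitor (a real case, judging by the `user && user.admin` guard added to ApplicationPolicy in this same commit) `policy_scope(Map)` raises NoMethodError on nil, and the `activemaps`/`featuredmaps` actions that MapsController now requires to be policy-scoped would 500 for logged-out users. Bind a nil instead, which makes the `user_id` branch never match and leaves only public/commons maps: `scope.where('maps.permission IN (?) OR maps.user_id = ?', ["public", "commons"], user.try(:id))`. Moving the permission values into a bind parameter is the right fix for the double-quoted `"public"` literal problem; MappingPolicy::Scope should get the same change.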


@ -5,7 +5,7 @@ class MappingPolicy < ApplicationPolicy
# it would be nice if we could also base this on the mappable, but that
# gets really complicated. Devin thinks it's OK to SHOW a mapping for
# a private topic, since you can't see the private topic anyways
scope.joins(:maps).where('maps.permission IN ("public", "commons") OR user_id = ?', user.id)
scope.joins(:maps).where('maps.permission IN ("public", "commons") OR maps.user_id = ?', user.id)
end
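Review bot: This scope still embeds `IN ("public", "commons")` as double-quoted literals, which PostgreSQL (and MySQL with ANSI_QUOTES) parse as column identifiers rather than strings, so depending on the adapter the query errors instead of filtering; the same commit already switched MapPolicy::Scope to a bind parameter and this line should match it: `scope.joins(:maps).where('maps.permission IN (?) OR maps.user_id = ?', ["public", "commons"], user.try(:id))`. `user.try(:id)` also stops the scope raising NoMethodError for an anonymous visitor, binding NULL so the owner branch never matches. If Mapping `belongs_to :map` rather than `has_many :maps`, `joins(:maps)` is the wrong association name and should be `joins(:map)` (the `maps.` table prefix in the SQL stays as is); I cannot confirm the model from this hunk. The enclosing `resolve` starts before the hunk.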
end