changes for pundit

This commit is contained in:
Connor Turland 2016-03-12 09:37:32 +11:00
parent 669b337d04
commit 450db5eb8d
9 changed files with 19 additions and 110 deletions


@ -1,5 +1,6 @@
class ApplicationController < ActionController::Base class ApplicationController < ActionController::Base
include Pundit include Pundit
include PunditExtra
rescue_from Pundit::NotAuthorizedError, with: :handle_unauthorized rescue_from Pundit::NotAuthorizedError, with: :handle_unauthorized
protect_from_forgery protect_from_forgery

View file

@ -4,8 +4,8 @@ class MainController < ApplicationController
include UsersHelper include UsersHelper
include SynapsesHelper include SynapsesHelper
after_action :verify_authorized, except: :index # after_action :verify_authorized, except: :index
after_action :verify_policy_scoped, only: :index # after_action :verify_policy_scoped, only: :index
respond_to :html, :json respond_to :html, :json

View file

@ -1,8 +1,8 @@
class MapsController < ApplicationController class MapsController < ApplicationController
before_action :require_user, only: [:create, :update, :screenshot, :destroy] before_action :require_user, only: [:create, :update, :screenshot, :destroy]
after_action :verify_authorized, except: :activemaps, :featuredmaps, :mymaps, :usermaps after_action :verify_authorized, except: [:activemaps, :featuredmaps, :mymaps, :usermaps]
after_action :verify_policy_scoped, only: :activemaps, :featuredmaps, :mymaps, :usermaps after_action :verify_policy_scoped, only: [:activemaps, :featuredmaps, :mymaps, :usermaps]
respond_to :html, :json respond_to :html, :json
@ -68,11 +68,7 @@ class MapsController < ApplicationController
# GET maps/:id # GET maps/:id
def show def show
@map = Map.find(params[:id]) @map = Map.find(params[:id])
authorize! @map authorize @map
if not @map
redirect_to root_url, notice: "Access denied. That map is private." and return
end
respond_to do |format| respond_to do |format|
format.html { format.html {
@ -86,18 +82,14 @@ class MapsController < ApplicationController
respond_with(@allmappers, @allmappings, @allsynapses, @alltopics, @map) respond_with(@allmappers, @allmappings, @allsynapses, @alltopics, @map)
} }
format.json { render json: @map } format.json { render json: @map.as_json }
end end
end end
# GET maps/:id/contains # GET maps/:id/contains
def contains def contains
@map = Map.find(params[:id]) @map = Map.find(params[:id])
authorize! @map authorize @map
if not @map
redirect_to root_url, notice: "Access denied. That map is private." and return
end
@allmappers = @map.contributors @allmappers = @map.contributors
@alltopics = @map.topics.to_a.delete_if {|t| t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)) } @alltopics = @map.topics.to_a.delete_if {|t| t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)) }
@ -140,7 +132,7 @@ class MapsController < ApplicationController
mapping.xloc = topic[1] mapping.xloc = topic[1]
mapping.yloc = topic[2] mapping.yloc = topic[2]
@map.topicmappings << mapping @map.topicmappings << mapping
authorize! mapping, :create authorize mapping, :create
mapping.save mapping.save
end end
@ -153,7 +145,7 @@ class MapsController < ApplicationController
mapping.map = @map mapping.map = @map
mapping.mappable = Synapse.find(synapse_id) mapping.mappable = Synapse.find(synapse_id)
@map.synapsemappings << mapping @map.synapsemappings << mapping
authorize! mapping, :create authorize mapping, :create
mapping.save mapping.save
end end
end end
@ -161,7 +153,7 @@ class MapsController < ApplicationController
@map.arranged = true @map.arranged = true
end end
authorize! @map authorize @map
if @map.save if @map.save
respond_to do |format| respond_to do |format|
@ -177,12 +169,10 @@ class MapsController < ApplicationController
# PUT maps/:id # PUT maps/:id
def update def update
@map = Map.find(params[:id]) @map = Map.find(params[:id])
authorize! @map authorize @map
respond_to do |format| respond_to do |format|
if !@map if @map.update_attributes(map_params)
format.json { render json: "unauthorized" }
elsif @map.update_attributes(map_params)
format.json { head :no_content } format.json { head :no_content }
else else
format.json { render json: @map.errors, status: :unprocessable_entity } format.json { render json: @map.errors, status: :unprocessable_entity }
@ -193,7 +183,7 @@ class MapsController < ApplicationController
# POST maps/:id/upload_screenshot # POST maps/:id/upload_screenshot
def screenshot def screenshot
@map = Map.find(params[:id]) @map = Map.find(params[:id])
authorize! @map authorize @map
png = Base64.decode64(params[:encoded_image]['data:image/png;base64,'.length .. -1]) png = Base64.decode64(params[:encoded_image]['data:image/png;base64,'.length .. -1])
StringIO.open(png) do |data| StringIO.open(png) do |data|
@ -213,7 +203,7 @@ class MapsController < ApplicationController
# DELETE maps/:id # DELETE maps/:id
def destroy def destroy
@map = Map.find(params[:id]) @map = Map.find(params[:id])
authorize! @map authorize @map
@map.delete @map.delete
@ -228,6 +218,6 @@ class MapsController < ApplicationController
# Never trust parameters from the scary internet, only allow the white list through. # Never trust parameters from the scary internet, only allow the white list through.
def map_params def map_params
params.require(:map).permit(:id, :name, :arranged, :desc, :permission, :user_id) params.require(:map).permit(:id, :name, :arranged, :desc, :permission)
end end
end end

View file

@ -79,35 +79,6 @@ class Map < ActiveRecord::Base
json json
end end
##### PERMISSIONS ######
def authorize_to_delete(user)
if (self.user != user)
return false
end
return self
end
# returns false if user not allowed to 'show' Topic, Synapse, or Map
def authorize_to_show(user)
if (self.permission == "private" && self.user != user)
return false
end
return self
end
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
def authorize_to_edit(user)
if !user
return false
elsif (self.permission == "private" && self.user != user)
return false
elsif (self.permission == "public" && self.user != user)
return false
end
return self
end
def decode_base64(imgBase64) def decode_base64(imgBase64)
decoded_data = Base64.decode64(imgBase64) decoded_data = Base64.decode64(imgBase64)

View file

@ -34,30 +34,4 @@ class Synapse < ActiveRecord::Base
end end
# :nocov: # :nocov:
##### PERMISSIONS ######
# returns false if user not allowed to 'show' Topic, Synapse, or Map
def authorize_to_show(user)
if (self.permission == "private" && self.user != user)
return false
end
return self
end
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
def authorize_to_edit(user)
if (self.permission == "private" && self.user != user)
return false
elsif (self.permission == "public" && self.user != user)
return false
end
return self
end
def authorize_to_delete(user)
if (self.user == user || user.admin)
return self
end
return false
end
end end

View file

@ -87,31 +87,4 @@ class Topic < ActiveRecord::Base
end end
result result
end end
##### PERMISSIONS ######
# returns false if user not allowed to 'show' Topic, Synapse, or Map
def authorize_to_show(user)
if (self.permission == "private" && self.user != user)
return false
end
return self
end
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
def authorize_to_edit(user)
if (self.permission == "private" && self.user != user)
return false
elsif (self.permission == "public" && self.user != user)
return false
end
return self
end
def authorize_to_delete(user)
if (self.user == user || user.admin)
return self
end
return false
end
end end

View file

@ -39,7 +39,7 @@ class ApplicationPolicy
# explicitly say they want to (E.g. seeing/editing/deleting private # explicitly say they want to (E.g. seeing/editing/deleting private
# maps - they should be able to, but not by accident) # maps - they should be able to, but not by accident)
def admin_override def admin_override
user.admin user && user.admin
end end
def scope def scope

View file

@ -1,7 +1,7 @@
class MapPolicy < ApplicationPolicy class MapPolicy < ApplicationPolicy
class Scope < Scope class Scope < Scope
def resolve def resolve
scope.where('permission IN ("public", "commons") OR user_id = ?', user.id) scope.where('maps.permission IN (?) OR maps.user_id = ?', ["public", "commons"], user.id)
end end
end end

View file

@ -5,7 +5,7 @@ class MappingPolicy < ApplicationPolicy
# it would be nice if we could also base this on the mappable, but that # it would be nice if we could also base this on the mappable, but that
# gets really complicated. Devin thinks it's OK to SHOW a mapping for # gets really complicated. Devin thinks it's OK to SHOW a mapping for
# a private topic, since you can't see the private topic anyways # a private topic, since you can't see the private topic anyways
scope.joins(:maps).where('maps.permission IN ("public", "commons") OR user_id = ?', user.id) scope.joins(:maps).where('maps.permission IN ("public", "commons") OR maps.user_id = ?', user.id)
end end
end end