From d8c328468ed318f38b93f39112276935343fe7c9 Mon Sep 17 00:00:00 2001 From: Connor Turland Date: Sat, 12 Mar 2016 09:37:32 +1100 Subject: [PATCH 1/9] changess for pundit --- app/controllers/application_controller.rb | 1 + app/controllers/main_controller.rb | 4 +-- app/controllers/maps_controller.rb | 36 ++++++++--------------- app/models/map.rb | 29 ------------------ app/models/synapse.rb | 26 ---------------- app/models/topic.rb | 27 ----------------- app/policies/application_policy.rb | 2 +- app/policies/map_policy.rb | 2 +- app/policies/mapping_policy.rb | 2 +- 9 files changed, 19 insertions(+), 110 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 6d10c553..d030c6e6 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,5 +1,6 @@ class ApplicationController < ActionController::Base include Pundit + include PunditExtra rescue_from Pundit::NotAuthorizedError, with: :handle_unauthorized protect_from_forgery diff --git a/app/controllers/main_controller.rb b/app/controllers/main_controller.rb index 29c11777..efebdce7 100644 --- a/app/controllers/main_controller.rb +++ b/app/controllers/main_controller.rb @@ -4,8 +4,8 @@ class MainController < ApplicationController include UsersHelper include SynapsesHelper - after_action :verify_authorized, except: :index - after_action :verify_policy_scoped, only: :index +# after_action :verify_authorized, except: :index +# after_action :verify_policy_scoped, only: :index respond_to :html, :json diff --git a/app/controllers/maps_controller.rb b/app/controllers/maps_controller.rb index 016ba7b5..83f7cb89 100644 --- a/app/controllers/maps_controller.rb +++ b/app/controllers/maps_controller.rb 
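Review bot: MainController now has no `verify_authorized`/`verify_policy_scoped` backstop at all, so an action that forgets to call `authorize` or `policy_scope` fails open silently instead of raising. If some actions legitimately need no policy, narrow the filter rather than commenting it out, e.g. `after_action :verify_authorized, except: [:index, <other intentionally unchecked actions>]` with a comment stating why, or `skip_after_action` per action. Leaving the two lines commented also reads as temporary debugging rather than a decision.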
@@ -1,7 +1,7 @@ class MapsController < ApplicationController before_action :require_user, only: [:create, :update, :screenshot, :destroy] - after_action :verify_authorized, except: :activemaps, :featuredmaps, :mymaps, :usermaps - after_action :verify_policy_scoped, only: :activemaps, :featuredmaps, :mymaps, :usermaps + after_action :verify_authorized, except: [:activemaps, :featuredmaps, :mymaps, :usermaps] + after_action :verify_policy_scoped, only: [:activemaps, :featuredmaps, :mymaps, :usermaps] respond_to :html, :json @@ -67,11 +67,7 @@ class MapsController < ApplicationController # GET maps/:id def show @map = Map.find(params[:id]) - authorize! @map - - if not @map - redirect_to root_url, notice: "Access denied. That map is private." and return - end + authorize @map respond_to do |format| format.html { @@ -85,18 +81,14 @@ class MapsController < ApplicationController respond_with(@allmappers, @allmappings, @allsynapses, @alltopics, @map) } - format.json { render json: @map } + format.json { render json: @map.as_json } end end # GET maps/:id/contains def contains @map = Map.find(params[:id]) - authorize! @map - - if not @map - redirect_to root_url, notice: "Access denied. That map is private." and return - end + authorize @map @allmappers = @map.contributors @alltopics = @map.topics.to_a.delete_if {|t| t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)) } @@ -139,7 +131,7 @@ class MapsController < ApplicationController mapping.xloc = topic[1] mapping.yloc = topic[2] @map.topicmappings << mapping - authorize! mapping, :create + authorize mapping, :create mapping.save end @@ -152,7 +144,7 @@ class MapsController < ApplicationController mapping.map = @map mapping.mappable = Synapse.find(synapse_id) @map.synapsemappings << mapping - authorize! mapping, :create + authorize mapping, :create mapping.save end end 
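Review bot: `contains` still filters `@alltopics` by hand with `t.permission == "private" && (!authenticated? || ...)` directly after the new `authorize @map`, while the rest of this series moves visibility decisions into policy scopes, so there are now two definitions of "can this user see this topic" that can drift apart. Consider `@alltopics = policy_scope(@map.topics).to_a` so `TopicPolicy::Scope` is the single source of truth. The rest of `contains` is outside the hunk, so the later synapse filtering presumably needs the same treatment.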
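Review bot: `authorize mapping, :create` passes the bare action name, but Pundit's `authorize(record, query)` sends `query` to the policy verbatim, so this looks up `MappingPolicy#create` rather than `create?` and raises NoMethodError instead of authorizing (unless `PunditExtra`, which is not shown here, normalizes the query). Use `authorize mapping, :create?` here and in the synapse-mapping loop at the -152 hunk below. Both loops sit inside `create`, whose body starts and ends outside these hunks.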
@@ -160,7 +152,7 @@ class MapsController < ApplicationController @map.arranged = true end - authorize! @map + authorize @map if @map.save respond_to do |format| @@ -176,12 +168,10 @@ class MapsController < ApplicationController # PUT maps/:id def update @map = Map.find(params[:id]) - authorize! @map + authorize @map respond_to do |format| - if !@map - format.json { render json: "unauthorized" } - elsif @map.update_attributes(map_params) + if @map.update_attributes(map_params) format.json { head :no_content } else format.json { render json: @map.errors, status: :unprocessable_entity } @@ -192,7 +182,7 @@ class MapsController < ApplicationController # POST maps/:id/upload_screenshot def screenshot @map = Map.find(params[:id]) - authorize! @map + authorize @map png = Base64.decode64(params[:encoded_image]['data:image/png;base64,'.length .. -1]) StringIO.open(png) do |data| @@ -212,7 +202,7 @@ class MapsController < ApplicationController # DELETE maps/:id def destroy @map = Map.find(params[:id]) - authorize! @map + authorize @map @map.delete @@ -227,6 +217,6 @@ class MapsController < ApplicationController # Never trust parameters from the scary internet, only allow the white list through. def map_params - params.require(:map).permit(:id, :name, :arranged, :desc, :permission, :user_id) + params.require(:map).permit(:id, :name, :arranged, :desc, :permission) end end diff --git a/app/models/map.rb b/app/models/map.rb index 6c2caca2..87c8d641 100644 --- a/app/models/map.rb +++ b/app/models/map.rb 
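Review bot: `map_params` no longer permits `:user_id`, so `create` must set the owner itself, and the create hunk above (-160) shows only `authorize @map` and `@map.save` with no `@map.user = current_user`; the start of `create` is outside the hunk, so please confirm the assignment happens there. Without it new maps are saved with a nil `user_id`, and `MapPolicy#update?`'s `record.user == user` will never match for the creator. Dropping `:user_id` from the permit list is otherwise the right move, since it stops a client from choosing a map's owner.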
@@ -78,36 +78,7 @@ class Map < ActiveRecord::Base json[:updated_at_clean] = updated_at_str json end - - ##### PERMISSIONS ###### - def authorize_to_delete(user) - if (self.user != user) - return false - end - return self - end - - # returns false if user not allowed to 'show' Topic, Synapse, or Map - def authorize_to_show(user) - if (self.permission == "private" && self.user != user) - return false - end - return self - end - - # returns false if user not allowed to 'edit' Topic, Synapse, or Map - def authorize_to_edit(user) - if !user - return false - elsif (self.permission == "private" && self.user != user) - return false - elsif (self.permission == "public" && self.user != user) - return false - end - return self - end - def decode_base64(imgBase64) decoded_data = Base64.decode64(imgBase64) diff --git a/app/models/synapse.rb b/app/models/synapse.rb index ea5889cc..beda8976 100644 --- a/app/models/synapse.rb +++ b/app/models/synapse.rb @@ -32,30 +32,4 @@ class Synapse < ActiveRecord::Base end # :nocov: - ##### PERMISSIONS ###### - - # returns false if user not allowed to 'show' Topic, Synapse, or Map - def authorize_to_show(user) - if (self.permission == "private" && self.user != user) - return false - end - return self - end - - # returns false if user not allowed to 'edit' Topic, Synapse, or Map - def authorize_to_edit(user) - if (self.permission == "private" && self.user != user) - return false - elsif (self.permission == "public" && self.user != user) - return false - end - return self - end - - def authorize_to_delete(user) - if (self.user == user || user.admin) - return self - end - return false - end end diff --git a/app/models/topic.rb b/app/models/topic.rb index c528aa6e..0039040e 100644 --- a/app/models/topic.rb +++ b/app/models/topic.rb 
@@ -87,31 +87,4 @@ class Topic < ActiveRecord::Base end result end - - ##### PERMISSIONS ###### - - # returns false if user not allowed to 'show' Topic, Synapse, or Map - def authorize_to_show(user) - if (self.permission == "private" && self.user != user) - return false - end - return self - end - - # returns false if user not allowed to 'edit' Topic, Synapse, or Map - def authorize_to_edit(user) - if (self.permission == "private" && self.user != user) - return false - elsif (self.permission == "public" && self.user != user) - return false - end - return self - end - - def authorize_to_delete(user) - if (self.user == user || user.admin) - return self - end - return false - end end diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb index 6bd56c64..39b7a961 100644 --- a/app/policies/application_policy.rb +++ b/app/policies/application_policy.rb @@ -39,7 +39,7 @@ class ApplicationPolicy # explicitly say they want to (E.g. seeing/editing/deleting private # maps - they should be able to, but not by accident) def admin_override - user.admin + user && user.admin end def scope diff --git a/app/policies/map_policy.rb b/app/policies/map_policy.rb index 671eea83..5e845d44 100644 --- a/app/policies/map_policy.rb +++ b/app/policies/map_policy.rb @@ -1,7 +1,7 @@ class MapPolicy < ApplicationPolicy class Scope < Scope def resolve - scope.where('permission IN ("public", "commons") OR user_id = ?', user.id) + scope.where('maps.permission IN (?) OR maps.user_id = ?', ["public", "commons"], user.id) end end diff --git a/app/policies/mapping_policy.rb b/app/policies/mapping_policy.rb index 44e7bfd7..49e134ef 100644 --- a/app/policies/mapping_policy.rb +++ b/app/policies/mapping_policy.rb 
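Review bot: `MapPolicy::Scope#resolve` calls `user.id` unconditionally, so `policy_scope(Map)` raises NoMethodError for an anonymous visitor, even though this same commit makes `admin_override` nil-safe with `user && user.admin` and the list actions in `MapsController` are not behind `require_user`. Guard the anonymous case before the existing `where`, e.g. `return scope.where('maps.permission IN (?)', ["public", "commons"]) unless user`. The same `user.id` pattern is in `MappingPolicy::Scope` in the next hunk and in the `SynapsePolicy`/`TopicPolicy` scopes touched in patch 4.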
@@ -5,7 +5,7 @@ class MappingPolicy < ApplicationPolicy # it would be nice if we could also base this on the mappable, but that # gets really complicated. Devin thinks it's OK to SHOW a mapping for # a private topic, since you can't see the private topic anyways - scope.joins(:maps).where('maps.permission IN ("public", "commons") OR user_id = ?', user.id) + scope.joins(:maps).where('maps.permission IN ("public", "commons") OR maps.user_id = ?', user.id) end end From 2d53922f1c4173131f5131ae9687f99b7dd4f988 Mon Sep 17 00:00:00 2001 From: Connor Turland Date: Sat, 12 Mar 2016 09:54:23 +1100 Subject: [PATCH 2/9] can load maps --- app/views/layouts/application.html.erb | 2 +- app/views/maps/_mapinfobox.html.erb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb index c09d227e..0480cb39 100644 --- a/app/views/layouts/application.html.erb +++ b/app/views/layouts/application.html.erb @@ -81,7 +81,7 @@ classes += controller_name == "maps" && action_name == "index" ? " explorePage" : "" if controller_name == "maps" && action_name == "show" classes += " mapPage" - if @map.authorize_to_edit(current_user) + if policy(@map).update? classes += " canEditMap" end if @map.permission == "commons" diff --git a/app/views/maps/_mapinfobox.html.erb b/app/views/maps/_mapinfobox.html.erb index 1fa6da02..ff90532c 100644 --- a/app/views/maps/_mapinfobox.html.erb +++ b/app/views/maps/_mapinfobox.html.erb @@ -4,7 +4,7 @@ #%>
- <%= @map && @map.authorize_to_edit(user) ? " canEdit" : "" %> + <%= @map && policy(@map).update? ? " canEdit" : "" %> <%= @map && @map.permission != 'private' ? " shareable" : "" %>"> <% if @map %> @@ -41,7 +41,7 @@
- <% if (authenticated? && @map.authorize_to_edit(user)) || (!authenticated? && @map.desc != "" && @map.desc != nil )%> + <% if (authenticated? && policy(@map).update?) || (!authenticated? && @map.desc != "" && @map.desc != nil )%> <%= best_in_place @map, :desc, :activator => "#mapInfoDesc", :as => :textarea, :placeholder => "Click to add description...", :class => 'best_in_place_desc' %> <% end %>
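Review bot: The rewritten condition `(!authenticated? && @map.desc != "" && @map.desc != nil )` is `@map.desc.present?` in Rails; suggest `<% if (authenticated? && policy(@map).update?) || (!authenticated? && @map.desc.present?) %>`. Note also that the partial switched from passing `user` to `policy(@map)`, which resolves `current_user` through Pundit; fine if those are the same object in this view, but worth confirming since the old call took `user` explicitly.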
From 5f3f5212c5890a14d665c0709f33cfbed988d04b Mon Sep 17 00:00:00 2001 From: Connor Turland Date: Sat, 12 Mar 2016 10:06:00 +1100 Subject: [PATCH 3/9] pundit: syntax error --- app/controllers/topics_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/topics_controller.rb b/app/controllers/topics_controller.rb index 125005f9..e9239bac 100644 --- a/app/controllers/topics_controller.rb +++ b/app/controllers/topics_controller.rb @@ -24,7 +24,7 @@ class TopicsController < ApplicationController respond_to do |format| format.html { - @alltopics = ([@topic] + policy_scope(@topic.relatives) + @alltopics = ([@topic] + policy_scope(@topic.relatives)) @allsynapses = policy_scope(@topic.synapses) @allcreators = @alltopics.map(&:user).uniq From bd3afff06911576214ff2465bfb02e9e66c05810 Mon Sep 17 00:00:00 2001 From: Connor Turland Date: Sat, 12 Mar 2016 10:10:31 +1100 Subject: [PATCH 4/9] pundit: fix queries --- app/policies/mapping_policy.rb | 3 ++- app/policies/synapse_policy.rb | 2 +- app/policies/topic_policy.rb | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/app/policies/mapping_policy.rb b/app/policies/mapping_policy.rb index 49e134ef..39dbd86a 100644 --- a/app/policies/mapping_policy.rb +++ b/app/policies/mapping_policy.rb @@ -5,7 +5,8 @@ class MappingPolicy < ApplicationPolicy # it would be nice if we could also base this on the mappable, but that # gets really complicated. Devin thinks it's OK to SHOW a mapping for # a private topic, since you can't see the private topic anyways - scope.joins(:maps).where('maps.permission IN ("public", "commons") OR maps.user_id = ?', user.id) + scope.joins(:maps).where('maps.permission IN (?) OR maps.user_id = ?', + ["public", "commons"], user.id) end end diff --git a/app/policies/synapse_policy.rb b/app/policies/synapse_policy.rb index 6763014a..12f9c8ca 100644 --- a/app/policies/synapse_policy.rb +++ b/app/policies/synapse_policy.rb 
@@ -1,7 +1,7 @@ class SynapsePolicy < ApplicationPolicy class Scope < Scope def resolve - scope.where('permission IN ("public", "commons") OR user_id = ?', user.id) + scope.where('permission IN (?) OR user_id = ?', ["public", "commons"], user.id) end end diff --git a/app/policies/topic_policy.rb b/app/policies/topic_policy.rb index 03b42895..97fefdcc 100644 --- a/app/policies/topic_policy.rb +++ b/app/policies/topic_policy.rb @@ -1,7 +1,7 @@ class TopicPolicy < ApplicationPolicy class Scope < Scope def resolve - scope.where('permission IN ("public", "commons") OR user_id = ?', user.id) + scope.where('permission IN (?) OR user_id = ?', ["public", "commons"], user.id) end end From 1cf3182e7555cdb9c75253e1ca54fecbe47f1517 Mon Sep 17 00:00:00 2001 From: Connor Turland Date: Sat, 12 Mar 2016 10:13:22 +1100 Subject: [PATCH 5/9] pundit: exclude topic action --- app/controllers/topics_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/topics_controller.rb b/app/controllers/topics_controller.rb index e9239bac..0d58d912 100644 --- a/app/controllers/topics_controller.rb +++ b/app/controllers/topics_controller.rb @@ -2,7 +2,7 @@ class TopicsController < ApplicationController include TopicsHelper before_action :require_user, only: [:create, :update, :destroy] - after_action :verify_authorized + after_action :verify_authorized, except: :autocomplete_topic respond_to :html, :js, :json From dc6ccd20223709c087d7ef6784772cfd597ee381 Mon Sep 17 00:00:00 2001 From: Connor Turland Date: Sat, 12 Mar 2016 11:10:30 +1100 Subject: [PATCH 6/9] pundit: fixing up topics and synapses --- app/controllers/synapses_controller.rb | 8 ++++---- app/controllers/topics_controller.rb | 16 ++++++++-------- app/models/synapse.rb | 4 ++++ app/models/topic.rb | 7 +++++++ app/policies/synapse_policy.rb | 2 +- app/policies/topic_policy.rb | 2 +- 6 files changed, 25 insertions(+), 14 deletions(-) 
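Review bot: `autocomplete_topic` is now entirely outside Pundit's safety net, and autocomplete endpoints are a common place for private record names to leak to users who cannot view them. If the action queries `Topic` directly, wrap that query in `policy_scope(...)` and add `after_action :verify_policy_scoped, only: :autocomplete_topic` so the exemption is still covered by a check. The action body is outside this hunk, so I cannot tell whether it already does.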
diff --git a/app/controllers/synapses_controller.rb b/app/controllers/synapses_controller.rb index f242ad38..4440872f 100644 --- a/app/controllers/synapses_controller.rb +++ b/app/controllers/synapses_controller.rb @@ -10,7 +10,7 @@ class SynapsesController < ApplicationController # GET /synapses/1.json def show @synapse = Synapse.find(params[:id]) - authorize! @synapse + authorize @synapse render json: @synapse end @@ -20,7 +20,7 @@ class SynapsesController < ApplicationController def create @synapse = Synapse.new(synapse_params) @synapse.desc = "" if @synapse.desc.nil? - authorize! @synapse + authorize @synapse respond_to do |format| if @synapse.save @@ -36,7 +36,7 @@ class SynapsesController < ApplicationController def update @synapse = Synapse.find(params[:id]) @synapse.desc = "" if @synapse.desc.nil? - authorize! @synapse + authorize @synapse respond_to do |format| if @synapse.update_attributes(synapse_params) @@ -50,7 +50,7 @@ class SynapsesController < ApplicationController # DELETE synapses/:id def destroy @synapse = Synapse.find(params[:id]) - authorize! @synapse + authorize @synapse @synapse.delete respond_to do |format| diff --git a/app/controllers/topics_controller.rb b/app/controllers/topics_controller.rb index 0d58d912..1b1e9b3c 100644 --- a/app/controllers/topics_controller.rb +++ b/app/controllers/topics_controller.rb @@ -20,12 +20,12 @@ class TopicsController < ApplicationController # GET topics/:id def show @topic = Topic.find(params[:id]) - authorize! @topic + authorize @topic respond_to do |format| format.html { - @alltopics = ([@topic] + policy_scope(@topic.relatives)) - @allsynapses = policy_scope(@topic.synapses) + @alltopics = ([@topic] + policy_scope(Topic.relatives(@topic.id))) + @allsynapses = policy_scope(Synapse.for_topic(@topic.id)) @allcreators = @alltopics.map(&:user).uniq @allcreators += @allsynapses.map(&:user).uniq 
@@ -39,7 +39,7 @@ class TopicsController < ApplicationController # GET topics/:id/network def network @topic = Topic.find(params[:id]) - authorize! @topic + authorize @topic @alltopics = [@topic] + policy_scope(@topic.relatives) @allsynapses = policy_scope(@topic.synapses) @@ -83,7 +83,7 @@ class TopicsController < ApplicationController # GET topics/:id/relatives def relatives @topic = Topic.find(params[:id]) - authorize! @topic + authorize @topic topicsAlreadyHas = params[:network] ? params[:network].split(',').map(&:to_i) : [] @@ -117,7 +117,7 @@ class TopicsController < ApplicationController # POST /topics.json def create @topic = Topic.new(topic_params) - authorize! @topic + authorize @topic respond_to do |format| if @topic.save @@ -132,7 +132,7 @@ class TopicsController < ApplicationController # PUT /topics/1.json def update @topic = Topic.find(params[:id]) - authorize! @topic + authorize @topic respond_to do |format| if @topic.update_attributes(topic_params) @@ -146,7 +146,7 @@ class TopicsController < ApplicationController # DELETE topics/:id def destroy @topic = Topic.find(params[:id]) - authorize! @topic + authorize @topic @topic.delete respond_to do |format| diff --git a/app/models/synapse.rb b/app/models/synapse.rb index beda8976..4807d7ab 100644 --- a/app/models/synapse.rb +++ b/app/models/synapse.rb @@ -14,6 +14,10 @@ class Synapse < ActiveRecord::Base validates :category, inclusion: { in: ['from-to', 'both'], allow_nil: true } + scope :for_topic, ->(topic_id = nil) { + where("node1_id = ? OR node2_id = ?", topic_id, topic_id) + } + # :nocov: def user_name user.name diff --git a/app/models/topic.rb b/app/models/topic.rb index 0039040e..0f312823 100644 --- a/app/models/topic.rb +++ b/app/models/topic.rb 
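Review bot: `network` still uses `policy_scope(@topic.relatives)` and `policy_scope(@topic.synapses)` while `show` in this same commit was switched to `Topic.relatives(@topic.id)` and `Synapse.for_topic(@topic.id)`; if `Topic#relatives` returns an Array rather than a relation, `TopicPolicy::Scope#resolve` will call `where` on it and fail, and either way the two actions now compute the same set two different ways. Suggest `@alltopics = [@topic] + policy_scope(Topic.relatives(@topic.id))` and `@allsynapses = policy_scope(Synapse.for_topic(@topic.id))` here too. `relatives` (-83 hunk) may have the same older form; most of its body is outside the hunk.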
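Review bot: The new `for_topic` scope compares unqualified `node1_id`/`node2_id`, which becomes ambiguous as soon as the relation is joined to `topics` (this commit had to table-qualify the policy scopes for exactly that reason), and the `topic_id = nil` default only produces `node1_id = NULL`, which matches nothing. Suggest `scope :for_topic, ->(topic_id) { where('synapses.node1_id = :id OR synapses.node2_id = :id', id: topic_id) }`.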
@@ -41,6 +41,13 @@ class Topic < ActiveRecord::Base belongs_to :metacode + scope :relatives, ->(topic_id = nil) { + includes(:synapses1) + .includes(:synapses2) + .where('synapses.node1_id = ? OR synapses.node2_id = ?', topic_id, topic_id) + .references(:synapses) + } + def user_name user.name end diff --git a/app/policies/synapse_policy.rb b/app/policies/synapse_policy.rb index 12f9c8ca..85de12da 100644 --- a/app/policies/synapse_policy.rb +++ b/app/policies/synapse_policy.rb @@ -1,7 +1,7 @@ class SynapsePolicy < ApplicationPolicy class Scope < Scope def resolve - scope.where('permission IN (?) OR user_id = ?', ["public", "commons"], user.id) + scope.where('synapses.permission IN (?) OR synapses.user_id = ?', ["public", "commons"], user.id) end end diff --git a/app/policies/topic_policy.rb b/app/policies/topic_policy.rb index 97fefdcc..43d4ec98 100644 --- a/app/policies/topic_policy.rb +++ b/app/policies/topic_policy.rb @@ -1,7 +1,7 @@ class TopicPolicy < ApplicationPolicy class Scope < Scope def resolve - scope.where('permission IN (?) OR user_id = ?', ["public", "commons"], user.id) + scope.where('topics.permission IN (?) OR topics.user_id = ?', ["public", "commons"], user.id) end end From d0aecc0b31cf94217a8930ef3f6839af1f3cc836 Mon Sep 17 00:00:00 2001 From: Connor Turland Date: Sat, 12 Mar 2016 11:16:46 +1100 Subject: [PATCH 7/9] pundit: make it work --- app/controllers/mappings_controller.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/app/controllers/mappings_controller.rb b/app/controllers/mappings_controller.rb index ea2aaf0e..cba1cb3f 100644 --- a/app/controllers/mappings_controller.rb +++ b/app/controllers/mappings_controller.rb @@ -8,7 +8,7 @@ class MappingsController < ApplicationController # GET /mappings/1.json def show @mapping = Mapping.find(params[:id]) - authorize! @mapping + authorize @mapping render json: @mapping end 
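Review bot: `Topic.relatives` eager-loads both `synapses1` and `synapses2`; if both map to the `synapses` table (as the `node1_id`/`node2_id` columns suggest), ActiveRecord aliases the second join, so the `synapses.node1_id ... OR synapses.node2_id` condition only sees the first association, and depending on which foreign key each association uses, relatives in one direction may be missed while the topic whose id is passed matches its own row. The `topic_id = nil` default also degrades to `= NULL` and returns nothing. A short model spec asserting that both directions are returned and the source topic is excluded would pin this down; `show` already prepends `[@topic]`, so a self-match there yields a duplicate.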
@@ -16,8 +16,8 @@ class MappingsController < ApplicationController # POST /mappings.json def create @mapping = Mapping.new(mapping_params) - authorize! @mapping - + authorize @mapping + @mapping.user = current_user if @mapping.save render json: @mapping, status: :created else @@ -28,7 +28,7 @@ class MappingsController < ApplicationController # PUT /mappings/1.json def update @mapping = Mapping.find(params[:id]) - authorize! @mapping + authorize @mapping if @mapping.update_attributes(mapping_params) head :no_content @@ -40,7 +40,7 @@ class MappingsController < ApplicationController # DELETE /mappings/1.json def destroy @mapping = Mapping.find(params[:id]) - authorize! @mapping + authorize @mapping @mapping.destroy @@ -50,6 +50,6 @@ class MappingsController < ApplicationController private # Never trust parameters from the scary internet, only allow the white list through. def mapping_params - params.require(:mapping).permit(:id, :xloc, :yloc, :mappable_id, :mappable_type, :map_id, :user_id) + params.require(:mapping).permit(:id, :xloc, :yloc, :mappable_id, :mappable_type, :map_id) end end From 5d179ae5ec822b635804642dd3443d9768f5ea95 Mon Sep 17 00:00:00 2001 From: Connor Turland Date: Sat, 12 Mar 2016 11:24:49 +1100 Subject: [PATCH 8/9] pundit: policy didn't exist --- app/policies/mapping_policy.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/policies/mapping_policy.rb b/app/policies/mapping_policy.rb index 39dbd86a..13ef033e 100644 --- a/app/policies/mapping_policy.rb +++ b/app/policies/mapping_policy.rb @@ -18,7 +18,7 @@ class MappingPolicy < ApplicationPolicy def create? map = policy(record.map, user) - map.edit? + map.update? end def update? From bc505a13610b0a12a55c85ed0852c1448def7141 Mon Sep 17 00:00:00 2001 
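Review bot: `@mapping.user = current_user` is assigned after `authorize @mapping`, so the policy decides on a record whose `user` is still whatever `Mapping.new(mapping_params)` left it (nil, now that `:user_id` is no longer permitted). `MappingPolicy#create?` only consults `record.map` today, so nothing breaks, but moving the assignment above `authorize` keeps the policy seeing the record as it will be saved: `@mapping.user = current_user` followed by `authorize @mapping`.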
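Review bot: `update` authorizes against the mapping's current `record.map`, but `mapping_params` (-50 hunk below) still permits `:map_id`, `:mappable_id` and `:mappable_type` on update, so a caller allowed to edit one map can re-parent a mapping into a map that `MappingPolicy#update?` never evaluates. Either use a narrower permit list for update, e.g. `params.require(:mapping).permit(:xloc, :yloc)`, or assign the attributes first and call `authorize @mapping` again before `save`.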
From: Connor Turland Date: Sat, 12 Mar 2016 11:35:03 +1100 Subject: [PATCH 9/9] pundit: now updating maps actually works --- app/policies/map_policy.rb | 1 - app/policies/mapping_policy.rb | 10 ++++------ app/policies/synapse_policy.rb | 1 + 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/app/policies/map_policy.rb b/app/policies/map_policy.rb index 5e845d44..50123877 100644 --- a/app/policies/map_policy.rb +++ b/app/policies/map_policy.rb @@ -35,7 +35,6 @@ class MapPolicy < ApplicationPolicy def update? user.present? && (record.permission == 'commons' || record.user == user) - true end def screenshot? diff --git a/app/policies/mapping_policy.rb b/app/policies/mapping_policy.rb index 13ef033e..787b5794 100644 --- a/app/policies/mapping_policy.rb +++ b/app/policies/mapping_policy.rb @@ -11,19 +11,17 @@ class MappingPolicy < ApplicationPolicy end def show? - map = policy(record.map, user) - mappable = policy(record.mappable, user) + map = Pundit.policy(user, record.map) + mappable = Pundit.policy(user, record.mappable) map.show? && mappable.show? end def create? - map = policy(record.map, user) - map.update? + Pundit.policy(user, record.map).update? end def update? - map = policy(record.map, user) - map.update? + Pundit.policy(user, record.map).update? end def destroy? diff --git a/app/policies/synapse_policy.rb b/app/policies/synapse_policy.rb index 85de12da..e8d49548 100644 --- a/app/policies/synapse_policy.rb +++ b/app/policies/synapse_policy.rb @@ -7,6 +7,7 @@ class SynapsePolicy < ApplicationPolicy def create? user.present? + # todo add validation against whether you can see both topics end def show?
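Review bot: A regression spec is worth adding here: the trailing `true` this hunk deletes made `update?` return true for every caller regardless of the condition above it, and nothing now prevents that from coming back. Assert that a non-owner and an anonymous user cannot update a `private` or `public` map, and that an owner can. The surrounding `MapPolicy` class is outside the hunk.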
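Review bot: `Pundit.policy(user, record.map)` returns nil when no policy class is found, so a missing or misnamed policy surfaces as a NoMethodError on `.update?`/`.show?` (a 500) rather than as a denial; `Pundit.policy!(user, record.map)` raises `Pundit::NotDefinedError` naming the record, which is the more useful failure for an authorization helper. This applies to all three call sites in the hunk (`show?`, `create?`, `update?`).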
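Review bot: The `# todo add validation against whether you can see both topics` comment documents an open authorization gap rather than a nicety: `create?` currently lets any signed-in user create a synapse between any two topics, including private ones they cannot view. The check can follow the pattern `MappingPolicy#show?` uses in this same patch, `Pundit.policy!(user, <node1 topic>).show? && Pundit.policy!(user, <node2 topic>).show?`, with whatever association names the model has for `node1_id`/`node2_id`. I would turn the todo into that check, or at least into `# TODO(security): create? does not yet check visibility of both endpoint topics` with a tracking reference, before the series merges.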