multiple policy issues (#771)

* multiple policy errors

* make some things more explicit
This commit is contained in:
Connor Turland 2016-10-17 01:20:48 -04:00 committed by GitHub
parent 332bb2ec08
commit c0955d7c5e
5 changed files with 21 additions and 13 deletions

View file

@ -65,6 +65,11 @@ class User < ApplicationRecord
json
end
def all_accessible_maps
#TODO: is there a way to keep this an ActiveRecord relation?
maps + shared_maps
end
def recentMetacodes
array = []
self.topics.sort{|a,b| b.created_at <=> a.created_at }.each do |t|

View file

@ -8,11 +8,13 @@ class MappingPolicy < ApplicationPolicy
# a private topic, since you can't see the private topic anyways
visible = %w(public commons)
permission = 'maps.permission IN (?)'
if user
scope.joins(:map).where(permission, visible).or(scope.joins(:map).where(user_id: user.id))
else
return scope.joins(:map).where(permission, visible) unless user
# if this is getting changed, the policy_scope for messages should also be changed
# as it is based entirely on the map to which it belongs
scope.joins(:map).where(permission, visible)
end
.or(scope.joins(:map).where('maps.id IN (?)', user.shared_maps.map(&:id)))
.or(scope.joins(:map).where('maps.user_id = ?', user.id))
end
end

View file

@ -4,11 +4,13 @@ class MessagePolicy < ApplicationPolicy
def resolve
visible = %w(public commons)
permission = 'maps.permission IN (?)'
if user
scope.joins(:maps).where(permission + ' OR maps.user_id = ?', visible, user.id)
else
scope.where(permission, visible)
end
return scope.joins(:map).where(permission, visible) unless user
# if this is getting changed, the policy_scope for mappings should also be changed
# as it is based entirely on the map to which it belongs
scope.joins(:map).where(permission, visible)
.or(scope.joins(:map).where('maps.id IN (?)', user.shared_maps.map(&:id)))
.or(scope.joins(:map).where('maps.user_id = ?', user.id))
end
end

View file

@ -3,11 +3,10 @@ class SynapsePolicy < ApplicationPolicy
class Scope < Scope
def resolve
visible = %w(public commons)
return scope.where(permission: visible) unless user
scope.where(permission: visible)
.or(scope.where(defer_to_map_id: user.shared_maps.map(&:id)))
.or(scope.where.not(defer_to_map_id: nil).where(defer_to_map_id: user.all_accessible_maps.map(&:id)))
.or(scope.where(user_id: user.id))
end
end

View file

@ -6,7 +6,7 @@ class TopicPolicy < ApplicationPolicy
return scope.where(permission: visible) unless user
scope.where(permission: visible)
.or(scope.where(defer_to_map_id: user.shared_maps.map(&:id)))
.or(scope.where.not(defer_to_map_id: nil).where(defer_to_map_id: user.all_accessible_maps.map(&:id)))
.or(scope.where(user_id: user.id))
end
end