switch messages to use pundit

2016-03-23 16:29:26 -07:00 · 2016-03-23 16:29:26 -07:00 · c4890274f2
commit c4890274f2
parent baa5439f0f
3 changed files with 43 additions and 37 deletions
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@ -1,10 +1,12 @@
 class MessagesController < ApplicationController

-  before_filter :require_user, except: [:show]
+  before_action :require_user, except: [:show]
+  after_action :verify_authorized

  # GET /messages/1.json
  def show
    @message = Message.find(params[:id])
+    authorize @message

    respond_to do |format|
      format.json { render json: @message }
@ -15,8 +17,8 @@ class MessagesController < ApplicationController
  # POST /messages.json
  def create
    @message = Message.new(message_params)
-
    @message.user = current_user
+    authorize @message

    respond_to do |format|
      if @message.save
@ -31,6 +33,7 @@ class MessagesController < ApplicationController
  # PUT /messages/1.json
  def update
    @message = Message.find(params[:id])
+    authorize @message

    respond_to do |format|
      if @message.update_attributes(message_params)
@ -45,6 +48,8 @@ class MessagesController < ApplicationController
  # DELETE /messages/1.json
  def destroy
    @message = Message.find(params[:id])
+    authorize @message
+
    @message.destroy

    respond_to do |format|
--- a/app/models/message.rb
+++ b/app/models/message.rb
@ -16,39 +16,4 @@ class Message < ActiveRecord::Base
    json
  end

-  ##### PERMISSIONS ######
-  
-  def authorize_to_delete(user)
-    if (self.user != user)
-      return false
-    end
-    return self
-  end
-
-  # returns false if user not allowed to 'show' Topic, Synapse, or Map
-  def authorize_to_show(user)
-    if (self.resource && self.resource.permission == "private" && self.resource.user != user)
-  		return false
-  	end
-  	return self
-  end
-  
-  # returns false if user not allowed to 'edit' Topic, Synapse, or Map
-  def authorize_to_edit(user)  
-  	if !user
-      return false
-    elsif (self.user != user)
-  		return false
-  	end
-  	return self
-  end
-  
-  # returns Boolean if user allowed to view Topic, Synapse, or Map
-  def authorize_to_view(user)  
-  	if (self.resource && self.resource.permission == "private" && self.resource.user != user)
-  		return false
-  	end
-  	return true
-  end
-
 end
--- a/app/policies/message_policy.rb
+++ b/app/policies/message_policy.rb
@ -0,0 +1,36 @@
+class MessagePolicy < ApplicationPolicy
+  class Scope < Scope
+    def resolve
+      visible = ['public', 'commons']
+      permission = 'maps.permission IN (?)'
+      if user
+        scope.joins(:maps).where(permission + ' OR maps.user_id = ?', visible, user.id)
+      else
+        scope.where(permission, visible)
+      end 
+    end
+  end
+
+  def show?
+    resource_policy.show?
+  end
+
+  def create?
+    record.resource.present? && resource_policy.update?
+  end
+
+  def update?
+    record.user == user
+  end
+
+  def destroy?
+    record.user == user || admin_override
+  end
+
+  # Helpers
+
+  def resource_policy
+    @resource_policy ||= Pundit.policy(user, record.resource)
+  end
+
+end