From c4890274f22c7a495d19433c2872c656d09eae91 Mon Sep 17 00:00:00 2001 From: Connor Turland Date: Wed, 23 Mar 2016 16:29:26 -0700 Subject: [PATCH] switch messages to use pundit --- app/controllers/messages_controller.rb | 9 +++++-- app/models/message.rb | 35 ------------------------- app/policies/message_policy.rb | 36 ++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 37 deletions(-) create mode 100644 app/policies/message_policy.rb diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb index e47f9e38..386919f3 100644 --- a/app/controllers/messages_controller.rb +++ b/app/controllers/messages_controller.rb @@ -1,10 +1,12 @@ class MessagesController < ApplicationController - before_filter :require_user, except: [:show] + before_action :require_user, except: [:show] + after_action :verify_authorized # GET /messages/1.json def show @message = Message.find(params[:id]) + authorize @message respond_to do |format| format.json { render json: @message } @@ -15,8 +17,8 @@ class MessagesController < ApplicationController # POST /messages.json def create @message = Message.new(message_params) - @message.user = current_user + authorize @message respond_to do |format| if @message.save @@ -31,6 +33,7 @@ class MessagesController < ApplicationController # PUT /messages/1.json def update @message = Message.find(params[:id]) + authorize @message respond_to do |format| if @message.update_attributes(message_params) @@ -45,6 +48,8 @@ class MessagesController < ApplicationController # DELETE /messages/1.json def destroy @message = Message.find(params[:id]) + authorize @message + @message.destroy respond_to do |format| diff --git a/app/models/message.rb b/app/models/message.rb index ca9d8553..0481192f 100644 --- a/app/models/message.rb +++ b/app/models/message.rb @@ -16,39 +16,4 @@ class Message < ActiveRecord::Base json end - ##### PERMISSIONS ###### - - def authorize_to_delete(user) - if (self.user != user) - return false - end - return self - end - - # returns false if user not allowed to 'show' Topic, Synapse, or Map - def authorize_to_show(user) - if (self.resource && self.resource.permission == "private" && self.resource.user != user) - return false - end - return self - end - - # returns false if user not allowed to 'edit' Topic, Synapse, or Map - def authorize_to_edit(user) - if !user - return false - elsif (self.user != user) - return false - end - return self - end - - # returns Boolean if user allowed to view Topic, Synapse, or Map - def authorize_to_view(user) - if (self.resource && self.resource.permission == "private" && self.resource.user != user) - return false - end - return true - end - end diff --git a/app/policies/message_policy.rb b/app/policies/message_policy.rb new file mode 100644 index 00000000..af2efb0c --- /dev/null +++ b/app/policies/message_policy.rb @@ -0,0 +1,36 @@ +class MessagePolicy < ApplicationPolicy + class Scope < Scope + def resolve + visible = ['public', 'commons'] + permission = 'maps.permission IN (?)' + if user + scope.joins(:maps).where(permission + ' OR maps.user_id = ?', visible, user.id) + else + scope.where(permission, visible) + end + end + end + + def show? + resource_policy.show? + end + + def create? + record.resource.present? && resource_policy.update? + end + + def update? + record.user == user + end + + def destroy? + record.user == user || admin_override + end + + # Helpers + + def resource_policy + @resource_policy ||= Pundit.policy(user, record.resource) + end + +end