glenux-contrib/metamaps--metamaps
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

changess for pundit

Browse source
This commit is contained in:
Connor Turland 2016-03-12 09:37:32 +11:00
parent eb56755068
commit d8c328468e
9 changed files with 19 additions and 110 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
app/controllers/application_controller.rb
View file

@ -1,5 +1,6 @@
class ApplicationController < ActionController::Base
include Pundit
include PunditExtra
rescue_from Pundit::NotAuthorizedError, with: :handle_unauthorized
protect_from_forgery

4
app/controllers/main_controller.rb
View file

@ -4,8 +4,8 @@ class MainController < ApplicationController
include UsersHelper
include SynapsesHelper
after_action :verify_authorized, except: :index
after_action :verify_policy_scoped, only: :index
# after_action :verify_authorized, except: :index
# after_action :verify_policy_scoped, only: :index
respond_to :html, :json

36
app/controllers/maps_controller.rb
View file

@ -1,7 +1,7 @@
class MapsController < ApplicationController
before_action :require_user, only: [:create, :update, :screenshot, :destroy]
after_action :verify_authorized, except: :activemaps, :featuredmaps, :mymaps, :usermaps
after_action :verify_policy_scoped, only: :activemaps, :featuredmaps, :mymaps, :usermaps
after_action :verify_authorized, except: [:activemaps, :featuredmaps, :mymaps, :usermaps]
after_action :verify_policy_scoped, only: [:activemaps, :featuredmaps, :mymaps, :usermaps]
respond_to :html, :json
@ -67,11 +67,7 @@ class MapsController < ApplicationController
# GET maps/:id
def show
@map = Map.find(params[:id])
authorize! @map
if not @map
redirect_to root_url, notice: "Access denied. That map is private." and return
end
authorize @map
respond_to do |format|
format.html {
@ -85,18 +81,14 @@ class MapsController < ApplicationController
respond_with(@allmappers, @allmappings, @allsynapses, @alltopics, @map)
}
format.json { render json: @map }
format.json { render json: @map.as_json }
end
end
# GET maps/:id/contains
def contains
@map = Map.find(params[:id])
authorize! @map
if not @map
redirect_to root_url, notice: "Access denied. That map is private." and return
end
authorize @map
@allmappers = @map.contributors
@alltopics = @map.topics.to_a.delete_if {|t| t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)) }
@ -139,7 +131,7 @@ class MapsController < ApplicationController
mapping.xloc = topic[1]
mapping.yloc = topic[2]
@map.topicmappings << mapping
authorize! mapping, :create
authorize mapping, :create
mapping.save
end
@ -152,7 +144,7 @@ class MapsController < ApplicationController
mapping.map = @map
mapping.mappable = Synapse.find(synapse_id)
@map.synapsemappings << mapping
authorize! mapping, :create
authorize mapping, :create
mapping.save
end
end
@ -160,7 +152,7 @@ class MapsController < ApplicationController
@map.arranged = true
end
authorize! @map
authorize @map
if @map.save
respond_to do |format|
@ -176,12 +168,10 @@ class MapsController < ApplicationController
# PUT maps/:id
def update
@map = Map.find(params[:id])
authorize! @map
authorize @map
respond_to do |format|
if !@map
format.json { render json: "unauthorized" }
elsif @map.update_attributes(map_params)
if @map.update_attributes(map_params)
format.json { head :no_content }
else
format.json { render json: @map.errors, status: :unprocessable_entity }
@ -192,7 +182,7 @@ class MapsController < ApplicationController
# POST maps/:id/upload_screenshot
def screenshot
@map = Map.find(params[:id])
authorize! @map
authorize @map
png = Base64.decode64(params[:encoded_image]['data:image/png;base64,'.length .. -1])
StringIO.open(png) do |data|
@ -212,7 +202,7 @@ class MapsController < ApplicationController
# DELETE maps/:id
def destroy
@map = Map.find(params[:id])
authorize! @map
authorize @map
@map.delete
@ -227,6 +217,6 @@ class MapsController < ApplicationController
# Never trust parameters from the scary internet, only allow the white list through.
def map_params
params.require(:map).permit(:id, :name, :arranged, :desc, :permission, :user_id)
params.require(:map).permit(:id, :name, :arranged, :desc, :permission)
end
end

29
app/models/map.rb
View file

@ -78,36 +78,7 @@ class Map < ActiveRecord::Base
json[:updated_at_clean] = updated_at_str
json
end
##### PERMISSIONS ######
def authorize_to_delete(user)
if (self.user != user)
return false
end
return self
end
# returns false if user not allowed to 'show' Topic, Synapse, or Map
def authorize_to_show(user)
if (self.permission == "private" && self.user != user)
return false
end
return self
end
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
def authorize_to_edit(user)
if !user
return false
elsif (self.permission == "private" && self.user != user)
return false
elsif (self.permission == "public" && self.user != user)
return false
end
return self
end
def decode_base64(imgBase64)
decoded_data = Base64.decode64(imgBase64)

26
app/models/synapse.rb
View file

@ -32,30 +32,4 @@ class Synapse < ActiveRecord::Base
end
# :nocov:
##### PERMISSIONS ######
# returns false if user not allowed to 'show' Topic, Synapse, or Map
def authorize_to_show(user)
if (self.permission == "private" && self.user != user)
return false
end
return self
end
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
def authorize_to_edit(user)
if (self.permission == "private" && self.user != user)
return false
elsif (self.permission == "public" && self.user != user)
return false
end
return self
end
def authorize_to_delete(user)
if (self.user == user || user.admin)
return self
end
return false
end
end

27
app/models/topic.rb
View file

@ -87,31 +87,4 @@ class Topic < ActiveRecord::Base
end
result
end
##### PERMISSIONS ######
# returns false if user not allowed to 'show' Topic, Synapse, or Map
def authorize_to_show(user)
if (self.permission == "private" && self.user != user)
return false
end
return self
end
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
def authorize_to_edit(user)
if (self.permission == "private" && self.user != user)
return false
elsif (self.permission == "public" && self.user != user)
return false
end
return self
end
def authorize_to_delete(user)
if (self.user == user || user.admin)
return self
end
return false
end
end

2
app/policies/application_policy.rb
View file

@ -39,7 +39,7 @@ class ApplicationPolicy
# explicitly say they want to (E.g. seeing/editing/deleting private
# maps - they should be able to, but not by accident)
def admin_override
user.admin
user && user.admin
end
def scope

2
app/policies/map_policy.rb
View file

@ -1,7 +1,7 @@
class MapPolicy < ApplicationPolicy
class Scope < Scope
def resolve
scope.where('permission IN ("public", "commons") OR user_id = ?', user.id)
scope.where('maps.permission IN (?) OR maps.user_id = ?', ["public", "commons"], user.id)
end
end

2
app/policies/mapping_policy.rb
View file

@ -5,7 +5,7 @@ class MappingPolicy < ApplicationPolicy
# it would be nice if we could also base this on the mappable, but that
# gets really complicated. Devin thinks it's OK to SHOW a mapping for
# a private topic, since you can't see the private topic anyways
scope.joins(:maps).where('maps.permission IN ("public", "commons") OR user_id = ?', user.id)
scope.joins(:maps).where('maps.permission IN ("public", "commons") OR maps.user_id = ?', user.id)
end
end