changess for pundit
This commit is contained in:
parent
eb56755068
commit
d8c328468e
9 changed files with 19 additions and 110 deletions
|
@ -1,5 +1,6 @@
|
||||||
class ApplicationController < ActionController::Base
|
class ApplicationController < ActionController::Base
|
||||||
include Pundit
|
include Pundit
|
||||||
|
include PunditExtra
|
||||||
rescue_from Pundit::NotAuthorizedError, with: :handle_unauthorized
|
rescue_from Pundit::NotAuthorizedError, with: :handle_unauthorized
|
||||||
protect_from_forgery
|
protect_from_forgery
|
||||||
|
|
||||||
|
|
|
@ -4,8 +4,8 @@ class MainController < ApplicationController
|
||||||
include UsersHelper
|
include UsersHelper
|
||||||
include SynapsesHelper
|
include SynapsesHelper
|
||||||
|
|
||||||
after_action :verify_authorized, except: :index
|
# after_action :verify_authorized, except: :index
|
||||||
after_action :verify_policy_scoped, only: :index
|
# after_action :verify_policy_scoped, only: :index
|
||||||
|
|
||||||
respond_to :html, :json
|
respond_to :html, :json
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
class MapsController < ApplicationController
|
class MapsController < ApplicationController
|
||||||
before_action :require_user, only: [:create, :update, :screenshot, :destroy]
|
before_action :require_user, only: [:create, :update, :screenshot, :destroy]
|
||||||
after_action :verify_authorized, except: :activemaps, :featuredmaps, :mymaps, :usermaps
|
after_action :verify_authorized, except: [:activemaps, :featuredmaps, :mymaps, :usermaps]
|
||||||
after_action :verify_policy_scoped, only: :activemaps, :featuredmaps, :mymaps, :usermaps
|
after_action :verify_policy_scoped, only: [:activemaps, :featuredmaps, :mymaps, :usermaps]
|
||||||
|
|
||||||
respond_to :html, :json
|
respond_to :html, :json
|
||||||
|
|
||||||
|
@ -67,11 +67,7 @@ class MapsController < ApplicationController
|
||||||
# GET maps/:id
|
# GET maps/:id
|
||||||
def show
|
def show
|
||||||
@map = Map.find(params[:id])
|
@map = Map.find(params[:id])
|
||||||
authorize! @map
|
authorize @map
|
||||||
|
|
||||||
if not @map
|
|
||||||
redirect_to root_url, notice: "Access denied. That map is private." and return
|
|
||||||
end
|
|
||||||
|
|
||||||
respond_to do |format|
|
respond_to do |format|
|
||||||
format.html {
|
format.html {
|
||||||
|
@ -85,18 +81,14 @@ class MapsController < ApplicationController
|
||||||
|
|
||||||
respond_with(@allmappers, @allmappings, @allsynapses, @alltopics, @map)
|
respond_with(@allmappers, @allmappings, @allsynapses, @alltopics, @map)
|
||||||
}
|
}
|
||||||
format.json { render json: @map }
|
format.json { render json: @map.as_json }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# GET maps/:id/contains
|
# GET maps/:id/contains
|
||||||
def contains
|
def contains
|
||||||
@map = Map.find(params[:id])
|
@map = Map.find(params[:id])
|
||||||
authorize! @map
|
authorize @map
|
||||||
|
|
||||||
if not @map
|
|
||||||
redirect_to root_url, notice: "Access denied. That map is private." and return
|
|
||||||
end
|
|
||||||
|
|
||||||
@allmappers = @map.contributors
|
@allmappers = @map.contributors
|
||||||
@alltopics = @map.topics.to_a.delete_if {|t| t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)) }
|
@alltopics = @map.topics.to_a.delete_if {|t| t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)) }
|
||||||
|
@ -139,7 +131,7 @@ class MapsController < ApplicationController
|
||||||
mapping.xloc = topic[1]
|
mapping.xloc = topic[1]
|
||||||
mapping.yloc = topic[2]
|
mapping.yloc = topic[2]
|
||||||
@map.topicmappings << mapping
|
@map.topicmappings << mapping
|
||||||
authorize! mapping, :create
|
authorize mapping, :create
|
||||||
mapping.save
|
mapping.save
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -152,7 +144,7 @@ class MapsController < ApplicationController
|
||||||
mapping.map = @map
|
mapping.map = @map
|
||||||
mapping.mappable = Synapse.find(synapse_id)
|
mapping.mappable = Synapse.find(synapse_id)
|
||||||
@map.synapsemappings << mapping
|
@map.synapsemappings << mapping
|
||||||
authorize! mapping, :create
|
authorize mapping, :create
|
||||||
mapping.save
|
mapping.save
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -160,7 +152,7 @@ class MapsController < ApplicationController
|
||||||
@map.arranged = true
|
@map.arranged = true
|
||||||
end
|
end
|
||||||
|
|
||||||
authorize! @map
|
authorize @map
|
||||||
|
|
||||||
if @map.save
|
if @map.save
|
||||||
respond_to do |format|
|
respond_to do |format|
|
||||||
|
@ -176,12 +168,10 @@ class MapsController < ApplicationController
|
||||||
# PUT maps/:id
|
# PUT maps/:id
|
||||||
def update
|
def update
|
||||||
@map = Map.find(params[:id])
|
@map = Map.find(params[:id])
|
||||||
authorize! @map
|
authorize @map
|
||||||
|
|
||||||
respond_to do |format|
|
respond_to do |format|
|
||||||
if !@map
|
if @map.update_attributes(map_params)
|
||||||
format.json { render json: "unauthorized" }
|
|
||||||
elsif @map.update_attributes(map_params)
|
|
||||||
format.json { head :no_content }
|
format.json { head :no_content }
|
||||||
else
|
else
|
||||||
format.json { render json: @map.errors, status: :unprocessable_entity }
|
format.json { render json: @map.errors, status: :unprocessable_entity }
|
||||||
|
@ -192,7 +182,7 @@ class MapsController < ApplicationController
|
||||||
# POST maps/:id/upload_screenshot
|
# POST maps/:id/upload_screenshot
|
||||||
def screenshot
|
def screenshot
|
||||||
@map = Map.find(params[:id])
|
@map = Map.find(params[:id])
|
||||||
authorize! @map
|
authorize @map
|
||||||
|
|
||||||
png = Base64.decode64(params[:encoded_image]['data:image/png;base64,'.length .. -1])
|
png = Base64.decode64(params[:encoded_image]['data:image/png;base64,'.length .. -1])
|
||||||
StringIO.open(png) do |data|
|
StringIO.open(png) do |data|
|
||||||
|
@ -212,7 +202,7 @@ class MapsController < ApplicationController
|
||||||
# DELETE maps/:id
|
# DELETE maps/:id
|
||||||
def destroy
|
def destroy
|
||||||
@map = Map.find(params[:id])
|
@map = Map.find(params[:id])
|
||||||
authorize! @map
|
authorize @map
|
||||||
|
|
||||||
@map.delete
|
@map.delete
|
||||||
|
|
||||||
|
@ -227,6 +217,6 @@ class MapsController < ApplicationController
|
||||||
|
|
||||||
# Never trust parameters from the scary internet, only allow the white list through.
|
# Never trust parameters from the scary internet, only allow the white list through.
|
||||||
def map_params
|
def map_params
|
||||||
params.require(:map).permit(:id, :name, :arranged, :desc, :permission, :user_id)
|
params.require(:map).permit(:id, :name, :arranged, :desc, :permission)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -78,36 +78,7 @@ class Map < ActiveRecord::Base
|
||||||
json[:updated_at_clean] = updated_at_str
|
json[:updated_at_clean] = updated_at_str
|
||||||
json
|
json
|
||||||
end
|
end
|
||||||
|
|
||||||
##### PERMISSIONS ######
|
|
||||||
|
|
||||||
def authorize_to_delete(user)
|
|
||||||
if (self.user != user)
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
return self
|
|
||||||
end
|
|
||||||
|
|
||||||
# returns false if user not allowed to 'show' Topic, Synapse, or Map
|
|
||||||
def authorize_to_show(user)
|
|
||||||
if (self.permission == "private" && self.user != user)
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
return self
|
|
||||||
end
|
|
||||||
|
|
||||||
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
|
|
||||||
def authorize_to_edit(user)
|
|
||||||
if !user
|
|
||||||
return false
|
|
||||||
elsif (self.permission == "private" && self.user != user)
|
|
||||||
return false
|
|
||||||
elsif (self.permission == "public" && self.user != user)
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
return self
|
|
||||||
end
|
|
||||||
|
|
||||||
def decode_base64(imgBase64)
|
def decode_base64(imgBase64)
|
||||||
decoded_data = Base64.decode64(imgBase64)
|
decoded_data = Base64.decode64(imgBase64)
|
||||||
|
|
||||||
|
|
|
@ -32,30 +32,4 @@ class Synapse < ActiveRecord::Base
|
||||||
end
|
end
|
||||||
# :nocov:
|
# :nocov:
|
||||||
|
|
||||||
##### PERMISSIONS ######
|
|
||||||
|
|
||||||
# returns false if user not allowed to 'show' Topic, Synapse, or Map
|
|
||||||
def authorize_to_show(user)
|
|
||||||
if (self.permission == "private" && self.user != user)
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
return self
|
|
||||||
end
|
|
||||||
|
|
||||||
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
|
|
||||||
def authorize_to_edit(user)
|
|
||||||
if (self.permission == "private" && self.user != user)
|
|
||||||
return false
|
|
||||||
elsif (self.permission == "public" && self.user != user)
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
return self
|
|
||||||
end
|
|
||||||
|
|
||||||
def authorize_to_delete(user)
|
|
||||||
if (self.user == user || user.admin)
|
|
||||||
return self
|
|
||||||
end
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -87,31 +87,4 @@ class Topic < ActiveRecord::Base
|
||||||
end
|
end
|
||||||
result
|
result
|
||||||
end
|
end
|
||||||
|
|
||||||
##### PERMISSIONS ######
|
|
||||||
|
|
||||||
# returns false if user not allowed to 'show' Topic, Synapse, or Map
|
|
||||||
def authorize_to_show(user)
|
|
||||||
if (self.permission == "private" && self.user != user)
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
return self
|
|
||||||
end
|
|
||||||
|
|
||||||
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
|
|
||||||
def authorize_to_edit(user)
|
|
||||||
if (self.permission == "private" && self.user != user)
|
|
||||||
return false
|
|
||||||
elsif (self.permission == "public" && self.user != user)
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
return self
|
|
||||||
end
|
|
||||||
|
|
||||||
def authorize_to_delete(user)
|
|
||||||
if (self.user == user || user.admin)
|
|
||||||
return self
|
|
||||||
end
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -39,7 +39,7 @@ class ApplicationPolicy
|
||||||
# explicitly say they want to (E.g. seeing/editing/deleting private
|
# explicitly say they want to (E.g. seeing/editing/deleting private
|
||||||
# maps - they should be able to, but not by accident)
|
# maps - they should be able to, but not by accident)
|
||||||
def admin_override
|
def admin_override
|
||||||
user.admin
|
user && user.admin
|
||||||
end
|
end
|
||||||
|
|
||||||
def scope
|
def scope
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
class MapPolicy < ApplicationPolicy
|
class MapPolicy < ApplicationPolicy
|
||||||
class Scope < Scope
|
class Scope < Scope
|
||||||
def resolve
|
def resolve
|
||||||
scope.where('permission IN ("public", "commons") OR user_id = ?', user.id)
|
scope.where('maps.permission IN (?) OR maps.user_id = ?', ["public", "commons"], user.id)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,7 @@ class MappingPolicy < ApplicationPolicy
|
||||||
# it would be nice if we could also base this on the mappable, but that
|
# it would be nice if we could also base this on the mappable, but that
|
||||||
# gets really complicated. Devin thinks it's OK to SHOW a mapping for
|
# gets really complicated. Devin thinks it's OK to SHOW a mapping for
|
||||||
# a private topic, since you can't see the private topic anyways
|
# a private topic, since you can't see the private topic anyways
|
||||||
scope.joins(:maps).where('maps.permission IN ("public", "commons") OR user_id = ?', user.id)
|
scope.joins(:maps).where('maps.permission IN ("public", "commons") OR maps.user_id = ?', user.id)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue