changess for pundit
This commit is contained in:
parent
eb56755068
commit
d8c328468e
9 changed files with 19 additions and 110 deletions
|
@ -1,5 +1,6 @@
|
|||
class ApplicationController < ActionController::Base
|
||||
include Pundit
|
||||
include PunditExtra
|
||||
rescue_from Pundit::NotAuthorizedError, with: :handle_unauthorized
|
||||
protect_from_forgery
|
||||
|
||||
|
|
|
@ -4,8 +4,8 @@ class MainController < ApplicationController
|
|||
include UsersHelper
|
||||
include SynapsesHelper
|
||||
|
||||
after_action :verify_authorized, except: :index
|
||||
after_action :verify_policy_scoped, only: :index
|
||||
# after_action :verify_authorized, except: :index
|
||||
# after_action :verify_policy_scoped, only: :index
|
||||
|
||||
respond_to :html, :json
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
class MapsController < ApplicationController
|
||||
before_action :require_user, only: [:create, :update, :screenshot, :destroy]
|
||||
after_action :verify_authorized, except: :activemaps, :featuredmaps, :mymaps, :usermaps
|
||||
after_action :verify_policy_scoped, only: :activemaps, :featuredmaps, :mymaps, :usermaps
|
||||
after_action :verify_authorized, except: [:activemaps, :featuredmaps, :mymaps, :usermaps]
|
||||
after_action :verify_policy_scoped, only: [:activemaps, :featuredmaps, :mymaps, :usermaps]
|
||||
|
||||
respond_to :html, :json
|
||||
|
||||
|
@ -67,11 +67,7 @@ class MapsController < ApplicationController
|
|||
# GET maps/:id
|
||||
def show
|
||||
@map = Map.find(params[:id])
|
||||
authorize! @map
|
||||
|
||||
if not @map
|
||||
redirect_to root_url, notice: "Access denied. That map is private." and return
|
||||
end
|
||||
authorize @map
|
||||
|
||||
respond_to do |format|
|
||||
format.html {
|
||||
|
@ -85,18 +81,14 @@ class MapsController < ApplicationController
|
|||
|
||||
respond_with(@allmappers, @allmappings, @allsynapses, @alltopics, @map)
|
||||
}
|
||||
format.json { render json: @map }
|
||||
format.json { render json: @map.as_json }
|
||||
end
|
||||
end
|
||||
|
||||
# GET maps/:id/contains
|
||||
def contains
|
||||
@map = Map.find(params[:id])
|
||||
authorize! @map
|
||||
|
||||
if not @map
|
||||
redirect_to root_url, notice: "Access denied. That map is private." and return
|
||||
end
|
||||
authorize @map
|
||||
|
||||
@allmappers = @map.contributors
|
||||
@alltopics = @map.topics.to_a.delete_if {|t| t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)) }
|
||||
|
@ -139,7 +131,7 @@ class MapsController < ApplicationController
|
|||
mapping.xloc = topic[1]
|
||||
mapping.yloc = topic[2]
|
||||
@map.topicmappings << mapping
|
||||
authorize! mapping, :create
|
||||
authorize mapping, :create
|
||||
mapping.save
|
||||
end
|
||||
|
||||
|
@ -152,7 +144,7 @@ class MapsController < ApplicationController
|
|||
mapping.map = @map
|
||||
mapping.mappable = Synapse.find(synapse_id)
|
||||
@map.synapsemappings << mapping
|
||||
authorize! mapping, :create
|
||||
authorize mapping, :create
|
||||
mapping.save
|
||||
end
|
||||
end
|
||||
|
@ -160,7 +152,7 @@ class MapsController < ApplicationController
|
|||
@map.arranged = true
|
||||
end
|
||||
|
||||
authorize! @map
|
||||
authorize @map
|
||||
|
||||
if @map.save
|
||||
respond_to do |format|
|
||||
|
@ -176,12 +168,10 @@ class MapsController < ApplicationController
|
|||
# PUT maps/:id
|
||||
def update
|
||||
@map = Map.find(params[:id])
|
||||
authorize! @map
|
||||
authorize @map
|
||||
|
||||
respond_to do |format|
|
||||
if !@map
|
||||
format.json { render json: "unauthorized" }
|
||||
elsif @map.update_attributes(map_params)
|
||||
if @map.update_attributes(map_params)
|
||||
format.json { head :no_content }
|
||||
else
|
||||
format.json { render json: @map.errors, status: :unprocessable_entity }
|
||||
|
@ -192,7 +182,7 @@ class MapsController < ApplicationController
|
|||
# POST maps/:id/upload_screenshot
|
||||
def screenshot
|
||||
@map = Map.find(params[:id])
|
||||
authorize! @map
|
||||
authorize @map
|
||||
|
||||
png = Base64.decode64(params[:encoded_image]['data:image/png;base64,'.length .. -1])
|
||||
StringIO.open(png) do |data|
|
||||
|
@ -212,7 +202,7 @@ class MapsController < ApplicationController
|
|||
# DELETE maps/:id
|
||||
def destroy
|
||||
@map = Map.find(params[:id])
|
||||
authorize! @map
|
||||
authorize @map
|
||||
|
||||
@map.delete
|
||||
|
||||
|
@ -227,6 +217,6 @@ class MapsController < ApplicationController
|
|||
|
||||
# Never trust parameters from the scary internet, only allow the white list through.
|
||||
def map_params
|
||||
params.require(:map).permit(:id, :name, :arranged, :desc, :permission, :user_id)
|
||||
params.require(:map).permit(:id, :name, :arranged, :desc, :permission)
|
||||
end
|
||||
end
|
||||
|
|
|
@ -79,35 +79,6 @@ class Map < ActiveRecord::Base
|
|||
json
|
||||
end
|
||||
|
||||
##### PERMISSIONS ######
|
||||
|
||||
def authorize_to_delete(user)
|
||||
if (self.user != user)
|
||||
return false
|
||||
end
|
||||
return self
|
||||
end
|
||||
|
||||
# returns false if user not allowed to 'show' Topic, Synapse, or Map
|
||||
def authorize_to_show(user)
|
||||
if (self.permission == "private" && self.user != user)
|
||||
return false
|
||||
end
|
||||
return self
|
||||
end
|
||||
|
||||
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
|
||||
def authorize_to_edit(user)
|
||||
if !user
|
||||
return false
|
||||
elsif (self.permission == "private" && self.user != user)
|
||||
return false
|
||||
elsif (self.permission == "public" && self.user != user)
|
||||
return false
|
||||
end
|
||||
return self
|
||||
end
|
||||
|
||||
def decode_base64(imgBase64)
|
||||
decoded_data = Base64.decode64(imgBase64)
|
||||
|
||||
|
|
|
@ -32,30 +32,4 @@ class Synapse < ActiveRecord::Base
|
|||
end
|
||||
# :nocov:
|
||||
|
||||
##### PERMISSIONS ######
|
||||
|
||||
# returns false if user not allowed to 'show' Topic, Synapse, or Map
|
||||
def authorize_to_show(user)
|
||||
if (self.permission == "private" && self.user != user)
|
||||
return false
|
||||
end
|
||||
return self
|
||||
end
|
||||
|
||||
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
|
||||
def authorize_to_edit(user)
|
||||
if (self.permission == "private" && self.user != user)
|
||||
return false
|
||||
elsif (self.permission == "public" && self.user != user)
|
||||
return false
|
||||
end
|
||||
return self
|
||||
end
|
||||
|
||||
def authorize_to_delete(user)
|
||||
if (self.user == user || user.admin)
|
||||
return self
|
||||
end
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
|
|
@ -87,31 +87,4 @@ class Topic < ActiveRecord::Base
|
|||
end
|
||||
result
|
||||
end
|
||||
|
||||
##### PERMISSIONS ######
|
||||
|
||||
# returns false if user not allowed to 'show' Topic, Synapse, or Map
|
||||
def authorize_to_show(user)
|
||||
if (self.permission == "private" && self.user != user)
|
||||
return false
|
||||
end
|
||||
return self
|
||||
end
|
||||
|
||||
# returns false if user not allowed to 'edit' Topic, Synapse, or Map
|
||||
def authorize_to_edit(user)
|
||||
if (self.permission == "private" && self.user != user)
|
||||
return false
|
||||
elsif (self.permission == "public" && self.user != user)
|
||||
return false
|
||||
end
|
||||
return self
|
||||
end
|
||||
|
||||
def authorize_to_delete(user)
|
||||
if (self.user == user || user.admin)
|
||||
return self
|
||||
end
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
|
|
@ -39,7 +39,7 @@ class ApplicationPolicy
|
|||
# explicitly say they want to (E.g. seeing/editing/deleting private
|
||||
# maps - they should be able to, but not by accident)
|
||||
def admin_override
|
||||
user.admin
|
||||
user && user.admin
|
||||
end
|
||||
|
||||
def scope
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
class MapPolicy < ApplicationPolicy
|
||||
class Scope < Scope
|
||||
def resolve
|
||||
scope.where('permission IN ("public", "commons") OR user_id = ?', user.id)
|
||||
scope.where('maps.permission IN (?) OR maps.user_id = ?', ["public", "commons"], user.id)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -5,7 +5,7 @@ class MappingPolicy < ApplicationPolicy
|
|||
# it would be nice if we could also base this on the mappable, but that
|
||||
# gets really complicated. Devin thinks it's OK to SHOW a mapping for
|
||||
# a private topic, since you can't see the private topic anyways
|
||||
scope.joins(:maps).where('maps.permission IN ("public", "commons") OR user_id = ?', user.id)
|
||||
scope.joins(:maps).where('maps.permission IN ("public", "commons") OR maps.user_id = ?', user.id)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in a new issue