implement five policies into their controllers

Devin Howard 2016-03-11 22:10:31 +08:00
parent 7395811ba5
commit eb56755068
5 changed files with 142 additions and 174 deletions


@ -4,6 +4,9 @@ class MainController < ApplicationController
include UsersHelper include UsersHelper
include SynapsesHelper include SynapsesHelper
after_action :verify_authorized, except: :index
after_action :verify_policy_scoped, only: :index
respond_to :html, :json respond_to :html, :json
# home page # home page
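Review bot: The two filters added at the top of MainController are keyed on `index`, but this section adds no `authorize` or `policy_scope` call, and the only action visible in the hunk is the home page. If these are Pundit's hooks, `verify_authorized` raises after any action that never authorized, so every other action in this controller would fail unless it authorizes or is exempted outside the hunk. Either name the real list actions in `except:`/`only:`, or call `skip_authorization` in actions that touch no record. A comment above the filters such as `# safety net only: runs after the action, so it cannot undo writes` would also keep readers from treating them as enforcement. The class body continues outside the hunk.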


@ -1,12 +1,14 @@
class MappingsController < ApplicationController class MappingsController < ApplicationController
before_action :require_user, only: [:create, :update, :destroy] before_action :require_user, only: [:create, :update, :destroy]
after_action :verify_authorized, except: :index
after_action :verify_policy_scoped, only: :index
respond_to :json respond_to :json
# GET /mappings/1.json # GET /mappings/1.json
def show def show
@mapping = Mapping.find(params[:id]) @mapping = Mapping.find(params[:id])
authorize! @mapping
render json: @mapping render json: @mapping
end end
@ -14,6 +16,7 @@ class MappingsController < ApplicationController
# POST /mappings.json # POST /mappings.json
def create def create
@mapping = Mapping.new(mapping_params) @mapping = Mapping.new(mapping_params)
authorize! @mapping
if @mapping.save if @mapping.save
render json: @mapping, status: :created render json: @mapping, status: :created
@ -25,6 +28,7 @@ class MappingsController < ApplicationController
# PUT /mappings/1.json # PUT /mappings/1.json
def update def update
@mapping = Mapping.find(params[:id]) @mapping = Mapping.find(params[:id])
authorize! @mapping
if @mapping.update_attributes(mapping_params) if @mapping.update_attributes(mapping_params)
head :no_content head :no_content
@ -36,7 +40,7 @@ class MappingsController < ApplicationController
# DELETE /mappings/1.json # DELETE /mappings/1.json
def destroy def destroy
@mapping = Mapping.find(params[:id]) @mapping = Mapping.find(params[:id])
@map = @mapping.map authorize! @mapping
@mapping.destroy @mapping.destroy
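Review bot: The actions in this section call `authorize! @mapping`, while `relative_numbers` in TopicsController calls `authorize @topic`. With `verify_authorized` and `policy_scope` in use this looks like Pundit, whose controller helper is `authorize` without the bang. Unless ApplicationController defines `authorize!` outside this commit, each of these calls would raise NoMethodError as soon as the action reaches it, and `authorize! mapping, :create` in MapsController would also need the query spelled `:create?`. Pick one spelling across the five controllers; if `authorize!` is a local wrapper, a one-line comment at its definition saying what it raises on denial would help. The same applies to the calls in MapsController, SynapsesController and TopicsController.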


@ -1,5 +1,7 @@
class MapsController < ApplicationController class MapsController < ApplicationController
before_action :require_user, only: [:create, :update, :screenshot, :destroy] before_action :require_user, only: [:create, :update, :screenshot, :destroy]
after_action :verify_authorized, except: :activemaps, :featuredmaps, :mymaps, :usermaps
after_action :verify_policy_scoped, only: :activemaps, :featuredmaps, :mymaps, :usermaps
respond_to :html, :json respond_to :html, :json
@ -8,7 +10,8 @@ class MapsController < ApplicationController
# GET /explore/active # GET /explore/active
def activemaps def activemaps
page = params[:page].present? ? params[:page] : 1 page = params[:page].present? ? params[:page] : 1
@maps = Map.where("maps.permission != ?", "private").order("updated_at DESC").page(page).per(20) @maps = policy_scope(Map).order("updated_at DESC")
.page(page).per(20)
# root url => main/home. main/home renders maps/activemaps view. # root url => main/home. main/home renders maps/activemaps view.
redirect_to root_url and return if authenticated? redirect_to root_url and return if authenticated?
@ -22,8 +25,10 @@ class MapsController < ApplicationController
# GET /explore/featured # GET /explore/featured
def featuredmaps def featuredmaps
page = params[:page].present? ? params[:page] : 1 page = params[:page].present? ? params[:page] : 1
@maps = Map.where("maps.featured = ? AND maps.permission != ?", true, "private") @maps = policy_scope(
.order("updated_at DESC").page(page).per(20) Map.where("maps.featured = ? AND maps.permission != ?",
true, "private")
).order("updated_at DESC").page(page).per(20)
respond_to do |format| respond_to do |format|
format.html { respond_with(@maps, @user) } format.html { respond_with(@maps, @user) }
@ -36,8 +41,9 @@ class MapsController < ApplicationController
return redirect_to activemaps_url if !authenticated? return redirect_to activemaps_url if !authenticated?
page = params[:page].present? ? params[:page] : 1 page = params[:page].present? ? params[:page] : 1
# don't need to exclude private maps because they all belong to you @maps = policy_scope(
@maps = Map.where("maps.user_id = ?", current_user.id).order("updated_at DESC").page(page).per(20) Map.where("maps.user_id = ?", current_user.id)
).order("updated_at DESC").page(page).per(20)
respond_to do |format| respond_to do |format|
format.html { respond_with(@maps, @user) } format.html { respond_with(@maps, @user) }
@ -49,7 +55,8 @@ class MapsController < ApplicationController
def usermaps def usermaps
page = params[:page].present? ? params[:page] : 1 page = params[:page].present? ? params[:page] : 1
@user = User.find(params[:id]) @user = User.find(params[:id])
@maps = Map.where("maps.user_id = ? AND maps.permission != ?", @user.id, "private").order("updated_at DESC").page(page).per(20) @maps = policy_scope(Map.where(user: @user))
.order("updated_at DESC").page(page).per(20)
respond_to do |format| respond_to do |format|
format.html { respond_with(@maps, @user) } format.html { respond_with(@maps, @user) }
@ -59,7 +66,8 @@ class MapsController < ApplicationController
# GET maps/:id # GET maps/:id
def show def show
@map = Map.find(params[:id]).authorize_to_show(current_user) @map = Map.find(params[:id])
authorize! @map
if not @map if not @map
redirect_to root_url, notice: "Access denied. That map is private." and return redirect_to root_url, notice: "Access denied. That map is private." and return
@ -83,7 +91,8 @@ class MapsController < ApplicationController
# GET maps/:id/contains # GET maps/:id/contains
def contains def contains
@map = Map.find(params[:id]).authorize_to_show(current_user) @map = Map.find(params[:id])
authorize! @map
if not @map if not @map
redirect_to root_url, notice: "Access denied. That map is private." and return redirect_to root_url, notice: "Access denied. That map is private." and return
@ -130,6 +139,7 @@ class MapsController < ApplicationController
mapping.xloc = topic[1] mapping.xloc = topic[1]
mapping.yloc = topic[2] mapping.yloc = topic[2]
@map.topicmappings << mapping @map.topicmappings << mapping
authorize! mapping, :create
mapping.save mapping.save
end end
@ -142,6 +152,7 @@ class MapsController < ApplicationController
mapping.map = @map mapping.map = @map
mapping.mappable = Synapse.find(synapse_id) mapping.mappable = Synapse.find(synapse_id)
@map.synapsemappings << mapping @map.synapsemappings << mapping
authorize! mapping, :create
mapping.save mapping.save
end end
end end
@ -149,6 +160,8 @@ class MapsController < ApplicationController
@map.arranged = true @map.arranged = true
end end
authorize! @map
if @map.save if @map.save
respond_to do |format| respond_to do |format|
format.json { render :json => @map } format.json { render :json => @map }
@ -162,7 +175,8 @@ class MapsController < ApplicationController
# PUT maps/:id # PUT maps/:id
def update def update
@map = Map.find(params[:id]).authorize_to_edit(current_user) @map = Map.find(params[:id])
authorize! @map
respond_to do |format| respond_to do |format|
if !@map if !@map
@ -177,9 +191,9 @@ class MapsController < ApplicationController
# POST maps/:id/upload_screenshot # POST maps/:id/upload_screenshot
def screenshot def screenshot
@map = Map.find(params[:id]).authorize_to_edit(current_user) @map = Map.find(params[:id])
authorize! @map
if @map
png = Base64.decode64(params[:encoded_image]['data:image/png;base64,'.length .. -1]) png = Base64.decode64(params[:encoded_image]['data:image/png;base64,'.length .. -1])
StringIO.open(png) do |data| StringIO.open(png) do |data|
data.class.class_eval { attr_accessor :original_filename, :content_type } data.class.class_eval { attr_accessor :original_filename, :content_type }
@ -193,25 +207,19 @@ class MapsController < ApplicationController
else else
render :json => {:message => "Failed to upload image."} render :json => {:message => "Failed to upload image."}
end end
else
render :json => {:message => "Unauthorized to set map screenshot."}
end
end end
# DELETE maps/:id # DELETE maps/:id
def destroy def destroy
@map = Map.find(params[:id]).authorize_to_delete(current_user) @map = Map.find(params[:id])
authorize! @map
@map.delete if @map @map.delete
respond_to do |format| respond_to do |format|
format.json { format.json do
if @map head :no_content
render json: "success"
else
render json: "unauthorized"
end end
}
end end
end end
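Review bot: `after_action :verify_authorized, except: :activemaps, :featuredmaps, :mymaps, :usermaps` does not parse, because once the `except:` pair starts the trailing hash the bare symbols after it are not valid arguments; the `only:` line below it has the same form. Both need an array: `except: [:activemaps, :featuredmaps, :mymaps, :usermaps]` and `only: [:activemaps, :featuredmaps, :mymaps, :usermaps]`. Separately, `show`, `contains` and `update` appear to keep their `if not @map` / `if !@map` branches after `authorize! @map`. `Map.find` raises rather than returning nil, so those "Access denied" paths look unreachable, and denial now depends on wherever the authorization error is rescued, which is not visible in this commit.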


@ -2,18 +2,15 @@ class SynapsesController < ApplicationController
include TopicsHelper include TopicsHelper
before_action :require_user, only: [:create, :update, :destroy] before_action :require_user, only: [:create, :update, :destroy]
after_action :verify_authorized, except: :index
after_action :verify_policy_scoped, only: :index
respond_to :json respond_to :json
# GET /synapses/1.json # GET /synapses/1.json
def show def show
@synapse = Synapse.find(params[:id]) @synapse = Synapse.find(params[:id])
authorize! @synapse
#.authorize_to_show(current_user)
#if not @synapse
# redirect_to root_url and return
#end
render json: @synapse render json: @synapse
end end
@ -23,6 +20,7 @@ class SynapsesController < ApplicationController
def create def create
@synapse = Synapse.new(synapse_params) @synapse = Synapse.new(synapse_params)
@synapse.desc = "" if @synapse.desc.nil? @synapse.desc = "" if @synapse.desc.nil?
authorize! @synapse
respond_to do |format| respond_to do |format|
if @synapse.save if @synapse.save
@ -38,6 +36,7 @@ class SynapsesController < ApplicationController
def update def update
@synapse = Synapse.find(params[:id]) @synapse = Synapse.find(params[:id])
@synapse.desc = "" if @synapse.desc.nil? @synapse.desc = "" if @synapse.desc.nil?
authorize! @synapse
respond_to do |format| respond_to do |format|
if @synapse.update_attributes(synapse_params) if @synapse.update_attributes(synapse_params)
@ -50,8 +49,9 @@ class SynapsesController < ApplicationController
# DELETE synapses/:id # DELETE synapses/:id
def destroy def destroy
@synapse = Synapse.find(params[:id]).authorize_to_delete(current_user) @synapse = Synapse.find(params[:id])
@synapse.delete if @synapse authorize! @synapse
@synapse.delete
respond_to do |format| respond_to do |format|
format.json { head :no_content } format.json { head :no_content }
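Review bot: In `update`, `authorize! @synapse` runs before `update_attributes(synapse_params)`, so the policy only sees the stored record, not the values being written. If `synapse_params` (defined outside the hunk) permits fields such as `user_id`, `permission` or the topic ids, a user allowed to edit the synapse could hand it to another owner or attach it to topics they cannot see. Consider restricting the permitted attributes per policy, or assigning first and authorizing the changed record before saving. The `update` actions in MappingsController and TopicsController follow the same order.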


@ -2,6 +2,7 @@ class TopicsController < ApplicationController
include TopicsHelper include TopicsHelper
before_action :require_user, only: [:create, :update, :destroy] before_action :require_user, only: [:create, :update, :destroy]
after_action :verify_authorized
respond_to :html, :js, :json respond_to :html, :js, :json
@ -9,12 +10,7 @@ class TopicsController < ApplicationController
def autocomplete_topic def autocomplete_topic
term = params[:term] term = params[:term]
if term && !term.empty? if term && !term.empty?
@topics = Topic.where('LOWER("name") like ?', term.downcase + '%').order('"name"') @topics = policy_scope(Topic.where('LOWER("name") like ?', term.downcase + '%')).order('"name"')
#read this next line as 'delete a topic if its private and you're either
#1. logged out or 2. logged in but not the topic creator
@topics.to_a.delete_if {|t| t.permission == "private" &&
(!authenticated? || (authenticated? && current_user.id != t.user_id)) }
else else
@topics = [] @topics = []
end end
@ -23,28 +19,16 @@ class TopicsController < ApplicationController
# GET topics/:id # GET topics/:id
def show def show
@topic = Topic.find(params[:id]).authorize_to_show(current_user) @topic = Topic.find(params[:id])
authorize! @topic
if not @topic
redirect_to root_url, notice: "Access denied. That topic is private." and return
end
respond_to do |format| respond_to do |format|
format.html { format.html {
@alltopics = ([@topic] + @topic.relatives).delete_if {|t| t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)) } # should limit to topics visible to user @alltopics = ([@topic] + policy_scope(@topic.relatives)
@allsynapses = @topic.synapses.to_a.delete_if {|s| s.permission == "private" && (!authenticated? || (authenticated? && current_user.id != s.user_id)) } @allsynapses = policy_scope(@topic.synapses)
@allcreators = [] @allcreators = @alltopics.map(&:user).uniq
@alltopics.each do |t| @allcreators += @allsynapses.map(&:user).uniq
if @allcreators.index(t.user) == nil
@allcreators.push(t.user)
end
end
@allsynapses.each do |s|
if @allcreators.index(s.user) == nil
@allcreators.push(s.user)
end
end
respond_with(@allsynapses, @alltopics, @allcreators, @topic) respond_with(@allsynapses, @alltopics, @allcreators, @topic)
} }
@ -54,26 +38,14 @@ class TopicsController < ApplicationController
# GET topics/:id/network # GET topics/:id/network
def network def network
@topic = Topic.find(params[:id]).authorize_to_show(current_user) @topic = Topic.find(params[:id])
authorize! @topic
if not @topic @alltopics = [@topic] + policy_scope(@topic.relatives)
redirect_to root_url, notice: "Access denied. That topic is private." and return @allsynapses = policy_scope(@topic.synapses)
end
@alltopics = @topic.relatives.to_a.delete_if {|t| t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)) } @allcreators = @alltopics.map(&:user).uniq
@allsynapses = @topic.synapses.to_a.delete_if {|s| s.permission == "private" && (!authenticated? || (authenticated? && current_user.id != s.user_id)) } @allcreators += @allsynapses.map(&:user).uniq
@allcreators = []
@allcreators.push(@topic.user)
@alltopics.each do |t|
if @allcreators.index(t.user) == nil
@allcreators.push(t.user)
end
end
@allsynapses.each do |s|
if @allcreators.index(s.user) == nil
@allcreators.push(s.user)
end
end
@json = Hash.new() @json = Hash.new()
@json['topic'] = @topic @json['topic'] = @topic
@ -88,28 +60,19 @@ class TopicsController < ApplicationController
# GET topics/:id/relative_numbers # GET topics/:id/relative_numbers
def relative_numbers def relative_numbers
@topic = Topic.find(params[:id]).authorize_to_show(current_user) @topic = Topic.find(params[:id])
authorize @topic
if not @topic topicsAlreadyHas = params[:network] ? params[:network].split(',').map(&:to_i) : []
redirect_to root_url, notice: "Access denied. That topic is private." and return
@alltopics = policy_scope(@topic.relatives).to_a.uniq
@alltopics.delete_if! do |topic|
topicsAlreadyHas.index(topic.id) != nil
end end
@topicsAlreadyHas = params[:network] ? params[:network].split(',') : [] @json = Hash.new(0)
@alltopics = @topic.relatives.to_a.delete_if {|t|
@topicsAlreadyHas.index(t.id.to_s) != nil ||
(t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)))
}
@alltopics.uniq!
@json = Hash.new()
@alltopics.each do |t| @alltopics.each do |t|
if @json[t.metacode.id]
@json[t.metacode.id] += 1 @json[t.metacode.id] += 1
else
@json[t.metacode.id] = 1
end
end end
respond_to do |format| respond_to do |format|
@ -119,44 +82,31 @@ class TopicsController < ApplicationController
# GET topics/:id/relatives # GET topics/:id/relatives
def relatives def relatives
@topic = Topic.find(params[:id]).authorize_to_show(current_user) @topic = Topic.find(params[:id])
authorize! @topic
if not @topic topicsAlreadyHas = params[:network] ? params[:network].split(',').map(&:to_i) : []
redirect_to root_url, notice: "Access denied. That topic is private." and return
alltopics = policy_scope(@topic.relatives).to_a.uniq.delete_if do |topic|
topicsAlreadyHas.index(topic.id.to_s) != nil
end end
@topicsAlreadyHas = params[:network] ? params[:network].split(',') : [] #find synapses between topics in alltopics array
allsynapses = policy_scope(@topic.synapses)
@alltopics = @topic.relatives.to_a.delete_if {|t| synapse_ids = (allsynapses.map(&:topic1_id) + allsynapses.map(&:topic2_id)).uniq
@topicsAlreadyHas.index(t.id.to_s) != nil || allsynapses.delete_if! do |synapse|
(params[:metacode] && t.metacode_id.to_s != params[:metacode]) || synapse_ids.index(synapse.id) != nil
(t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)))
}
@alltopics.uniq!
@allsynapses = @topic.synapses.to_a.delete_if {|s|
(s.topic1 == @topic && @alltopics.index(s.topic2) == nil) ||
(s.topic2 == @topic && @alltopics.index(s.topic1) == nil)
}
@creatorsAlreadyHas = params[:creators] ? params[:creators].split(',') : []
@allcreators = []
@alltopics.each do |t|
if @allcreators.index(t.user) == nil && @creatorsAlreadyHas.index(t.user_id.to_s) == nil
@allcreators.push(t.user)
end
end
@allsynapses.each do |s|
if @allcreators.index(s.user) == nil && @creatorsAlreadyHas.index(s.user_id.to_s) == nil
@allcreators.push(s.user)
end end
creatorsAlreadyHas = params[:creators] ? params[:creators].split(',').map(&:to_i) : []
allcreators = (alltopics.map(&:user) + allsynapses.map(&:user)).uniq.delete_if do |user|
creatorsAlreadyHas.index(user.id) != nil
end end
@json = Hash.new() @json = Hash.new()
@json['topics'] = @alltopics @json['topics'] = alltopics
@json['synapses'] = @allsynapses @json['synapses'] = allsynapses
@json['creators'] = @allcreators @json['creators'] = allcreators
respond_to do |format| respond_to do |format|
format.json { render json: @json } format.json { render json: @json }
@ -167,6 +117,7 @@ class TopicsController < ApplicationController
# POST /topics.json # POST /topics.json
def create def create
@topic = Topic.new(topic_params) @topic = Topic.new(topic_params)
authorize! @topic
respond_to do |format| respond_to do |format|
if @topic.save if @topic.save
@ -181,6 +132,7 @@ class TopicsController < ApplicationController
# PUT /topics/1.json # PUT /topics/1.json
def update def update
@topic = Topic.find(params[:id]) @topic = Topic.find(params[:id])
authorize! @topic
respond_to do |format| respond_to do |format|
if @topic.update_attributes(topic_params) if @topic.update_attributes(topic_params)
@ -193,9 +145,10 @@ class TopicsController < ApplicationController
# DELETE topics/:id # DELETE topics/:id
def destroy def destroy
@topic = Topic.find(params[:id]).authorize_to_delete(current_user) @topic = Topic.find(params[:id])
@topic.delete if @topic authorize! @topic
@topic.delete
respond_to do |format| respond_to do |format|
format.json { head :no_content } format.json { head :no_content }
end end
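Review bot: In `relatives`, the rewritten synapse filter no longer removes synapses whose other endpoint is missing from `alltopics`: `synapse_ids` holds topic ids (`topic1_id`/`topic2_id`) but is compared against `synapse.id`. A synapse the scope allows can therefore still be returned with the id of a topic the scope filtered out, which the old `delete_if` prevented. A filter along the lines of `visible = alltopics.map(&:id) << @topic.id` followed by `allsynapses = policy_scope(@topic.synapses).select { |s| visible.include?(s.topic1_id) && visible.include?(s.topic2_id) }` would restore that. Ruby's Array has `delete_if` and `reject!` but no `delete_if!`, so the `delete_if!` calls here and in `relative_numbers` would raise unless the app defines that method elsewhere. In `relatives`, `topicsAlreadyHas.index(topic.id.to_s)` can never match now that the list is mapped with `to_i`.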