glenux-contrib/metamaps--metamaps
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

implement five policies into their controllers

Browse source
This commit is contained in:
Devin Howard 2016-03-11 22:10:31 +08:00
parent 7395811ba5
commit eb56755068
5 changed files with 142 additions and 174 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
app/controllers/main_controller.rb
View file

@ -4,6 +4,9 @@ class MainController < ApplicationController
include UsersHelper include UsersHelper
include SynapsesHelper include SynapsesHelper
after_action :verify_authorized, except: :index
after_action :verify_policy_scoped, only: :index
respond_to :html, :json respond_to :html, :json
# home page # home page

8
app/controllers/mappings_controller.rb
View file

@ -1,12 +1,14 @@
class MappingsController < ApplicationController class MappingsController < ApplicationController
before_action :require_user, only: [:create, :update, :destroy] before_action :require_user, only: [:create, :update, :destroy]
after_action :verify_authorized, except: :index
after_action :verify_policy_scoped, only: :index
respond_to :json respond_to :json
# GET /mappings/1.json # GET /mappings/1.json
def show def show
@mapping = Mapping.find(params[:id]) @mapping = Mapping.find(params[:id])
authorize! @mapping
render json: @mapping render json: @mapping
end end
@ -14,6 +16,7 @@ class MappingsController < ApplicationController
# POST /mappings.json # POST /mappings.json
def create def create
@mapping = Mapping.new(mapping_params) @mapping = Mapping.new(mapping_params)
authorize! @mapping
if @mapping.save if @mapping.save
render json: @mapping, status: :created render json: @mapping, status: :created
@ -25,6 +28,7 @@ class MappingsController < ApplicationController
# PUT /mappings/1.json # PUT /mappings/1.json
def update def update
@mapping = Mapping.find(params[:id]) @mapping = Mapping.find(params[:id])
authorize! @mapping
if @mapping.update_attributes(mapping_params) if @mapping.update_attributes(mapping_params)
head :no_content head :no_content
@ -36,7 +40,7 @@ class MappingsController < ApplicationController
# DELETE /mappings/1.json # DELETE /mappings/1.json
def destroy def destroy
@mapping = Mapping.find(params[:id]) @mapping = Mapping.find(params[:id])
@map = @mapping.map authorize! @mapping
@mapping.destroy @mapping.destroy

80
app/controllers/maps_controller.rb
View file

@ -1,5 +1,7 @@
class MapsController < ApplicationController class MapsController < ApplicationController
before_action :require_user, only: [:create, :update, :screenshot, :destroy] before_action :require_user, only: [:create, :update, :screenshot, :destroy]
after_action :verify_authorized, except: :activemaps, :featuredmaps, :mymaps, :usermaps
after_action :verify_policy_scoped, only: :activemaps, :featuredmaps, :mymaps, :usermaps
respond_to :html, :json respond_to :html, :json
@ -8,7 +10,8 @@ class MapsController < ApplicationController
# GET /explore/active # GET /explore/active
def activemaps def activemaps
page = params[:page].present? ? params[:page] : 1 page = params[:page].present? ? params[:page] : 1
@maps = Map.where("maps.permission != ?", "private").order("updated_at DESC").page(page).per(20) @maps = policy_scope(Map).order("updated_at DESC")
.page(page).per(20)
# root url => main/home. main/home renders maps/activemaps view. # root url => main/home. main/home renders maps/activemaps view.
redirect_to root_url and return if authenticated? redirect_to root_url and return if authenticated?
@ -22,8 +25,10 @@ class MapsController < ApplicationController
# GET /explore/featured # GET /explore/featured
def featuredmaps def featuredmaps
page = params[:page].present? ? params[:page] : 1 page = params[:page].present? ? params[:page] : 1
@maps = Map.where("maps.featured = ? AND maps.permission != ?", true, "private") @maps = policy_scope(
.order("updated_at DESC").page(page).per(20) Map.where("maps.featured = ? AND maps.permission != ?",
true, "private")
).order("updated_at DESC").page(page).per(20)
respond_to do |format| respond_to do |format|
format.html { respond_with(@maps, @user) } format.html { respond_with(@maps, @user) }
@ -36,8 +41,9 @@ class MapsController < ApplicationController
return redirect_to activemaps_url if !authenticated? return redirect_to activemaps_url if !authenticated?
page = params[:page].present? ? params[:page] : 1 page = params[:page].present? ? params[:page] : 1
# don't need to exclude private maps because they all belong to you @maps = policy_scope(
@maps = Map.where("maps.user_id = ?", current_user.id).order("updated_at DESC").page(page).per(20) Map.where("maps.user_id = ?", current_user.id)
).order("updated_at DESC").page(page).per(20)
respond_to do |format| respond_to do |format|
format.html { respond_with(@maps, @user) } format.html { respond_with(@maps, @user) }
@ -49,7 +55,8 @@ class MapsController < ApplicationController
def usermaps def usermaps
page = params[:page].present? ? params[:page] : 1 page = params[:page].present? ? params[:page] : 1
@user = User.find(params[:id]) @user = User.find(params[:id])
@maps = Map.where("maps.user_id = ? AND maps.permission != ?", @user.id, "private").order("updated_at DESC").page(page).per(20) @maps = policy_scope(Map.where(user: @user))
.order("updated_at DESC").page(page).per(20)
respond_to do |format| respond_to do |format|
format.html { respond_with(@maps, @user) } format.html { respond_with(@maps, @user) }
@ -59,7 +66,8 @@ class MapsController < ApplicationController
# GET maps/:id # GET maps/:id
def show def show
@map = Map.find(params[:id]).authorize_to_show(current_user) @map = Map.find(params[:id])
authorize! @map
if not @map if not @map
redirect_to root_url, notice: "Access denied. That map is private." and return redirect_to root_url, notice: "Access denied. That map is private." and return
@ -83,7 +91,8 @@ class MapsController < ApplicationController
# GET maps/:id/contains # GET maps/:id/contains
def contains def contains
@map = Map.find(params[:id]).authorize_to_show(current_user) @map = Map.find(params[:id])
authorize! @map
if not @map if not @map
redirect_to root_url, notice: "Access denied. That map is private." and return redirect_to root_url, notice: "Access denied. That map is private." and return
@ -130,6 +139,7 @@ class MapsController < ApplicationController
mapping.xloc = topic[1] mapping.xloc = topic[1]
mapping.yloc = topic[2] mapping.yloc = topic[2]
@map.topicmappings << mapping @map.topicmappings << mapping
authorize! mapping, :create
mapping.save mapping.save
end end
@ -142,6 +152,7 @@ class MapsController < ApplicationController
mapping.map = @map mapping.map = @map
mapping.mappable = Synapse.find(synapse_id) mapping.mappable = Synapse.find(synapse_id)
@map.synapsemappings << mapping @map.synapsemappings << mapping
authorize! mapping, :create
mapping.save mapping.save
end end
end end
@ -149,6 +160,8 @@ class MapsController < ApplicationController
@map.arranged = true @map.arranged = true
end end
authorize! @map
if @map.save if @map.save
respond_to do |format| respond_to do |format|
format.json { render :json => @map } format.json { render :json => @map }
@ -162,7 +175,8 @@ class MapsController < ApplicationController
# PUT maps/:id # PUT maps/:id
def update def update
@map = Map.find(params[:id]).authorize_to_edit(current_user) @map = Map.find(params[:id])
authorize! @map
respond_to do |format| respond_to do |format|
if !@map if !@map
@ -177,42 +191,36 @@ class MapsController < ApplicationController
# POST maps/:id/upload_screenshot # POST maps/:id/upload_screenshot
def screenshot def screenshot
@map = Map.find(params[:id]).authorize_to_edit(current_user) @map = Map.find(params[:id])
authorize! @map
if @map png = Base64.decode64(params[:encoded_image]['data:image/png;base64,'.length .. -1])
png = Base64.decode64(params[:encoded_image]['data:image/png;base64,'.length .. -1]) StringIO.open(png) do |data|
StringIO.open(png) do |data| data.class.class_eval { attr_accessor :original_filename, :content_type }
data.class.class_eval { attr_accessor :original_filename, :content_type } data.original_filename = "map-" + @map.id.to_s + "-screenshot.png"
data.original_filename = "map-" + @map.id.to_s + "-screenshot.png" data.content_type = "image/png"
data.content_type = "image/png" @map.screenshot = data
@map.screenshot = data end
end
if @map.save if @map.save
render :json => {:message => "Successfully uploaded the map screenshot."} render :json => {:message => "Successfully uploaded the map screenshot."}
else else
render :json => {:message => "Failed to upload image."} render :json => {:message => "Failed to upload image."}
end end
else
render :json => {:message => "Unauthorized to set map screenshot."}
end
end end
# DELETE maps/:id # DELETE maps/:id
def destroy def destroy
@map = Map.find(params[:id]).authorize_to_delete(current_user) @map = Map.find(params[:id])
authorize! @map
@map.delete if @map @map.delete
respond_to do |format| respond_to do |format|
format.json { format.json do
if @map head :no_content
render json: "success"
else
render json: "unauthorized"
end
}
end end
end
end end
private private

16
app/controllers/synapses_controller.rb
View file

@ -2,18 +2,15 @@ class SynapsesController < ApplicationController
include TopicsHelper include TopicsHelper
before_action :require_user, only: [:create, :update, :destroy] before_action :require_user, only: [:create, :update, :destroy]
after_action :verify_authorized, except: :index
after_action :verify_policy_scoped, only: :index
respond_to :json respond_to :json
# GET /synapses/1.json # GET /synapses/1.json
def show def show
@synapse = Synapse.find(params[:id]) @synapse = Synapse.find(params[:id])
authorize! @synapse
#.authorize_to_show(current_user)
#if not @synapse
# redirect_to root_url and return
#end
render json: @synapse render json: @synapse
end end
@ -23,6 +20,7 @@ class SynapsesController < ApplicationController
def create def create
@synapse = Synapse.new(synapse_params) @synapse = Synapse.new(synapse_params)
@synapse.desc = "" if @synapse.desc.nil? @synapse.desc = "" if @synapse.desc.nil?
authorize! @synapse
respond_to do |format| respond_to do |format|
if @synapse.save if @synapse.save
@ -38,6 +36,7 @@ class SynapsesController < ApplicationController
def update def update
@synapse = Synapse.find(params[:id]) @synapse = Synapse.find(params[:id])
@synapse.desc = "" if @synapse.desc.nil? @synapse.desc = "" if @synapse.desc.nil?
authorize! @synapse
respond_to do |format| respond_to do |format|
if @synapse.update_attributes(synapse_params) if @synapse.update_attributes(synapse_params)
@ -50,8 +49,9 @@ class SynapsesController < ApplicationController
# DELETE synapses/:id # DELETE synapses/:id
def destroy def destroy
@synapse = Synapse.find(params[:id]).authorize_to_delete(current_user) @synapse = Synapse.find(params[:id])
@synapse.delete if @synapse authorize! @synapse
@synapse.delete
respond_to do |format| respond_to do |format|
format.json { head :no_content } format.json { head :no_content }

205
app/controllers/topics_controller.rb
View file

@ -2,6 +2,7 @@ class TopicsController < ApplicationController
include TopicsHelper include TopicsHelper
before_action :require_user, only: [:create, :update, :destroy] before_action :require_user, only: [:create, :update, :destroy]
after_action :verify_authorized
respond_to :html, :js, :json respond_to :html, :js, :json
@ -9,12 +10,7 @@ class TopicsController < ApplicationController
def autocomplete_topic def autocomplete_topic
term = params[:term] term = params[:term]
if term && !term.empty? if term && !term.empty?
@topics = Topic.where('LOWER("name") like ?', term.downcase + '%').order('"name"') @topics = policy_scope(Topic.where('LOWER("name") like ?', term.downcase + '%')).order('"name"')
#read this next line as 'delete a topic if its private and you're either
#1. logged out or 2. logged in but not the topic creator
@topics.to_a.delete_if {|t| t.permission == "private" &&
(!authenticated? || (authenticated? && current_user.id != t.user_id)) }
else else
@topics = [] @topics = []
end end
@ -23,28 +19,16 @@ class TopicsController < ApplicationController
# GET topics/:id # GET topics/:id
def show def show
@topic = Topic.find(params[:id]).authorize_to_show(current_user) @topic = Topic.find(params[:id])
authorize! @topic
if not @topic
redirect_to root_url, notice: "Access denied. That topic is private." and return
end
respond_to do |format| respond_to do |format|
format.html { format.html {
@alltopics = ([@topic] + @topic.relatives).delete_if {|t| t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)) } # should limit to topics visible to user @alltopics = ([@topic] + policy_scope(@topic.relatives)
@allsynapses = @topic.synapses.to_a.delete_if {|s| s.permission == "private" && (!authenticated? || (authenticated? && current_user.id != s.user_id)) } @allsynapses = policy_scope(@topic.synapses)
@allcreators = [] @allcreators = @alltopics.map(&:user).uniq
@alltopics.each do |t| @allcreators += @allsynapses.map(&:user).uniq
if @allcreators.index(t.user) == nil
@allcreators.push(t.user)
end
end
@allsynapses.each do |s|
if @allcreators.index(s.user) == nil
@allcreators.push(s.user)
end
end
respond_with(@allsynapses, @alltopics, @allcreators, @topic) respond_with(@allsynapses, @alltopics, @allcreators, @topic)
} }
@ -54,26 +38,14 @@ class TopicsController < ApplicationController
# GET topics/:id/network # GET topics/:id/network
def network def network
@topic = Topic.find(params[:id]).authorize_to_show(current_user) @topic = Topic.find(params[:id])
authorize! @topic
if not @topic @alltopics = [@topic] + policy_scope(@topic.relatives)
redirect_to root_url, notice: "Access denied. That topic is private." and return @allsynapses = policy_scope(@topic.synapses)
end
@alltopics = @topic.relatives.to_a.delete_if {|t| t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)) } @allcreators = @alltopics.map(&:user).uniq
@allsynapses = @topic.synapses.to_a.delete_if {|s| s.permission == "private" && (!authenticated? || (authenticated? && current_user.id != s.user_id)) } @allcreators += @allsynapses.map(&:user).uniq
@allcreators = []
@allcreators.push(@topic.user)
@alltopics.each do |t|
if @allcreators.index(t.user) == nil
@allcreators.push(t.user)
end
end
@allsynapses.each do |s|
if @allcreators.index(s.user) == nil
@allcreators.push(s.user)
end
end
@json = Hash.new() @json = Hash.new()
@json['topic'] = @topic @json['topic'] = @topic
@ -88,118 +60,99 @@ class TopicsController < ApplicationController
# GET topics/:id/relative_numbers # GET topics/:id/relative_numbers
def relative_numbers def relative_numbers
@topic = Topic.find(params[:id]).authorize_to_show(current_user) @topic = Topic.find(params[:id])
authorize @topic
if not @topic topicsAlreadyHas = params[:network] ? params[:network].split(',').map(&:to_i) : []
redirect_to root_url, notice: "Access denied. That topic is private." and return
@alltopics = policy_scope(@topic.relatives).to_a.uniq
@alltopics.delete_if! do |topic|
topicsAlreadyHas.index(topic.id) != nil
end end
@topicsAlreadyHas = params[:network] ? params[:network].split(',') : [] @json = Hash.new(0)
@alltopics = @topic.relatives.to_a.delete_if {|t|
@topicsAlreadyHas.index(t.id.to_s) != nil ||
(t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id)))
}
@alltopics.uniq!
@json = Hash.new()
@alltopics.each do |t| @alltopics.each do |t|
if @json[t.metacode.id] @json[t.metacode.id] += 1
@json[t.metacode.id] += 1
else
@json[t.metacode.id] = 1
end
end end
respond_to do |format| respond_to do |format|
format.json { render json: @json } format.json { render json: @json }
end end
end end
# GET topics/:id/relatives # GET topics/:id/relatives
def relatives def relatives
@topic = Topic.find(params[:id]).authorize_to_show(current_user) @topic = Topic.find(params[:id])
authorize! @topic
if not @topic topicsAlreadyHas = params[:network] ? params[:network].split(',').map(&:to_i) : []
redirect_to root_url, notice: "Access denied. That topic is private." and return
end
@topicsAlreadyHas = params[:network] ? params[:network].split(',') : [] alltopics = policy_scope(@topic.relatives).to_a.uniq.delete_if do |topic|
topicsAlreadyHas.index(topic.id.to_s) != nil
end
@alltopics = @topic.relatives.to_a.delete_if {|t| #find synapses between topics in alltopics array
@topicsAlreadyHas.index(t.id.to_s) != nil || allsynapses = policy_scope(@topic.synapses)
(params[:metacode] && t.metacode_id.to_s != params[:metacode]) || synapse_ids = (allsynapses.map(&:topic1_id) + allsynapses.map(&:topic2_id)).uniq
(t.permission == "private" && (!authenticated? || (authenticated? && current_user.id != t.user_id))) allsynapses.delete_if! do |synapse|
} synapse_ids.index(synapse.id) != nil
end
@alltopics.uniq! creatorsAlreadyHas = params[:creators] ? params[:creators].split(',').map(&:to_i) : []
allcreators = (alltopics.map(&:user) + allsynapses.map(&:user)).uniq.delete_if do |user|
creatorsAlreadyHas.index(user.id) != nil
end
@allsynapses = @topic.synapses.to_a.delete_if {|s| @json = Hash.new()
(s.topic1 == @topic && @alltopics.index(s.topic2) == nil) || @json['topics'] = alltopics
(s.topic2 == @topic && @alltopics.index(s.topic1) == nil) @json['synapses'] = allsynapses
} @json['creators'] = allcreators
@creatorsAlreadyHas = params[:creators] ? params[:creators].split(',') : [] respond_to do |format|
@allcreators = [] format.json { render json: @json }
@alltopics.each do |t| end
if @allcreators.index(t.user) == nil && @creatorsAlreadyHas.index(t.user_id.to_s) == nil
@allcreators.push(t.user)
end
end
@allsynapses.each do |s|
if @allcreators.index(s.user) == nil && @creatorsAlreadyHas.index(s.user_id.to_s) == nil
@allcreators.push(s.user)
end
end
@json = Hash.new()
@json['topics'] = @alltopics
@json['synapses'] = @allsynapses
@json['creators'] = @allcreators
respond_to do |format|
format.json { render json: @json }
end
end end
# POST /topics # POST /topics
# POST /topics.json # POST /topics.json
def create def create
@topic = Topic.new(topic_params) @topic = Topic.new(topic_params)
authorize! @topic
respond_to do |format| respond_to do |format|
if @topic.save if @topic.save
format.json { render json: @topic, status: :created } format.json { render json: @topic, status: :created }
else else
format.json { render json: @topic.errors, status: :unprocessable_entity } format.json { render json: @topic.errors, status: :unprocessable_entity }
end end
end
end end
end
# PUT /topics/1 # PUT /topics/1
# PUT /topics/1.json # PUT /topics/1.json
def update def update
@topic = Topic.find(params[:id]) @topic = Topic.find(params[:id])
authorize! @topic
respond_to do |format| respond_to do |format|
if @topic.update_attributes(topic_params) if @topic.update_attributes(topic_params)
format.json { head :no_content } format.json { head :no_content }
else else
format.json { render json: @topic.errors, status: :unprocessable_entity } format.json { render json: @topic.errors, status: :unprocessable_entity }
end end
end
end end
end
# DELETE topics/:id # DELETE topics/:id
def destroy def destroy
@topic = Topic.find(params[:id]).authorize_to_delete(current_user) @topic = Topic.find(params[:id])
@topic.delete if @topic authorize! @topic
respond_to do |format| @topic.delete
format.json { head :no_content } respond_to do |format|
end format.json { head :no_content }
end end
end
private private