Adding collection and bookmark policies

app/controllers/bookmarks_controller.rb

 class BookmarksController < ApplicationController
+  include Pundit
+
   before_action :authenticate_user!
   before_action :set_user
   before_action :find_object, only: [:add_object, :remove_object]
 
+
   # GET /bookmarks/1
   # GET /bookmarks/1.json
   def show
@@ -10,6 +13,7 @@ class BookmarksController < ApplicationController
 
   # POST /bookmarks/1/learning_object
   def add_object
+    authorize @object
     Bookmark.create(user: @user, bookmarkable: @object)
 
     render json: { status: true } if request.xhr?
@@ -17,6 +21,7 @@ class BookmarksController < ApplicationController
 
   # DELETE /bookmarks/1/learning_object
   def remove_object
+    authorize @object
     Bookmark.destroy(user: @user, bookmarkable: @object)
 
     render json: { status: true } if request.xhr?

app/controllers/collections_controller.rb

 class CollectionsController < ApplicationController
+  include Pundit
+
   before_action :set_collection, only: [:show, :update, :destroy, :like, :change_privacy]
   before_action :set_collections, only: [:list, :add_learning_object, :remove_learning_object]
   before_action :authenticate_user!, only: [:update, :destroy, :like, :list, :me, :add_learning_object, :remove_learning_object, :change_privacy]
+  before_action :authorize_action, only: [:show, :create, :update, :destroy, :add_learning_object, :remove_learning_object, :change ]
+
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
 
   # GET /collections
   # GET /collections.json
@@ -200,4 +206,14 @@ class CollectionsController < ApplicationController
     params.require(:collection).permit(:name, :description, :owner, learning_objects: [])
   end
 
+  def user_not_authorized
+    flash[:notice] = "Esta coleção é privada!"
+    redirect_to (root_path)
+  end
+
+  def authorize_action
+    @collection ||= Collection.new
+    authorize @collection
+  end
+
 end

app/policies/application_policy.rb

@@ -38,6 +38,25 @@ class ApplicationPolicy
     Pundit.policy_scope!(user, record.class)
   end
 
+  def owns?
+    return false if user.nil?
+    return true if user.is_admin?
+
+    if owner.is_a? Institution
+      owner.users.include? user
+    else
+      owner == user
+    end
+  end
+
+  def user_exists?
+    return !user.nil?
+  end
+
+  def owner
+    raise "You must implement this method!"
+  end
+
   class Scope
     attr_reader :user, :scope
 

app/policies/collection_policy.rb

+class CollectionPolicy < ApplicationPolicy
+
+  def create?
+    record if user_exists?
+  end
+
+  def edit?
+    record if owns?
+  end
+
+  def show?
+    unless record.private?
+      record
+    else
+      record if owns?
+    end
+  end
+
+  def destroy?
+    record if owns?
+  end
+
+  def add_learning_object?
+    record if owns?
+  end
+
+  def remove_learning_object?
+    record if owns?
+  end
+
+  def change_privacy?
+    record if owns?
+  end
+
+  def owner
+    record.owner
+  end
+
+end

app/policies/learning_object_policy.rb

@@ -12,15 +12,15 @@ class LearningObjectPolicy < ApplicationPolicy
   end
 
   def create?
-    record unless user.nil?
+    record if user_exists?
   end
 
   def update?
-    record if user_authorized?
+    record if owns?
   end
 
   def destroy?
-    record if user_authorized?
+    record if owns?
   end
 
   def show?
@@ -33,16 +33,16 @@ class LearningObjectPolicy < ApplicationPolicy
     end
   end
 
-  private
+  def add_object?
+    record if user_exists?
+  end
 
-  def user_authorized?
-    return false if user.nil?
-    return true if user.is_admin?
+  def remove_object?
+    record if user_exists?
+  end
 
-    if record.publisher.is_a? Institution
-      record.publisher.users.include? user
-    else
-      record.publisher == user
-    end
+  def owner
+    record.publisher
   end
+
 end