From 422f608f354c3eaa087f5d9f7a35bb45bcc7619d Mon Sep 17 00:00:00 2001
From: Giovanne Marcelo <gms15@inf.ufpr.br>
Date: Wed, 9 Mar 2016 11:58:14 -0300
Subject: [PATCH] Adding collection and bookmark policies

---
 app/controllers/bookmarks_controller.rb   |  5 +++
 app/controllers/collections_controller.rb | 16 ++++++++++
 app/policies/application_policy.rb        | 19 +++++++++++
 app/policies/collection_policy.rb         | 39 +++++++++++++++++++++++
 app/policies/learning_object_policy.rb    | 24 +++++++-------
 5 files changed, 91 insertions(+), 12 deletions(-)
 create mode 100644 app/policies/collection_policy.rb

diff --git a/app/controllers/bookmarks_controller.rb b/app/controllers/bookmarks_controller.rb
index 0d2884a0..487cbfd5 100644
--- a/app/controllers/bookmarks_controller.rb
+++ b/app/controllers/bookmarks_controller.rb
@@ -1,8 +1,11 @@
 class BookmarksController < ApplicationController
+  include Pundit
+
   before_action :authenticate_user!
   before_action :set_user
   before_action :find_object, only: [:add_object, :remove_object]
 
+
   # GET /bookmarks/1
   # GET /bookmarks/1.json
   def show
@@ -10,6 +13,7 @@ class BookmarksController < ApplicationController
 
   # POST /bookmarks/1/learning_object
   def add_object
+    authorize @object
     Bookmark.create(user: @user, bookmarkable: @object)
 
     render json: { status: true } if request.xhr?
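Review bot: `authorize @object` derives the policy query from the action name, so it calls `add_object?` (and `remove_object?` in the next hunk) on whatever policy matches `@object`'s class; this commit defines those queries only in LearningObjectPolicy. `find_object` is outside the diff, but `bookmarkable:` suggests `@object` may also be a Collection, and CollectionPolicy has no `add_object?`/`remove_object?`, so such a request would fail with a NoMethodError from Pundit instead of a clean denial. Either restrict `find_object` to LearningObject or add the two queries to CollectionPolicy, ideally delegating to `show?` so a private collection cannot be bookmarked by a user who cannot view it. The same applies to `authorize @object` in remove_object.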
@@ -17,6 +21,7 @@ class BookmarksController < ApplicationController
 
   # DELETE /bookmarks/1/learning_object
   def remove_object
+    authorize @object
     Bookmark.destroy(user: @user, bookmarkable: @object)
 
     render json: { status: true } if request.xhr?
diff --git a/app/controllers/collections_controller.rb b/app/controllers/collections_controller.rb
index 43ab5203..e94d2d77 100644
--- a/app/controllers/collections_controller.rb
+++ b/app/controllers/collections_controller.rb
@@ -1,7 +1,13 @@
 class CollectionsController < ApplicationController
+  include Pundit
+
   before_action :set_collection, only: [:show, :update, :destroy, :like, :change_privacy]
   before_action :set_collections, only: [:list, :add_learning_object, :remove_learning_object]
   before_action :authenticate_user!, only: [:update, :destroy, :like, :list, :me, :add_learning_object, :remove_learning_object, :change_privacy]
+  before_action :authorize_action, only: [:show, :create, :update, :destroy, :add_learning_object, :remove_learning_object, :change ]
+
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
 
   # GET /collections
   # GET /collections.json
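Review bot: The `only:` list for `authorize_action` ends with `:change`, which is not an action of this controller; the other `before_action`s and CollectionPolicy use `change_privacy`, so `change_privacy` runs with no Pundit check and `CollectionPolicy#change_privacy?` is never consulted. Unless the action body (outside this diff) verifies ownership itself, any signed-in user could flip the privacy of any collection; the fix is `before_action :authorize_action, only: [:show, :create, :update, :destroy, :add_learning_object, :remove_learning_object, :change_privacy]`. `:like` is also left out of the list, so liking a private collection is not covered by `show?` — worth confirming whether that is intended. Since `set_collection` runs before `authorize_action`, a private collection's record is loaded before the check, which is fine as long as nothing is rendered in between.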
@@ -200,4 +206,14 @@ class CollectionsController < ApplicationController
     params.require(:collection).permit(:name, :description, :owner, learning_objects: [])
   end
 
+  def user_not_authorized
+    flash[:notice] = "Esta coleção é privada!"
+    redirect_to (root_path)
+  end
+
+  def authorize_action
+    @collection ||= Collection.new
+    authorize @collection
+  end
+
 end
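Review bot: `authorize_action` falls back to `Collection.new` whenever `@collection` is unset, but for `add_learning_object` and `remove_learning_object` only `set_collections` (plural) runs per the first hunk, so those actions are authorized against a blank Collection whose `owner` is nil — `owns?` then denies everyone except admins and the collections actually being modified are never checked. Those two actions should authorize each target instead, e.g. `@collections.each { |collection| authorize collection }` inside the action (assuming `set_collections` populates `@collections`, which is outside the diff), leaving the `Collection.new` fallback to `create` only. In `user_not_authorized`, `redirect_to (root_path)` should be `redirect_to root_path`, and the handler redirects even for the `.json`/xhr requests this controller advertises; branch on `request.format` and render status 403 for those. The enclosing `private` section starts outside the hunk, so confirm both helpers land below it.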
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
index 2a0bbc52..9f4c8daf 100644
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
@@ -38,6 +38,25 @@ class ApplicationPolicy
     Pundit.policy_scope!(user, record.class)
   end
 
+  def owns?
+    return false if user.nil?
+    return true if user.is_admin?
+
+    if owner.is_a? Institution
+      owner.users.include? user
+    else
+      owner == user
+    end
+  end
+
+  def user_exists?
+    return !user.nil?
+  end
+
+  def owner
+    raise "You must implement this method!"
+  end
+
   class Scope
     attr_reader :user, :scope
 
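Review bot: `owner` raises a bare RuntimeError to mark an abstract hook; the idiomatic form is `raise NotImplementedError, "#{self.class.name} must implement #owner"` so a missing override is distinguishable from an ordinary failure in `owns?`. `user_exists?` uses an explicit `return !user.nil?`; the implicit `!user.nil?` is the convention in this file. `owns?` grants admins before touching `owner`, which is intentional, but `owner.users.include? user` materialises the whole association when `owner` is an Institution — if `users` is an ActiveRecord relation (not visible here), `owner.users.exists?(user.id)` does the same check in one query.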
diff --git a/app/policies/collection_policy.rb b/app/policies/collection_policy.rb
new file mode 100644
index 00000000..c498afe1
--- /dev/null
+++ b/app/policies/collection_policy.rb
@@ -0,0 +1,39 @@
+class CollectionPolicy < ApplicationPolicy
+
+  def create?
+    record if user_exists?
+  end
+
+  def edit?
+    record if owns?
+  end
+
+  def show?
+    unless record.private?
+      record
+    else
+      record if owns?
+    end
+  end
+
+  def destroy?
+    record if owns?
+  end
+
+  def add_learning_object?
+    record if owns?
+  end
+
+  def remove_learning_object?
+    record if owns?
+  end
+
+  def change_privacy?
+    record if owns?
+  end
+
+  def owner
+    record.owner
+  end
+
+end
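Review bot: CollectionsController authorizes the `update` action, which makes Pundit call `update?`, yet this policy defines `edit?` and no `update?`; if ApplicationPolicy follows the stock Pundit template (outside this diff), `update?` returns false and `edit?` merely delegates to it, so every update is denied regardless of ownership. Define the query the controller actually uses: `def update?` / `  record if owns?` / `end`, keeping `edit?` only if something calls it. `show?` uses an `unless … else` branch, which the style guide discourages; a guard reads better: `return record unless record.private?` followed by `record if owns?`. Returning `record` rather than a boolean works because Pundit only tests truthiness, but a comment noting that convention would help readers, since `nil` here means "denied".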
diff --git a/app/policies/learning_object_policy.rb b/app/policies/learning_object_policy.rb
index 9f55e961..15b25f33 100644
--- a/app/policies/learning_object_policy.rb
+++ b/app/policies/learning_object_policy.rb
@@ -12,15 +12,15 @@ class LearningObjectPolicy < ApplicationPolicy
   end
 
   def create?
-    record unless user.nil?
+    record if user_exists?
   end
 
   def update?
-    record if user_authorized?
+    record if owns?
   end
 
   def destroy?
-    record if user_authorized?
+    record if owns?
   end
 
   def show?
@@ -33,16 +33,16 @@ class LearningObjectPolicy < ApplicationPolicy
     end
   end
 
-  private
+  def add_object?
+    record if user_exists?
+  end
 
-  def user_authorized?
-    return false if user.nil?
-    return true if user.is_admin?
+  def remove_object?
+    record if user_exists?
+  end
 
-    if record.publisher.is_a? Institution
-      record.publisher.users.include? user
-    else
-      record.publisher == user
-    end
+  def owner
+    record.publisher
   end
+
 end
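Review bot: `add_object?` and `remove_object?` only require a signed-in user, so a learning object the user is not allowed to `show?` (the predicate defined between the two hunks, mostly outside the diff) can still be bookmarked and its existence thereby confirmed; `record if user_exists? && show?` keeps the bookmark checks consistent with read access. Removing the `private` marker makes `owner` a public method of the policy; since it is an implementation hook for `ApplicationPolicy#owns?` rather than a query, keep it under `private` (a private method can still be called from the superclass without a receiver). The blank line added before the closing `end` is stray.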
-- 
GitLab