SCRUM#289: added policies for Contacts

app/controllers/v1/contacts_controller.rb

@@ -20,10 +20,13 @@
 class V1::ContactsController < ApplicationController
   include ::Paginator
 
+  before_action :authenticate_user!, except: [:create]
   before_action :set_contact, only: [:show, :update, :destroy]
+  before_action :authorize!, except: [:index, :create]
 
   # GET v1/contacts
   def index
+    authorize :contact, :index?
     contacts = paginate Contact
     render json: contacts
   end
@@ -71,4 +74,8 @@ class V1::ContactsController < ApplicationController
     def contact_params
       params.require(:contact).permit(:name, :email, :message)
     end
+
+    def authorize!
+      authorize @contact
+    end
 end

app/policies/contact_policy.rb

+
+# Copyright (C) 2015 Centro de Computacao Cientifica e Software Livre
+# Departamento de Informatica - Universidade Federal do Parana
+#
+# This file is part of portalmec.
+#
+# portalmec is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# portalmec is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with portalmec.  If not, see <http://www.gnu.org/licenses/>.
+
+class ContactPolicy < ApplicationPolicy
+  def index?
+    record if user_can_edit?
+  end
+
+  def show?
+    record if user_can_edit?
+  end
+
+  def create?
+    record
+  end
+
+  def update?
+    record if user_can_edit?
+  end
+
+  def destroy?
+    record if user_can_edit?
+  end
+end