Merge branch 'authorization-system' into 'master'

Authorization system See merge request !182

Merge branch 'authorization-system' into 'master'
5d40d403 · Mauricio Giacomini Girardello · 8067b877 · 75373932 · 5d40d403 · 5d40d403
Commit 5d40d403 authored 9 years ago by Mauricio Giacomini Girardello
--- a/app/controllers/bookmarks_controller.rb
+++ b/app/controllers/bookmarks_controller.rb
 class BookmarksController < ApplicationController
+  include Pundit
+
  before_action :authenticate_user!
  before_action :set_user
  before_action :find_object, only: [:add_object, :remove_object]

+
  # GET /bookmarks/1
  # GET /bookmarks/1.json
  def show
@@ -10,6 +13,7 @@ class BookmarksController < ApplicationController

  # POST /bookmarks/1/learning_object
  def add_object
+    authorize @object
    Bookmark.create(user: @user, bookmarkable: @object)

    render json: { status: true } if request.xhr?
@@ -17,6 +21,7 @@ class BookmarksController < ApplicationController

  # DELETE /bookmarks/1/learning_object
  def remove_object
+    authorize @object
    Bookmark.destroy(user: @user, bookmarkable: @object)

    render json: { status: true } if request.xhr?

--- a/app/controllers/collections_controller.rb
+++ b/app/controllers/collections_controller.rb
 class CollectionsController < ApplicationController
+  include Pundit
+
  before_action :set_collection, only: [:show, :update, :destroy, :like, :change_privacy]
  before_action :set_collections, only: [:list, :add_learning_object, :remove_learning_object]
  before_action :authenticate_user!, only: [:update, :destroy, :like, :list, :me, :add_learning_object, :remove_learning_object, :change_privacy]
+  before_action :authorize_action, only: [:show, :create, :update, :destroy, :add_learning_object, :remove_learning_object, :change ]
+
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+

  # GET /collections
  # GET /collections.json
@@ -200,4 +206,14 @@ class CollectionsController < ApplicationController
    params.require(:collection).permit(:name, :description, :owner, learning_objects: [])
  end

+  def user_not_authorized
+    flash[:notice] = "Esta coleção é privada!"
+    redirect_to (root_path)
+  end
+
+  def authorize_action
+    @collection ||= Collection.new
+    authorize @collection
+  end
+
 end
--- a/app/controllers/complaints_controller.rb
+++ b/app/controllers/complaints_controller.rb
 class ComplaintsController < ApplicationController
+  include Pundit
+
+  before_action :authorize_action
  before_action :authenticate_user!

  def create
@@ -20,4 +23,10 @@ class ComplaintsController < ApplicationController
  def complaint_params
    params.require(:complaint).permit(:complaintable_id, :complaintable_type, :complaint_reason_id, :description)
  end
+
+  def authorize_action
+    @complaint ||= Complaint.new(complaint_params)
+    authorize @complaint
+  end
+
 end
--- a/app/controllers/institutions_controller.rb
+++ b/app/controllers/institutions_controller.rb
 class InstitutionsController < ApplicationController
+  include Pundit
+
  before_action :set_institution, only: [:show, :edit, :update, :destroy, :like, :users]
+  before_action :authorize_action

  # GET /institutions
  # GET /institutions.json
@@ -72,4 +75,9 @@ class InstitutionsController < ApplicationController
    params[:institution_object]
  end

+  def authorize_action
+    @institution ||= Institution.new
+    authorize @institution
+  end
+
 end
--- a/app/controllers/learning_objects_controller.rb
+++ b/app/controllers/learning_objects_controller.rb
@@ -12,11 +12,11 @@ class LearningObjectsController < ApplicationController
                                             :collections, :upload, :upload_link, :download,
                                             :user_not_authorized]
  after_action :increment_learning_object_views, only: [:show]
+  before_action :authorize_action

  # GET /learning_objects/1
  # GET /learning_objects/1.json
  def show
-    authorize @learning_object
    @liked = !@learning_object.liked?(current_user) if user_signed_in?
    @reviews = Review.where(reviewable: @learning_object)
  end
@@ -135,4 +135,9 @@ class LearningObjectsController < ApplicationController
    redirect_to (root_path)
  end

+  def authorize_action
+    @learning_object ||= LearningObject.new
+    authorize @learning_object
+  end
+
 end
--- a/app/controllers/reviews_controller.rb
+++ b/app/controllers/reviews_controller.rb
 class ReviewsController < ApplicationController
+  include Pundit
+
  before_action :authenticate_user!, except: [:show, :list]
  before_action :set_review, only: [:show, :destroy]
+  before_action :authorize_action
+

  def list
    if !params[:learning_object_id].blank?
@@ -81,4 +85,10 @@ class ReviewsController < ApplicationController
    when 'false' then false
    end
  end
+
+  def authorize_action
+    @review||= Review.new
+    authorize @review
+  end
+
 end
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
@@ -38,6 +38,25 @@ class ApplicationPolicy
    Pundit.policy_scope!(user, record.class)
  end

+  def owns?
+    return false if user.nil?
+    return true if user.is_admin?
+
+    if owner.is_a? Institution
+      owner.users.include? user
+    else
+      owner == user
+    end
+  end
+
+  def user_exists?
+    return !user.nil?
+  end
+
+  def owner
+    raise "You must implement this method!"
+  end
+
  class Scope
    attr_reader :user, :scope


--- a/app/policies/collection_policy.rb
+++ b/app/policies/collection_policy.rb
+class CollectionPolicy < ApplicationPolicy
+
+  def create?
+    record if user_exists?
+  end
+
+  def edit?
+    record if owns?
+  end
+
+  def show?
+    unless record.private?
+      record
+    else
+      record if owns?
+    end
+  end
+
+  def destroy?
+    record if owns?
+  end
+
+  def add_learning_object?
+    record if owns?
+  end
+
+  def remove_learning_object?
+    record if owns?
+  end
+
+  def change_privacy?
+    record if owns?
+  end
+
+  def owner
+    record.owner
+  end
+end
--- a/app/policies/complaint_policy.rb
+++ b/app/policies/complaint_policy.rb
+class ComplaintPolicy < ApplicationPolicy
+
+  def create?
+    record if user_exists?
+  end
+end
--- a/app/policies/institution_policy.rb
+++ b/app/policies/institution_policy.rb
+class InstitutionPolicy < ApplicationPolicy
+
+  def create?
+    record if user.is_admin?
+  end
+
+  def update?
+    record if user.is_admin?
+  end
+
+  def index?
+    record if user.is_admin?
+  end
+
+  def destroy?
+    record if user.is_admin?
+  end
+
+end
--- a/app/policies/learning_object_policy.rb
+++ b/app/policies/learning_object_policy.rb
@@ -11,6 +11,18 @@ class LearningObjectPolicy < ApplicationPolicy
    end
  end

+  def create?
+    record if user_exists?
+  end
+
+  def update?
+    record if owns?
+  end
+
+  def destroy?
+    record if owns?
+  end
+
  def show?
    if user.nil?
      record.state == 'published'
@@ -20,4 +32,17 @@ class LearningObjectPolicy < ApplicationPolicy
      record.state == 'published'
    end
  end
+
+  def add_object?
+    record if user_exists?
+  end
+
+  def remove_object?
+    record if user_exists?
+  end
+
+  def owner
+    record.publisher
+  end
+
 end
--- a/app/policies/review_policy.rb
+++ b/app/policies/review_policy.rb
+class ReviewPolicy < ApplicationPolicy
+
+  def create?
+    record if user_exists?
+  end
+
+  def update?
+    record if owns?
+  end
+
+  def destroy?
+    record if owns?
+  end
+
+  def rate?
+    record if user_exists?
+  end
+
+  def owner
+    record.users
+  end
+end
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
+class UserPolicy < ApplicationPolicy
+  def show?
+    record if user_exists?
+  end
+
+  def list?
+    record
+  end
+
+  def follow?
+    record if user_exists?
+  end
+
+  def unfollow?
+    record if user_exists?
+  end
+end