diff --git a/app/controllers/bookmarks_controller.rb b/app/controllers/bookmarks_controller.rb
index 0d2884a068a575eab11378d6b818bfedc889b6a7..487cbfd5baed5cfd16afd3755b2da4525d926e55 100644
--- a/app/controllers/bookmarks_controller.rb
+++ b/app/controllers/bookmarks_controller.rb
@@ -1,8 +1,11 @@
 class BookmarksController < ApplicationController
+  include Pundit
+
   before_action :authenticate_user!
   before_action :set_user
   before_action :find_object, only: [:add_object, :remove_object]
 
+
   # GET /bookmarks/1
   # GET /bookmarks/1.json
   def show
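Review bot: `include Pundit` on L7 looks redundant if `ApplicationController` already mixes Pundit in — `LearningObjectsController` was calling `authorize` before this commit (the line removed from its `show` hunk) without any `include` being added there, which suggests the module comes from the base class. If so, the same `include Pundit` added to CollectionsController, ComplaintsController, InstitutionsController and ReviewsController in this commit can be dropped in favour of the single inclusion point; if not, adding it once to ApplicationController is preferable to repeating it per controller. The extra blank line before the `show` comment is whitespace only, and `show`'s body continues past the hunk.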
@@ -10,6 +13,7 @@ class BookmarksController < ApplicationController
 
   # POST /bookmarks/1/learning_object
   def add_object
+    authorize @object
     Bookmark.create(user: @user, bookmarkable: @object)
 
     render json: { status: true } if request.xhr?
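Review bot: `authorize @object` on L21 derives its query from the action name, so it calls `add_object?` (and `remove_object?` in the next hunk) on the policy of whatever `find_object` loaded; only `LearningObjectPolicy` gains those two predicates in this commit, so a bookmark on any other bookmarkable type would raise `NoMethodError` rather than be denied. `find_object` is outside the hunk, so I cannot tell whether it restricts `@object` to learning objects or what happens when the record is missing — `authorize nil` raises a Pundit error rather than producing a 404. No `rescue_from Pundit::NotAuthorizedError` is visible in this controller; unless ApplicationController provides one, a denied XHR call ends in an unhandled exception instead of a JSON error. A comment on L21 such as `# action name maps to LearningObjectPolicy#add_object?` would make the coupling explicit.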
@@ -17,6 +21,7 @@ class BookmarksController < ApplicationController
 
   # DELETE /bookmarks/1/learning_object
   def remove_object
+    authorize @object
     Bookmark.destroy(user: @user, bookmarkable: @object)
 
     render json: { status: true } if request.xhr?
diff --git a/app/controllers/collections_controller.rb b/app/controllers/collections_controller.rb
index 43ab520318d5473aaaa14c77f5bf9fc57803e0ff..e94d2d77a5ebf90dbfe9df992481e688fd8e28f7 100644
--- a/app/controllers/collections_controller.rb
+++ b/app/controllers/collections_controller.rb
@@ -1,7 +1,13 @@
 class CollectionsController < ApplicationController
+  include Pundit
+
   before_action :set_collection, only: [:show, :update, :destroy, :like, :change_privacy]
   before_action :set_collections, only: [:list, :add_learning_object, :remove_learning_object]
   before_action :authenticate_user!, only: [:update, :destroy, :like, :list, :me, :add_learning_object, :remove_learning_object, :change_privacy]
+  before_action :authorize_action, only: [:show, :create, :update, :destroy, :add_learning_object, :remove_learning_object, :change ]
+
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
 
   # GET /collections
   # GET /collections.json
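Review bot: `:change ` in the `only:` list on L44 matches no action referenced elsewhere in this controller — the `set_collection` callback on L41 and `CollectionPolicy#change_privacy?` both use `change_privacy` — so this looks like a typo, and `change_privacy` is currently the one mutating action that skips authorization entirely. Change it to `before_action :authorize_action, only: [:show, :create, :update, :destroy, :add_learning_object, :remove_learning_object, :change_privacy]`. `like` is also absent from the list while being a member action on a possibly private collection; worth confirming that is intended.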
@@ -200,4 +206,14 @@ class CollectionsController < ApplicationController
     params.require(:collection).permit(:name, :description, :owner, learning_objects: [])
   end
 
+  def user_not_authorized
+    flash[:notice] = "Esta coleção é privada!"
+    redirect_to (root_path)
+  end
+
+  def authorize_action
+    @collection ||= Collection.new
+    authorize @collection
+  end
+
 end
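Review bot: `user_not_authorized` answers every `Pundit::NotAuthorizedError` in this controller with the flash `Esta coleção é privada!` and an HTML redirect, but the callback also guards `create`, `update`, `destroy`, `add_learning_object` and `remove_learning_object`, where the denial has nothing to do with privacy, and the controller serves `.json` (comment on L50), where a 302 to `root_path` is not a usable response. Consider branching on the format, e.g. `respond_to { |f| f.html { redirect_to root_path, notice: ... }; f.json { head :forbidden } }`, with a generic message. `redirect_to (root_path)` also has a stray space before the parenthesis (Ruby parses it as `redirect_to((root_path))`); `redirect_to root_path` is the idiomatic form. Both methods sit below `collection_params`, presumably under `private`; `rescue_from` and `before_action` can call private methods, so that is fine.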
diff --git a/app/controllers/complaints_controller.rb b/app/controllers/complaints_controller.rb
index ac99a7f9c9a0d79d4d7acf09cb46250fb26b1f17..c83724f235e47114724a38f375de20f7dda1fd5a 100644
--- a/app/controllers/complaints_controller.rb
+++ b/app/controllers/complaints_controller.rb
@@ -1,4 +1,7 @@
 class ComplaintsController < ApplicationController
+  include Pundit
+
+  before_action :authorize_action
   before_action :authenticate_user!
 
   def create
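Review bot: `before_action :authorize_action` on L74 is declared before `authenticate_user!` on L75, so it runs first and an anonymous request reaches `authorize` with a nil `current_user`: `ComplaintPolicy#create?` then returns nil and raises `Pundit::NotAuthorizedError` (an unhandled exception unless ApplicationController rescues it) instead of Devise's redirect to sign-in. Swap the two lines so authentication comes first. The callback has no `only:`, so it applies to every action this controller has; only `create` is visible here, and any other action needs its own policy predicate. `create`'s body continues past the hunk.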
@@ -20,4 +23,10 @@ class ComplaintsController < ApplicationController
   def complaint_params
     params.require(:complaint).permit(:complaintable_id, :complaintable_type, :complaint_reason_id, :description)
   end
+
+  def authorize_action
+    @complaint ||= Complaint.new(complaint_params)
+    authorize @complaint
+  end
+
 end
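Review bot: `authorize_action` builds the record with `Complaint.new(complaint_params)`, and `complaint_params` calls `params.require(:complaint)`, so the callback raises `ActionController::ParameterMissing` before any authorization runs on a request lacking the `complaint` key — acceptable for `create`, surprising for any other action the unscoped `before_action` covers. Since `ComplaintPolicy#create?` only checks `user_exists?`, the attributes play no part in the decision; `@complaint ||= Complaint.new` is enough and keeps parameter validation in the action itself. `@complaint` is memoized — if `create` builds its own `Complaint.new(complaint_params)` rather than reusing it, the object authorized and the object saved differ; harmless here, but a one-line comment saying so would help the next reader.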
diff --git a/app/controllers/institutions_controller.rb b/app/controllers/institutions_controller.rb
index 645cc37c083958f49dd1f59676bd07435bb5e977..0496cd655fae13d66302beda0fa3784c0a689ff5 100644
--- a/app/controllers/institutions_controller.rb
+++ b/app/controllers/institutions_controller.rb
@@ -1,5 +1,8 @@
 class InstitutionsController < ApplicationController
+  include Pundit
+
   before_action :set_institution, only: [:show, :edit, :update, :destroy, :like, :users]
+  before_action :authorize_action
 
   # GET /institutions
   # GET /institutions.json
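Review bot: `before_action :authorize_action` on L98 has no `only:`, so every action including `like` and `users` (named in `set_institution` on L97) now queries `like?`/`users?` on `InstitutionPolicy`, which defines only `create?`, `update?`, `index?` and `destroy?`; a policy query with no matching method raises `NoMethodError`, so those actions break unless ApplicationPolicy defines them (not visible here). `show?`, `edit?` and `new?` fall back to whatever ApplicationPolicy provides — confirm those defaults are the intended ones. Either restrict the callback with `only:` to the actions the policy covers or add the missing predicates. No `authenticate_user!` appears in this controller, so the callback also runs for anonymous users; see the note on `institution_policy.rb`.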
@@ -72,4 +75,9 @@ class InstitutionsController < ApplicationController
     params[:institution_object]
   end
 
+  def authorize_action
+    @institution ||= Institution.new
+    authorize @institution
+  end
+
 end
diff --git a/app/controllers/learning_objects_controller.rb b/app/controllers/learning_objects_controller.rb
index 8d07a5834fdb6d64ae8aeb34e320b2e634427ff5..520da4ce710adbf2d3b1f119be4234cb893dab94 100644
--- a/app/controllers/learning_objects_controller.rb
+++ b/app/controllers/learning_objects_controller.rb
@@ -12,11 +12,11 @@ class LearningObjectsController < ApplicationController
                                              :collections, :upload, :upload_link, :download,
                                              :user_not_authorized]
   after_action :increment_learning_object_views, only: [:show]
+  before_action :authorize_action
 
   # GET /learning_objects/1
   # GET /learning_objects/1.json
   def show
-    authorize @learning_object
     @liked = !@learning_object.liked?(current_user) if user_signed_in?
     @reviews = Review.where(reviewable: @learning_object)
   end
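Review bot: the unscoped `before_action :authorize_action` on L120 queries a policy predicate for every action — including `collections`, `upload`, `upload_link` and `download` from the `only:` list on L117–L118 — but the visible part of `LearningObjectPolicy` gains only `create?`, `update?`, `destroy?`, `add_object?` and `remove_object?` next to the existing `show?`. Any action without a matching predicate raises `NoMethodError` rather than denying; the policy file is only partly visible, so please check that each action name has a method, or give the callback an `only:` list. Ordering is fine: the callback is declared after the `set_learning_object`-style callback whose argument list continues at L117–L118 (its start is outside the hunk), so `@learning_object` is loaded before authorization, and `show` changes only by losing the inline `authorize`.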
@@ -135,4 +135,9 @@ class LearningObjectsController < ApplicationController
     redirect_to (root_path)
   end
 
+  def authorize_action
+    @learning_object ||= LearningObject.new
+    authorize @learning_object
+  end
+
 end
diff --git a/app/controllers/reviews_controller.rb b/app/controllers/reviews_controller.rb
index 35145a8a21e0cbd91d8ff71da5a0c35da017b9ef..1782a404fcdce9b6edc82ff3c932a9f72e041709 100644
--- a/app/controllers/reviews_controller.rb
+++ b/app/controllers/reviews_controller.rb
@@ -1,6 +1,10 @@
 class ReviewsController < ApplicationController
+  include Pundit
+
   before_action :authenticate_user!, except: [:show, :list]
   before_action :set_review, only: [:show, :destroy]
+  before_action :authorize_action
+
 
   def list
     if !params[:learning_object_id].blank?
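Review bot: `before_action :authorize_action` on L149 is unscoped, so `list` — which `authenticate_user!` deliberately exempts on L147 — now calls `list?` on `ReviewPolicy`, which has no such method; unless ApplicationPolicy supplies one, anonymous listing raises `NoMethodError`. `show` is exempt from authentication too and relies on whatever `ApplicationPolicy#show?` does (not visible). Either add `except: [:list, :show]` or a `list?` returning `true`, or scope the callback to `create`, `update`, `destroy` and `rate`, the predicates the policy actually defines. The `authorize_action` definition in the next hunk is missing a space in `@review||= Review.new`; `@review ||= Review.new` is the conventional spacing. `list`'s body continues past the hunk.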
@@ -81,4 +85,10 @@ class ReviewsController < ApplicationController
     when 'false' then false
     end
   end
+
+  def authorize_action
+    @review||= Review.new
+    authorize @review
+  end
+
 end
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
index 2a0bbc5213576eb96894310c120ea00520aab607..9f4c8daf1f5d4c3e14e1f364871ea8baf92d71db 100644
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
@@ -38,6 +38,25 @@ class ApplicationPolicy
     Pundit.policy_scope!(user, record.class)
   end
 
+  def owns?
+    return false if user.nil?
+    return true if user.is_admin?
+
+    if owner.is_a? Institution
+      owner.users.include? user
+    else
+      owner == user
+    end
+  end
+
+  def user_exists?
+    return !user.nil?
+  end
+
+  def owner
+    raise "You must implement this method!"
+  end
+
   class Scope
     attr_reader :user, :scope
 
diff --git a/app/policies/collection_policy.rb b/app/policies/collection_policy.rb
new file mode 100644
index 0000000000000000000000000000000000000000..ecb2a4833b0bb580d17a71c8bba4999cf52895ac
--- /dev/null
+++ b/app/policies/collection_policy.rb
@@ -0,0 +1,38 @@
+class CollectionPolicy < ApplicationPolicy
+
+  def create?
+    record if user_exists?
+  end
+
+  def edit?
+    record if owns?
+  end
+
+  def show?
+    unless record.private?
+      record
+    else
+      record if owns?
+    end
+  end
+
+  def destroy?
+    record if owns?
+  end
+
+  def add_learning_object?
+    record if owns?
+  end
+
+  def remove_learning_object?
+    record if owns?
+  end
+
+  def change_privacy?
+    record if owns?
+  end
+
+  def owner
+    record.owner
+  end
+end
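Review bot: `CollectionsController` authorizes `update` (its `only:` list includes `:update`), but this policy defines `edit?` and not `update?`, so `update` falls through to `ApplicationPolicy#update?`; in Pundit's generated base policy that returns `false`, which would deny owners along with everyone else — add an `update?` that returns `owns?` (the base `edit?` normally delegates to `update?`, so the explicit `edit?` here can then go). Style: `show?` uses `unless … else`, which the style guide rejects; `!record.private? || owns?` says the same in one line. All predicates here (and in ComplaintPolicy, InstitutionPolicy, LearningObjectPolicy, ReviewPolicy and UserPolicy) return `record` instead of a boolean; Pundit only checks truthiness so it works, but `def create?` returning `user_exists?` directly is clearer and avoids `nil` as the failure value.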
diff --git a/app/policies/complaint_policy.rb b/app/policies/complaint_policy.rb
new file mode 100644
index 0000000000000000000000000000000000000000..81482c381ac10093952d269eee752d740200316e
--- /dev/null
+++ b/app/policies/complaint_policy.rb
@@ -0,0 +1,6 @@
+class ComplaintPolicy < ApplicationPolicy
+
+  def create?
+    record if user_exists?
+  end
+end
diff --git a/app/policies/institution_policy.rb b/app/policies/institution_policy.rb
new file mode 100644
index 0000000000000000000000000000000000000000..cac5c618de79be31c3631ff9d04e1321e1f5cd66
--- /dev/null
+++ b/app/policies/institution_policy.rb
@@ -0,0 +1,19 @@
+class InstitutionPolicy < ApplicationPolicy
+
+  def create?
+    record if user.is_admin?
+  end
+
+  def update?
+    record if user.is_admin?
+  end
+
+  def index?
+    record if user.is_admin?
+  end
+
+  def destroy?
+    record if user.is_admin?
+  end
+
+end
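Review bot: every predicate here calls `user.is_admin?` without a nil guard, and `InstitutionsController` now runs `authorize_action` on all actions with no `authenticate_user!` visible, so an anonymous `GET /institutions` reaches `index?` with `user` nil and raises `NoMethodError` instead of being denied. Guard it once, e.g. a private `admin?` defined as `user_exists? && user.is_admin?` (reusing the ApplicationPolicy helper), and call it from the four methods. The policy also lacks `show?`, `like?` and `users?` even though the controller authorizes those actions; see the controller note.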
diff --git a/app/policies/learning_object_policy.rb b/app/policies/learning_object_policy.rb
index f5829e1d918af8a1f64728e5d0c87c9ba920a450..15b25f333079c548a62c1c5b67f70c677be5ff2b 100644
--- a/app/policies/learning_object_policy.rb
+++ b/app/policies/learning_object_policy.rb
@@ -11,6 +11,18 @@ class LearningObjectPolicy < ApplicationPolicy
     end
   end
 
+  def create?
+    record if user_exists?
+  end
+
+  def update?
+    record if owns?
+  end
+
+  def destroy?
+    record if owns?
+  end
+
   def show?
     if user.nil?
       record.state == 'published'
@@ -20,4 +32,17 @@ class LearningObjectPolicy < ApplicationPolicy
       record.state == 'published'
     end
   end
+
+  def add_object?
+    record if user_exists?
+  end
+
+  def remove_object?
+    record if user_exists?
+  end
+
+  def owner
+    record.publisher
+  end
+
 end
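Review bot: `add_object?` and `remove_object?` have no corresponding action in `LearningObjectsController`; they exist because `BookmarksController#add_object`/`#remove_object` call `authorize @object` and Pundit maps the action name onto the policy of the bookmarked record. That coupling is invisible from this file, so add a comment above `add_object?`: `# Queried by BookmarksController#add_object / #remove_object via authorize @object; other bookmarkable types need the same predicates on their own policies.` `owner` returning `record.publisher` means `owns?` in ApplicationPolicy treats members of a publishing `Institution` as owners, which looks intended.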
diff --git a/app/policies/review_policy.rb b/app/policies/review_policy.rb
new file mode 100644
index 0000000000000000000000000000000000000000..1ddb5e9c62a5eef942d26408b87edbdcc5547d8a
--- /dev/null
+++ b/app/policies/review_policy.rb
@@ -0,0 +1,22 @@
+class ReviewPolicy < ApplicationPolicy
+
+  def create?
+    record if user_exists?
+  end
+
+  def update?
+    record if owns?
+  end
+
+  def destroy?
+    record if owns?
+  end
+
+  def rate?
+    record if user_exists?
+  end
+
+  def owner
+    record.users
+  end
+end
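Review bot: `owner` returns `record.users` (plural) on L342, but `ApplicationPolicy#owns?` compares it with `owner == user` once the `Institution` branch does not apply, so a collection or association is compared with a single `User` and is never equal — `update?` and `destroy?` can then only succeed for admins, never for the review's author. If `Review` belongs to one user this should be `record.user`; if it really has many users, `owns?` needs a membership check for that case as well. Please confirm the association name, since the model is not in this diff.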
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
new file mode 100644
index 0000000000000000000000000000000000000000..5fc8e5841ac35d03b0d0324b9574f0065f97e0e3
--- /dev/null
+++ b/app/policies/user_policy.rb
@@ -0,0 +1,17 @@
+class UserPolicy < ApplicationPolicy
+  def show?
+    record if user_exists?
+  end
+
+  def list?
+    record
+  end
+
+  def follow?
+    record if user_exists?
+  end
+
+  def unfollow?
+    record if user_exists?
+  end
+end
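Review bot: nothing in this commit wires `UserPolicy` up — no `UsersController` change calls `authorize`, so `show?`, `list?`, `follow?` and `unfollow?` are unused unless that controller already does so (not visible here); if it does not, the policy gives a false sense of coverage and should land together with the matching `before_action`. `list?` returning `record` unconditionally reads as a placeholder; `true` states the intent directly.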