diff --git a/app/controllers/concerns/publisher_controller.rb b/app/controllers/concerns/publisher_controller.rb
index 3b1ada1238af321311f1636cbf9e8c80d109a697..cb8e6745eba47ff1c11f4f6cf9af80f23f6942e4 100644
--- a/app/controllers/concerns/publisher_controller.rb
+++ b/app/controllers/concerns/publisher_controller.rb
@@ -2,43 +2,43 @@ module PublisherController
   extend ActiveSupport::Concern
   included do
-    before_action :authenticate_user!, only: [:show_all_drafts, :show_all_learning_objects, :show_all_collections, :show_liked_learning_objects, :show_liked_collections]
+    before_action :authenticate_user!, only: [:show_all_drafts, :show_liked_learning_objects, :show_liked_collections]
+    before_action :set_publisher
+    before_action -> { authorize @publisher }, only: [:show_all_drafts, :show_liked_learning_objects, :show_liked_collections]
   end
   def show_all_drafts
-    render json: LearningObject.where(publisher: publisher, state: LearningObject.states[:draft])
+    render json: LearningObject.where(publisher: @publisher, state: LearningObject.states[:draft])
   end
   # GET /v1/users/1/learning_objects
   def show_all_learning_objects
-    render json: LearningObject.where(publisher: publisher, state: LearningObject.states[:published])
+    render json: LearningObject.where(publisher: @publisher, state: LearningObject.states[:published])
   end
   def show_all_collections
-    render json: Collection.where(owner: publisher)
+    render json: ::UserPolicy::Scope.new(current_user,Collection).resolve.where(owner: @publisher)
   end
   def show_liked_learning_objects
     includes = [:taggings, :tags, :subject_relations, :subjects, :stage_relations, :educational_stages, :publisher, :language, :license]
     render json: LearningObject.includes(includes).find(
-      Like.where(user: publisher, likeable_type: 'LearningObject').pluck(:likeable_id)
+      Like.where(user: @publisher, likeable_type: 'LearningObject').pluck(:likeable_id)
     )
   end
   def show_liked_collections
     render json: Collection.find(
-      Like.where(user: publisher, likeable_type: 'Collection').pluck(:likeable_id)
+      Like.where(user: @publisher, likeable_type: 'Collection').pluck(:likeable_id)
     )
   end
   protected
-  def publisher
+  def set_publisher
     user, id = request.path.split('/')[2, 3]
     return nil unless %w(users institutions).include? user
     publisher_model = user.singularize.classify.constantize
-    publisher = publisher_model.find(id)
-    authorize publisher
-    publisher
+    @publisher = publisher_model.find(id)
   end
 end
diff --git a/app/policies/publisher_policy.rb b/app/policies/publisher_policy.rb
index f0c8dc94dc12063c34a06c6fd7362c7d6345cd79..0eee77811469fbdf4cad4619a1145b4177088e34 100644
--- a/app/policies/publisher_policy.rb
+++ b/app/policies/publisher_policy.rb
@@ -1,13 +1,18 @@
 module PublisherPolicy
-  def show_all_drafts?
-    record if same_user? || user.is_admin?
-  end
-  def show_all_learning_objects?
-    record if same_user? || user.is_admin?
+  class Scope < ApplicationPolicy::Scope
+    def resolve
+      if user.nil?
+        scope.where(privacy: 'public')
+      elsif user.is_admin? || same_user?
+        scope.all
+      else
+        scope.where(privacy: 'public')
+      end
+    end
   end
-  def show_all_collections?
+  def show_all_drafts?
     record if same_user? || user.is_admin?
   end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 424a0a68dc7e2304daffce0daeed2326de355843..2f6bfddaafb48a1ae8de9d85737d47d08fede22f 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -2,6 +2,8 @@ class UserPolicy < ApplicationPolicy
   include FollowablePolicy
   include PublisherPolicy
+  class Scope < PublisherPolicy::Scope; end
+
   def create?
     user.is_admin?
   end
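Review bot: In `show_all_collections`, the scope is built as `::UserPolicy::Scope.new(current_user,Collection)` and only afterwards narrowed with `.where(owner: @publisher)`, so the `same_user?` test inside `resolve` (publisher_policy.rb hunk; the same applies to the `UserPolicy::Scope` subclass in user_policy.rb) runs on a Scope that holds `current_user` and the `Collection` class but has no reference to `@publisher`; unless `ApplicationPolicy::Scope` (not shown) carries a record, the branch that exposes non-public collections cannot know whose page is being viewed. Either give the scope the publisher it decides about, or decide in the controller, e.g. if `same_user?` means "the viewer is the publisher": `visible = (current_user&.is_admin? || current_user == @publisher) ? Collection.all : Collection.where(privacy: 'public')` then `render json: visible.where(owner: @publisher)`. Note also that the policy class is hard-coded to `UserPolicy` although `set_publisher` may resolve an Institution, and that `set_publisher` leaves `@publisher` nil for any other path prefix, which the new `authorize @publisher` before_action turns into a Pundit policy-lookup error rather than a 404 for the three authorized actions.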
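Review bot: In `resolve`, the `user.nil?` branch and the `else` branch return the same `scope.where(privacy: 'public')`, so the method reads as three cases when there are two; `return scope.all if user && (user.is_admin? || same_user?)` followed by `scope.where(privacy: 'public')` states the rule directly and keeps the nil-user guard. `same_user?` is not defined in this hunk, and since `Scope` inherits from `ApplicationPolicy::Scope` rather than including `PublisherPolicy`, it is worth confirming the predicate is actually reachable from a Scope instance and what it compares against there. A one-line comment on the class, such as `# Collections visible to user: everything for admins and the owner, public ones otherwise`, would help the next reader. The module continues past the hunk, so the remaining `show_*?` predicates and `same_user?` are outside it.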