From ab8514fe98854ab877c0a7e4601f77218d9b12f7 Mon Sep 17 00:00:00 2001
From: Giovanne Marcelo <gms15@inf.ufpr.br>
Date: Wed, 9 Mar 2016 11:00:36 -0300
Subject: [PATCH] Adding learning object policy

---
 .../learning_objects_controller.rb            |  7 +++++-
 app/policies/learning_object_policy.rb        | 25 +++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/app/controllers/learning_objects_controller.rb b/app/controllers/learning_objects_controller.rb
index 8d07a583..520da4ce 100644
--- a/app/controllers/learning_objects_controller.rb
+++ b/app/controllers/learning_objects_controller.rb
@@ -12,11 +12,11 @@ class LearningObjectsController < ApplicationController
                                              :collections, :upload, :upload_link, :download,
                                              :user_not_authorized]
   after_action :increment_learning_object_views, only: [:show]
+  before_action :authorize_action
 
   # GET /learning_objects/1
   # GET /learning_objects/1.json
   def show
-    authorize @learning_object
     @liked = !@learning_object.liked?(current_user) if user_signed_in?
     @reviews = Review.where(reviewable: @learning_object)
   end
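Review bot: `before_action :authorize_action` is registered with no `only:`/`except:`, and `authorize @learning_object` (in the hunk below) infers the policy query from `action_name`, so every action in this controller — including the custom ones listed at the top of this hunk (`collections`, `upload`, `upload_link`, `download`, `user_not_authorized`) — now needs a matching `<action>?` method on `LearningObjectPolicy`. The policy file in this patch only adds `create?`, `update?` and `destroy?` next to the existing `show?`; unless `ApplicationPolicy` supplies the others (not visible here), Pundit will raise `NoMethodError` for those actions instead of authorizing them. Either scope the callback, e.g. `before_action :authorize_action, only: [:show, :new, :create, :edit, :update, :destroy]`, or add explicit policy methods for each custom action so the authorization decision is deliberate rather than a missing-method failure. The `show` action's `authorize` call is removed here, so `show` is now entirely dependent on that callback running first; the before_action list this hunk starts in continues above it.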
@@ -135,4 +135,9 @@ class LearningObjectsController < ApplicationController
     redirect_to (root_path)
   end
 
+  def authorize_action
+    @learning_object ||= LearningObject.new
+    authorize @learning_object
+  end
+
 end
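Review bot: `authorize_action` is defined after what reads as a public action body and no `private` marker is visible before it, so unless one exists above the hunk it becomes a public instance method and, in Rails, a potential action; a one-line `private` before `def authorize_action` keeps it out of the routable surface. The `@learning_object ||= LearningObject.new` fallback also means any action that runs without the record-loading callback is authorized against a blank record, which is fine for `create?` (it ignores `record`) but yields `record.publisher == nil` for anything ownership-based, so a comment such as `# collection actions have no loaded record; the policy sees an empty LearningObject` would make that intent explicit. The rest of the `LearningObjectsController` class is outside this hunk.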
diff --git a/app/policies/learning_object_policy.rb b/app/policies/learning_object_policy.rb
index f5829e1d..9f55e961 100644
--- a/app/policies/learning_object_policy.rb
+++ b/app/policies/learning_object_policy.rb
@@ -11,6 +11,18 @@ class LearningObjectPolicy < ApplicationPolicy
     end
   end
 
+  def create?
+    record unless user.nil?
+  end
+
+  def update?
+    record if user_authorized?
+  end
+
+  def destroy?
+    record if user_authorized?
+  end
+
   def show?
     if user.nil?
       record.state == 'published'
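Review bot: `create?`, `update?` and `destroy?` return the `record` object or `nil` rather than a boolean; Pundit only tests truthiness so authorization works, but a `?` predicate that returns an `ActiveRecord` instance reads as a mistake and leaks the record to anyone calling `policy.update?` directly. The bodies should be `!user.nil?` for `create?` and `user_authorized?` for `update?` and `destroy?`. Note that `create?` grants creation to every signed-in user with no further check; if that is intended, a one-line comment saying so would stop a later reader from treating it as an oversight. `show?` continues past the end of this hunk.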
@@ -20,4 +32,17 @@ class LearningObjectPolicy < ApplicationPolicy
       record.state == 'published'
     end
   end
+
+  private
+
+  def user_authorized?
+    return false if user.nil?
+    return true if user.is_admin?
+
+    if record.publisher.is_a? Institution
+      record.publisher.users.include? user
+    else
+      record.publisher == user
+    end
+  end
 end
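Review bot: `user_authorized?` calls `record.publisher` three times; assigning it once, `publisher = record.publisher`, and branching on that local avoids repeated association loads and makes the two ownership rules easier to read. `user.is_admin?` is assumed to exist on the user model — not visible in this patch, so worth confirming — and a short comment above the method, e.g. `# admins always pass; otherwise the user must own the object or belong to its publishing Institution`, would document the rule the `update?`/`destroy?` checks rely on. When the controller falls back to a blank `LearningObject`, `publisher` is `nil` and this method correctly returns false, which is worth stating so that behaviour is not changed accidentally.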
-- 
GitLab