diff --git a/app/controllers/v1/contacts_controller.rb b/app/controllers/v1/contacts_controller.rb
index a5519a38f8753fb9cd7271293396706767243676..d2994e471927a6fa552bac3c4def61a99c5bd568 100644
--- a/app/controllers/v1/contacts_controller.rb
+++ b/app/controllers/v1/contacts_controller.rb
@@ -20,12 +20,15 @@ class V1::ContactsController < ApplicationController
 include ::Paginator
+ before_action :authenticate_user!, except: [:create]
 before_action :set_contact, only: [:show, :update, :destroy]
+ before_action :set_new_contact, only: :index
+ before_action :authorize!, except: [:create]
 # GET v1/contacts
 def index
- contacts = paginate Contact
- render json: contacts
+ contacts = paginate policy_scope(Contact)
+ render json: contacts
 end
 # GET v1/contacts/1
@@ -71,4 +74,12 @@ class V1::ContactsController < ApplicationController
 def contact_params
 params.require(:contact).permit(:name, :email, :message)
 end
+
+ def authorize!
+ authorize @contact
+ end
+
+ def set_new_contact
+ @contact ||= Contact.new
+ end
 end
diff --git a/app/policies/contact_policy.rb b/app/policies/contact_policy.rb
new file mode 100644
index 0000000000000000000000000000000000000000..5c7afa253c8ae7875e41a70000ae50a7fe1174b1
--- /dev/null
+++ b/app/policies/contact_policy.rb
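Review bot: The new `before_action :authorize!, except: [:create]` only holds because `set_contact` and `set_new_contact` are declared above it and between them populate `@contact` for exactly index/show/update/destroy; any action added later that is missing from those `only:` lists would reach `authorize @contact` with `@contact` nil. I would document that ordering next to the filters, e.g. `# authorize! reads @contact: set_contact (show/update/destroy) or set_new_contact (index) must run first`. If this is Pundit, as `policy_scope` and `authorize` suggest, `after_action :verify_authorized, except: [:create]` would turn a missed check into an error rather than an open action. `create` staying exempt from both filters reads as the intended public contact form, so the remaining exposure there is abuse of an unauthenticated write endpoint, which this hunk does not address.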
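Review bot: `authorize!` and `set_new_contact` are appended below `contact_params`, and the visibility keyword governing that section is outside the hunk; if they are not under `private`, they become public instance methods of the controller, the same visibility as a routable action. Worth confirming they sit under `private`, or adding `private` before `def authorize!`. `set_new_contact` uses `@contact ||= Contact.new`, which would keep any `@contact` an earlier filter had set; harmless for `index` today, but a comment such as `# index has no record to load; a blank Contact is what the policy is asked about` would make the intent explicit. The enclosing class body starts above the hunk.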
@@ -0,0 +1,48 @@
+
+# Copyright (C) 2015 Centro de Computacao Cientifica e Software Livre
+# Departamento de Informatica - Universidade Federal do Parana
+#
+# This file is part of portalmec.
+#
+# portalmec is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# portalmec is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with portalmec. If not, see <http://www.gnu.org/licenses/>.
+
+class ContactPolicy < ApplicationPolicy
+ class Scope < Scope
+ def resolve
+ if user_can_edit?
+ scope.all
+ end
+ end
+ end
+
+ def index?
+ record if user_can_edit?
+ end
+
+ def show?
+ record if user_can_edit?
+ end
+
+ def create?
+ record
+ end
+
+ def update?
+ record if user_can_edit?
+ end
+
+ def destroy?
+ record if user_can_edit?
+ end
+end
diff --git a/spec/acceptance/contacts_spec.rb b/spec/acceptance/contacts_spec.rb
index c559d36643b9be32fdd5ccd670e3a8edca70aafb..d276e6d9326627044722dd8b2d7f6ad7e699fcf0 100644
--- a/spec/acceptance/contacts_spec.rb
+++ b/spec/acceptance/contacts_spec.rb
@@ -18,6 +18,7 @@
 # along with portalmec. If not, see <http://www.gnu.org/licenses/>.
 require 'acceptance_helpers'
+require 'shared/contexts'
 resource 'Contacts' do
@@ -28,6 +29,7 @@ resource 'Contacts' do
 let(:contacts) { Contact.all }
 get '/v1/contacts' do
+ include_context "authenticate_user_editor"
 example_request 'Getting all contacts' do
 expect(status).to eq(200)
@@ -35,6 +37,7 @@ resource 'Contacts' do
 end
 get '/v1/contacts/:id' do
+ include_context "authenticate_user_editor"
 let(:id) { contacts.first.id }
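Review bot: `Scope#resolve` returns nil when `user_can_edit?` is false because the `if` has no else branch, so `policy_scope(Contact)` hands the controller nil instead of an empty relation and `paginate nil` would raise; the only thing preventing that today is the controller's `authorize!` filter running first. Returning a relation on both paths removes that dependency: `user_can_edit? ? scope.all : scope.none`. The query methods return `record` (an object) or nil rather than a boolean; Pundit checks truthiness so they work, but `def index?; user_can_edit?; end` (and `true` for `create?`, which is always allowed) states the rule directly and no longer relies on the record being truthy. `user_can_edit?` is not defined in this file, so its meaning, presumably from `ApplicationPolicy`, should be documented where it lives.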
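Review bot: Every read, update and delete example now runs inside `include_context "authenticate_user_editor"`, so the new authorization path is only covered on the allow side; nothing asserts that a request without that context, or from a non-editor user, is rejected at `GET /v1/contacts`. That negative example is the regression test that would catch one of the new `before_action` lines being dropped. The same applies to the `/v1/contacts/:id` hunk here and the `put` and `delete` hunks that follow. I would add, alongside each, an `example_request` without the shared context asserting a non-2xx `status`; the exact code depends on how `authenticate_user!` responds, which is not visible here.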
@@ -61,6 +64,7 @@ resource 'Contacts' do
 end
 put '/v1/contacts/:id' do
+ include_context "authenticate_user_editor"
 parameter :name, 'The name of the contact', scope: :contact
 parameter :email, 'The email of the contact', scope: :contact
@@ -78,6 +82,7 @@ resource 'Contacts' do
 end
 delete '/v1/contacts/:id' do
+ include_context "authenticate_user_editor"
 let(:id) { contacts.first.id }