diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index cb50378..ddf4bda 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -4,6 +4,7 @@
 # GET /projects
 # GET /projects.json
 def index
+ authorize Project
 ## TODO: Is this A magic String? the "Show_shib_link?" as we define it and users dont see cookies
 if user_signed_in? then
 if (current_user.shibboleth_id.nil? || current_user.shibboleth_id.length == 0) && !cookies[:show_shib_link].nil? && cookies[:show_shib_link] == "show_shib_link" then
@@ -15,7 +16,6 @@
 respond_to do |format|
 format.html # index.html.erb
- format.json { render json: @projects }
 end
 else
 respond_to do |format|
@@ -28,6 +28,7 @@
 # GET /projects/1.json
 def show
 @project = Project.find(params[:id])
+ authorize @project
 @show_form = false
 if params[:show_form] == "yes" then
 @show_form = true
@@ -35,7 +36,6 @@
 if user_signed_in? && @project.readable_by(current_user.id) then
 respond_to do |format|
 format.html # show.html.erb
- format.json { render json: @project }
 end
 elsif user_signed_in? then
 respond_to do |format|
@@ -52,7 +52,8 @@
 # GET /projects/new.json
 def new
 if user_signed_in? then
- @project = Project.new
+ @project = Project.new
+ authorize @project
 @project.organisation = current_user.organisation
 @funders = orgs_of_type(constant("organisation_types.funder"), true)
 @templates = get_available_templates
@@ -62,7 +63,6 @@
 respond_to do |format|
 format.html # new.html.erb
- format.json { render json: @project }
 end
 else
 respond_to do |format|
@@ -75,6 +75,7 @@
 # Should this be removed?
 def edit
 @project = Project.find(params[:id])
+ authorize @project
 if !user_signed_in? then
 respond_to do |format|
 format.html { redirect_to edit_user_registration_path }
@@ -88,6 +89,7 @@
 def share
 @project = Project.find(params[:id])
+ authorize @project
 if !user_signed_in? then
 respond_to do |format|
 format.html { redirect_to edit_user_registration_path }
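Review bot: `authorize Project` at the top of `index` runs before the existing `if user_signed_in?` test, and the new ProjectPolicy raises `Pundit::NotAuthorizedError` from its constructor when `user` is nil, so an anonymous visitor now gets that exception instead of reaching the `else` branch that previously served them; unless a `rescue_from Pundit::NotAuthorizedError` handler exists outside this diff, that is an unhandled error rather than a redirect. The same ordering applies to `authorize @project` in `show`, `edit`, `share`, `export`, `update` and `destroy`, each of which now authorizes before its own sign-in check, leaving the `if !user_signed_in?` redirects unreachable for the anonymous case. `index?` is also not defined in the new policy, so that decision is inherited from ApplicationPolicy, which is not in the diff. Moving the call inside the signed-in branch (`if user_signed_in? then` followed by `authorize Project`) or documenting the rescue path would make the intended behaviour for anonymous users explicit; `index` continues past the hunk.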
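Review bot: With `authorize @project` in `show` now enforcing `show?` (which is `readable_by`) before the `if user_signed_in? && @project.readable_by(current_user.id)` test, the `elsif user_signed_in?` branch in the second `show` hunk can no longer be reached — the policy has already raised for an unreadable project — so it becomes dead code that a later reader will assume still runs. Either drop the in-action `readable_by` duplicate so the policy is the single decision point, or mark it, e.g. `# readability already enforced by ProjectPolicy#show?; branches below only pick the response`. The same duplication appears in `update` and `destroy`, whose `else` branches render `public/403.html` for a condition the policy now rejects earlier. The `show` body continues outside the hunk.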
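Review bot: `authorize @project` on the freshly built `Project.new` in `new` dispatches to `new?`, which ProjectPolicy does not define — nor `create?` for the `create` action later in this diff — so the outcome depends entirely on ApplicationPolicy; if that class follows Pundit's generated template, where `new?` delegates to `create?` and `create?` returns `false`, every signed-in user is denied both actions. The old behaviour visible here was simply "any signed-in user", so making that rule explicit in the policy, e.g. `def create?; true; end` and `def new?; create?; end`, keeps the decision in one readable place instead of an inherited default. The `new` body continues past the hunk.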
@@ -101,6 +103,7 @@
 def export
 @project = Project.find(params[:id])
+ authorize @project
 if !user_signed_in? then
 respond_to do |format|
 format.html { redirect_to edit_user_registration_path }
@@ -118,7 +121,7 @@
 def create
 if user_signed_in? then
 @project = Project.new(params[:project])
-
+ authorize @project
 if @project.dmptemplate.nil? && params[:project][:funder_id] != "" then # this shouldn't be necessary - see setter for funder_id in project.rb
 funder = Organisation.find(params[:project][:funder_id])
 if funder.dmptemplates.count == 1 then
@@ -138,10 +141,8 @@
 respond_to do |format|
 if @project.save
 format.html { redirect_to({:action => "show", :id => @project.slug, :show_form => "yes"}, {:notice => I18n.t('helpers.project.success')}) }
- format.json { render json: @project, status: :created, location: @project }
 else
 format.html { render action: "new" }
- format.json { render json: @project.errors, status: :unprocessable_entity }
 end
 end
 else
@@ -153,17 +154,15 @@
 # PUT /projects/1.json
 def update
 @project = Project.find(params[:id])
+ authorize @project
 if user_signed_in? && @project.editable_by(current_user.id) then
-
 if @project.update_attributes(params[:project])
 respond_to do |format|
 format.html { redirect_to({:action => "show", :id => @project.slug, notice: I18n.t('helpers.project.success_update') }) }
- format.json { head :no_content }
 end
 else
 respond_to do |format|
 format.html { render action: "edit" }
- format.json { render json: @project.errors, status: :unprocessable_entity }
 end
 end
 else
@@ -175,19 +174,21 @@
 # DELETE /projects/1.json
 def destroy
 @project = Project.find(params[:id])
+ authorize @project
 if user_signed_in? && @project.editable_by(current_user.id) then
 @project.destroy
 respond_to do |format|
 format.html { redirect_to projects_url }
- format.json { head :no_content }
 end
 else
 render(:file => File.join(Rails.root, 'public/403.html'), :status => 403, :layout => false)
 end
 end
-=begin
+ # returns to AJAX call from frontend
+ # difficult to secure as it passes through params, and dosent curate data based
+ # on what the user can "view" or is public
 # GET /projects/possible_templates.json
 def possible_templates
 if !params[:funder].nil? && params[:funder] != "" && params[:funder] != "undefined" then
@@ -221,7 +222,11 @@
 end
 end
- def possible_guidance
+ # returns to AJAX call from frontend
+ # difficult to secure as it passes through params, and dosent curate data based
+ # on what the user can "view" or is public
+ def possible_guidance
+ authorize @project
 if !params[:template].nil? && params[:template] != "" && params[:template] != "undefined" then
 template = Dmptemplate.find(params[:template])
 else
@@ -242,6 +247,7 @@
 #subset guidance that belong to the institution
 unless institution.nil? then
+ authorize Project
 optional_gg = GuidanceGroup.where("optional_subset = ? && organisation_id = ?", true, institution.id)
 optional_gg.each do|optional|
 guidance_groups[optional.id] = optional.name
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
new file mode 100644
index 0000000..60c76fd
--- /dev/null
+++ b/app/policies/project_policy.rb
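Review bot: Removing `=begin` just below `destroy` re-enables `possible_templates`, but the `=end` that closed that block comment is not removed in any visible hunk; if it still sits further down the file Ruby will not parse it, so please confirm it is gone as well. The reinstated action has no `authorize` call in this hunk and `possible_templates?` in the new policy returns `true`, so the only control it gains is the logged-in check raised from the policy constructor — a line above the `def` saying so, e.g. `# Any signed-in user may call this; results are not filtered by project visibility`, states the accepted exposure more plainly than the current wording (and "dosent" should read "doesn't", here and in the copy above `possible_guidance`). `possible_templates` continues past the hunk.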
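Review bot: `authorize @project` at the top of `possible_guidance` refers to an instance variable that nothing in this hunk assigns — the action reads `params[:template]`, not `params[:id]` — so unless a before_action outside the diff sets `@project`, Pundit is handed nil, cannot resolve a policy for it, and raises on every call rather than authorizing anything. The second call, `authorize Project` inside `unless institution.nil?` in the following hunk, reaches `possible_guidance?`, which returns `true`, so neither call checks more than the nil-user raise in the policy constructor; meanwhile `Dmptemplate.find(params[:template])` still loads whatever id the client sends, which is exactly the exposure the new comment describes. Replacing the first call with `authorize Project` and dropping the one in the `unless` branch would match what the policy can evaluate, and scoping the template lookup to what the current user may view would address the comment's concern. The action body continues outside the hunk.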
@@ -0,0 +1,42 @@
+class ProjectPolicy < ApplicationPolicy
+ attr_reader :user
+ attr_reader :project
+
+ def initialize(user, project)
+ raise Pundit::NotAuthorizedError, "must be logged in" unless user
+ @user = user
+ @project = project
+ end
+
+ def show?
+ @project.readable_by(@user.id)
+ end
+
+ def edit?
+ @project.editable_by(@user.id)
+ end
+
+ def share?
+ @project.editable_by(@user.id)
+ end
+
+ def export?
+ @project.readable_by(@user.id)
+ end
+
+ def update?
+ @project.editable_by(@user.id)
+ end
+
+ def destroy?
+ @project.editable_by(@user.id)
+ end
+
+ def possible_templates?
+ true
+ end
+
+ def possible_guidance?
+ true
+ end
+end
\ No newline at end of file
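Review bot: `initialize` never calls `super`, so whatever state ApplicationPolicy's own constructor sets (Pundit's generated base class keeps `@user` and `@record`) is left unset, and because the record is stored as `@project` here, any predicate inherited from ApplicationPolicy that reads `@record` — which is where `index?`, `new?` and `create?` land, since this class does not define them — would see nil. If the base constructor takes `(user, record)`, `raise Pundit::NotAuthorizedError, "must be logged in" unless user` followed by `super` keeps both in step; otherwise define those three predicates explicitly so the index/create rules are visible rather than inherited. `possible_templates?` and `possible_guidance?` return `true` unconditionally, so a one-line comment on each that the logged-in check in the constructor is the only gate would stop a reader assuming project visibility is consulted. Note also that `index` authorizes the `Project` class, on which `readable_by`/`editable_by` do not exist, so none of the six instance predicates can serve it — a `Scope` subclass for `policy_scope` is the usual place for that rule — and the file lacks a trailing newline.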