diff --git a/app/controllers/api/v0/themes_controller.rb b/app/controllers/api/v0/themes_controller.rb
index 935e1f9..e07dc9d 100644
--- a/app/controllers/api/v0/themes_controller.rb
+++ b/app/controllers/api/v0/themes_controller.rb
@@ -4,7 +4,9 @@
 before_action :authenticate
 def extract
+ # check if the user has permissions to use the themes API
 @theme = Theme.find(params[:id])
+ raise Pundit::NotAuthorizedError unless Api::V0::ThemePolicy.new(@user, @theme).extract?
 @answers = @theme.answers.where(plan_id: @user.plans.pluck(:id))
 admin_answers = []
 org_answers = []
diff --git a/app/models/token_permission_type.rb b/app/models/token_permission_type.rb
index 5770e6c..34c2b75 100644
--- a/app/models/token_permission_type.rb
+++ b/app/models/token_permission_type.rb
@@ -20,6 +20,7 @@
 PLANS = TokenPermissionType.where(token_type: 'plans').first.freeze
 TEMPLATES = TokenPermissionType.where(token_type: 'templates').first.freeze
 STATISTICS = TokenPermissionType.where(token_type: 'statistics').first.freeze
+ THEMES = TokenPermissionType.where(token_type: 'themes').first.freeze
 ##
diff --git a/app/policies/api/v0/theme_policy.rb b/app/policies/api/v0/theme_policy.rb
new file mode 100644
index 0000000..375a96a
--- /dev/null
+++ b/app/policies/api/v0/theme_policy.rb
@@ -0,0 +1,23 @@
+module Api
+ module V0
+ class ThemePolicy < ApplicationPolicy
+ attr_reader :user, :theme
+
+ def initialize(user, theme)
+ raise Pundit::NotAuthorizedError, _("must be logged in") unless user
+ unless user.org.token_permission_types.include? TokenPermissionType::THEMES
+ raise Pundit::NotAuthorizedError, _("must have access to theme api")
+ end
+ @user = user
+ @theme = theme
+ end
+
+ ##
+ # always allowed as index chooses which themes to display
+ def extract?
+ true
+ end
+
+ end
+ end
+end
\ No newline at end of file
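Review bot: The new authorization line runs only after `Theme.find(params[:id])`, so a token whose org lacks the themes permission still drives the lookup and, for an unknown id, receives the `RecordNotFound` response before it is ever rejected — an unauthorized API client can use that difference to probe which theme ids exist. Whether that matters depends on how the API renders `RecordNotFound` versus `Pundit::NotAuthorizedError`, which is outside this hunk; if both map to the same status the concern is moot. Independently, the added comment sits above the `find` rather than above the check it describes, and since `Api::V0::ThemePolicy#initialize` does all of the deciding (its `extract?` is unconditionally true), a reader will wonder why the `unless ... .extract?` clause exists; I would move the comment down one line and make it say so: `# permission is enforced by ThemePolicy.new, which raises for unauthorized orgs; extract? is always true`. `@user` is presumably populated by the `authenticate` before_action, which is not visible here, and `extract` continues past the end of the hunk.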
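Review bot: `THEMES` is resolved with a database query at class-load time, like its siblings, and becomes `nil` if no `token_permission_types` row with `token_type: 'themes'` exists; this diff adds no migration or seed creating that row, though one may exist elsewhere. With a nil constant, the new policy's `include? TokenPermissionType::THEMES` is always false, so the endpoint fails closed for every org with the misleading "must have access to theme api" message instead of a clear configuration error. Either ship the seed/migration in the same change or document the dependency above the line, e.g. `# requires a token_permission_types row with token_type 'themes'; if missing this is nil and all theme API access is denied`.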
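Review bot: `user.org.token_permission_types` in `initialize` raises `NoMethodError` for a user with no org, turning what should be an authorization failure into a 500 rather than the intended `Pundit::NotAuthorizedError`; guard it with `unless user.org && user.org.token_permission_types.include?(TokenPermissionType::THEMES)`. Raising from the constructor also means this policy can never answer `false` — anything that merely instantiates it (Pundit's `policy` helper, a view check) throws instead of denying — so `extract?` returning `true` unconditionally is only correct while every caller goes through `new`; if that is the established convention for the other `Api::V0` policies (not visible here), the `extract?` comment should say so, e.g. `# authorization is enforced in #initialize, which raises; a false is never returned here`. The existing comment's reference to "index" choosing themes does not correspond to anything in this file, and the file is missing its trailing newline.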