diff --git a/app/controllers/plans_controller.rb b/app/controllers/plans_controller.rb
index 7b0daa6..9a05242 100644
--- a/app/controllers/plans_controller.rb
+++ b/app/controllers/plans_controller.rb
@@ -1,7 +1,9 @@
 class PlansController < ApplicationController
 #Uncomment the line below in order to add authentication to this page - users without permission will not be able to add new plans
 #load_and_authorize_resource
+ after_action :verify_authorized
+
 # GET /plans/1/edit
 def edit
 @plan = Plan.find(params[:id])
diff --git a/app/controllers/project_groups_controller.rb b/app/controllers/project_groups_controller.rb
index 426b842..dea2a67 100644
--- a/app/controllers/project_groups_controller.rb
+++ b/app/controllers/project_groups_controller.rb
@@ -2,6 +2,7 @@
 def create
 @project_group = ProjectGroup.new(params[:project_group])
+ authorize @project_group
 access_level = params[:project_group][:access_level].to_i
 if access_level >= 3 then
 @project_group.project_administrator = true
@@ -30,15 +31,12 @@
 end
 flash[:notice] = message
 format.html { redirect_to :controller => 'projects', :action => 'share', :id => @project_group.project.slug }
- format.json { render json: @project_group, status: :created, location: @project_group }
 else
 format.html { render action: "new" }
- format.json { render json: @project_group.errors, status: :unprocessable_entity }
 end
 else
 flash[:notice] = I18n.t('helpers.project.enter_email')
 format.html { redirect_to :controller => 'projects', :action => 'share', :id => @project_group.project.slug }
- format.json { render json: @project_group, status: :created, location: @project_group }
 end
 end
 else
@@ -49,6 +47,7 @@
 def update
 @project_group = ProjectGroup.find(params[:id])
+ authorize @project_group
 access_level = params[:project_group][:access_level].to_i
 if access_level >= 3 then
 @project_group.project_administrator = true
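Review bot: `edit`, the only PlansController action visible in this hunk, never calls `authorize`, and the diff adds no PlanPolicy, so with the new `after_action :verify_authorized` every action that forgets to authorize runs to completion (the `Plan.find` and whatever follows it) and only then raises `Pundit::AuthorizationNotPerformedError` — `verify_authorized` is a development safety net, not an access check, and cannot stop the action body. Add `authorize @plan` right after `@plan = Plan.find(params[:id])` (backed by a PlanPolicy in the style of the ProjectGroupPolicy this commit introduces), and in the same change retire the stale CanCan-era comment, replacing the two `#Uncomment`/`#load_and_authorize_resource` lines with `# Pundit: every action must call authorize; verify_authorized raises after the action if one forgot`. `edit` continues outside the hunk.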
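Review bot: `authorize @project_group` is evaluated on a record mass-assigned from `params[:project_group]`, so `@project_group.project`, which `ProjectGroupPolicy#create?` dereferences, is whatever `project_id` the caller chose — and nil when that value is absent or unknown, in which case the policy raises NoMethodError and the request ends in a 500 instead of a denial. Authorizing against the caller-chosen project is the right subject, but the nil case should be refused explicitly, e.g. `raise Pundit::NotAuthorizedError unless @project_group.project` immediately before the `authorize` line (or the same guard inside the policy). `create` continues outside the hunk.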
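Review bot: `authorize @project_group` checks `update?` against the project the record belongs to when it is loaded, but nothing re-checks after the request's attributes are applied; if the save later in `update` (outside this hunk) mass-assigns `params[:project_group]` the way `create` does with `ProjectGroup.new`, a caller who administers one project could re-parent the group into another by sending `project_id`, and the already-passed authorization would not notice. Confirm that `project_id` is not assignable on the update path, or assign the attributes first and call `authorize @project_group` after them but before the save. `update` continues outside the hunk.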
@@ -66,10 +65,8 @@
 flash[:notice] = I18n.t('helpers.project.sharing_updated')
 UserMailer.permissions_change_notification(@project_group).deliver
 format.html { redirect_to :controller => 'projects', :action => 'share', :id => @project_group.project.slug }
- format.json { head :no_content }
 else
 format.html { render action: "edit" }
- format.json { render json: @project_group.errors, status: :unprocessable_entity }
 end
 end
 else
@@ -79,6 +76,7 @@
 def destroy
 @project_group = ProjectGroup.find(params[:id])
+ authorize @project_group
 if (user_signed_in?) && @project_group.project.administerable_by(current_user.id) then
 user = @project_group.user
 project = @project_group.project
@@ -87,7 +85,6 @@
 flash[:notice] = I18n.t('helpers.project.access_removed')
 UserMailer.project_access_removed_notification(user, project).deliver
 format.html { redirect_to :controller => 'projects', :action => 'share', :id => @project_group.project.slug }
- format.json { head :no_content }
 end
 else
 render(:file => File.join(Rails.root, 'public/403.html'), :status => 403, :layout => false)
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index ddf4bda..3775a12 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -1,5 +1,6 @@
 class ProjectsController < ApplicationController
 before_filter :get_plan_list_columns, only: %i( index )
+ after_action :verify_authorized
 # GET /projects
 # GET /projects.json
diff --git a/app/policies/project_group_policy.rb b/app/policies/project_group_policy.rb
new file mode 100644
index 0000000..595687e
--- /dev/null
+++ b/app/policies/project_group_policy.rb
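Review bot: `authorize @project_group` and the pre-existing `if (user_signed_in?) && @project_group.project.administerable_by(current_user.id)` enforce the same rule twice with different failure modes: the policy (whose initializer also raises on a nil user) raises `Pundit::NotAuthorizedError` before the `if` is reached, so the `else` branch that renders `public/403.html` with status 403 is now dead, and unless ApplicationController has a `rescue_from Pundit::NotAuthorizedError` (not part of this diff) an unauthorized request turns into a 500 where it used to be a 403. Keep a single path: remove the inline condition and add `rescue_from Pundit::NotAuthorizedError, with: :render_forbidden` in ApplicationController with a helper that renders the same 403 file, or leave the inline check in place and drop the `authorize` call here. `destroy` continues outside the hunk.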
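Review bot: `after_action :verify_authorized` is added to ProjectsController, yet the diff adds no ProjectPolicy and shows no action in this controller calling `authorize`; unless both already exist, every action — including `index`, the one the `before_filter` targets — will execute fully and then raise `Pundit::AuthorizationNotPerformedError`. Add the `authorize` calls in the same change (for `index`, `policy_scope(Project)` with `verify_policy_scoped` is the Pundit idiom), or restrict the verification with `except:` to actions that are meant to be public. On style, `before_filter` and `after_action` are the old and new spellings of one callback API; now that `after_action` is in use, the existing line should read `before_action :get_plan_list_columns, only: %i( index )`. The class body continues outside the hunk.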
@@ -0,0 +1,22 @@
+class ProjectGroupPolicy < ApplicationPolicy
+ attr_reader :user
+ attr_reader :project_group
+
+ def initialize(user, project_group)
+ raise Pundit::NotAuthorizedError, "must be logged in" unless user
+ @user = user
+ @project_group = project_group
+ end
+
+ def create?
+ @project_group.project.administerable_by(@user.id)
+ end
+
+ def update?
+ @project_group.project.administerable_by(@user.id)
+ end
+
+ def destroy?
+ @project_group.project.administerable_by(@user.id)
+ end
+end
\ No newline at end of file
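Review bot: `create?`, `update?` and `destroy?` all dereference `@project_group.project` without a nil check, so a ProjectGroup built without a valid `project_id` (the `create` action builds it straight from `params[:project_group]`) makes the policy raise NoMethodError and the request fail with a 500 instead of being denied. The three identical bodies should share one private predicate that treats a missing project as a denial, as sketched below. Separately, the overriding `initialize` stores the record as `@project_group` rather than the `@record`/`record` that ApplicationPolicy conventionally exposes; if the parent (not in this diff) defines anything in terms of `record` — a `Scope`, a default `show?`, `permitted_attributes` — those methods will see nil here, so consider `super(user, project_group)` plus `alias project_group record`, and add the missing trailing newline.
```ruby
class ProjectGroupPolicy < ApplicationPolicy
  # … unchanged: attr_readers and initialize …

  def create?
    project_administrator?
  end

  def update?
    project_administrator?
  end

  def destroy?
    project_administrator?
  end

  private

  # Only administrators of the group's project may manage its membership.
  # A record with no (or an unknown) project is denied rather than raising.
  def project_administrator?
    project = @project_group.project
    !project.nil? && project.administerable_by(@user.id)
  end
end
```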