Adding Pundit to the application to centralize role-based authorization into /app/policies folder.

rylanb · rylanb · commit fd27b878bb88 · 2016-07-08T11:19:29.000-06:00
Updating binstubs with new version of spring and so pundit works.
diff --git a/Gemfile b/Gemfile
@@ -29,6 +29,7 @@ gem 'draper'
 gem 'simple_form', '3.1.1'
 gem 'zeroclipboard-rails'
 gem 'responders', '~> 2.0'
+gem 'pundit'
 
 group :production do
   gem 'rails_12factor'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -230,6 +230,8 @@ GEM
       interception (>= 0.5)
       pry
     puma (2.15.3)
+    pundit (1.1.0)
+      activesupport (>= 3.0.0)
     quiet_assets (1.1.0)
       railties (>= 3.1, < 5.0)
     rack (1.6.4)
@@ -311,7 +313,7 @@ GEM
       actionpack (~> 4.0)
       activemodel (~> 4.0)
     slop (3.6.0)
-    spring (1.6.2)
+    spring (1.7.2)
     spring-commands-rspec (1.0.4)
       spring (>= 0.9.1)
     sprockets (3.6.1)
@@ -381,6 +383,7 @@ DEPENDENCIES
   pry-remote
   pry-rescue
   puma (~> 2.13)
+  pundit
   quiet_assets
   rack-mini-profiler
   rack-timeout (~> 0.2.4)
@@ -399,5 +402,8 @@ DEPENDENCIES
   web-console (~> 2.0)
   zeroclipboard-rails
 
+RUBY VERSION
+   ruby 2.3.0p0
+
 BUNDLED WITH
-   1.11.2
+   1.12.5
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,4 +1,7 @@
 class ApplicationController < ActionController::Base
+  include Pundit
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
   require "csv"
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
@@ -60,6 +63,11 @@ def require_proposal
     @proposal = @event.proposals.find_by!(uuid: params[:proposal_uuid] || params[:uuid])
   end
 
+  def user_not_authorized
+    flash[:alert] = "You are not authorized to perform this action."
+    redirect_to(request.referrer || root_path)
+  end
+
   def event_params
     params.require(:event).permit(
         :name, :contact_email, :slug, :url, :valid_proposal_tags,
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
@@ -0,0 +1,9 @@
+class ApplicationPolicy
+
+  def initialize(user, record)
+    raise Pundit::NotAuthorizedError, "must be logged in" unless user
+    @user   = user
+    @record = record
+  end
+
+end
diff --git a/app/policies/event_policy.rb b/app/policies/event_policy.rb
@@ -0,0 +1,71 @@
+class EventPolicy
+  attr_reader :current_user, :model
+
+  def initialize(current_user, model)
+    @current_user = current_user
+    @event = model
+  end
+
+  def index?
+    @current_user.admin? || @current_user.organizer_for_event?(@event)
+  end
+
+  def show?
+    @current_user.admin? || @current_user.organizer_for_event?(@event)
+  end
+
+  def update?
+    @current_user.admin? || @current_user.organizer_for_event?(@event)
+  end
+
+  def destroy?
+    @current_user.admin? || @current_user.organizer_for_event?(@event)
+  end
+
+end
+
+
+  # def index?
+  #   false
+  # end
+
+  # def show?
+  #   scope.where(:id => record.id).exists?
+  # end
+
+  # def create?
+  #   false
+  # end
+
+  # def new?
+  #   create?
+  # end
+
+  # def update?
+  #   false
+  # end
+
+  # def edit?
+  #   update?
+  # end
+
+  # def destroy?
+  #   false
+  # end
+
+  # def scope
+  #   Pundit.policy_scope!(user, record.class)
+  # end
+
+  # class Scope
+  #   attr_reader :user, :scope
+
+  #   def initialize(user, scope)
+  #     @user = user
+  #     @scope = scope
+  #   end
+
+  #   def resolve
+  #     scope
+  #   end
+  # end
diff --git a/app/views/admin/events/_form.html.haml b/app/views/admin/events/_form.html.haml
@@ -36,4 +36,4 @@
   - if event && event.persisted? && current_user.admin?
     = link_to 'Delete Event', admin_event_path(event), method: :delete, data: { confirm: 'Are you sure you want to delete this event?' }, class: 'btn btn-danger pull-left'
 
-  =submit_tag("Save", class: "pull-right btn btn-success", type: "submit", disabled: !current_user.organizer_for_event?(f.object))
+  =submit_tag("Save", class: "pull-right btn btn-success", type: "submit", disabled: !policy(@event).update?)
diff --git a/app/views/admin/events/_tags_form.html.haml b/app/views/admin/events/_tags_form.html.haml
@@ -10,4 +10,4 @@
       = f.input :valid_review_tags, placeholder: 'Separate multiple tags with commas'
       //= f.text_field :valid_review_tags, class: 'form-control'
       %p.help-block This is a comma separated list of tags allowed for use during proposal reviews. These limits apply to tags used internally by reviewers and not to publicly displayed tags.
-      =submit_tag("Save Tags", class: "pull-right btn btn-success", type: "submit", disabled: !current_user.organizer_for_event?(f.object))
+      =submit_tag("Save Tags", class: "pull-right btn btn-success", type: "submit", disabled: !policy(@event).update?)
diff --git a/bin/rails b/bin/rails
@@ -1,4 +1,9 @@
 #!/usr/bin/env ruby
+begin
+  load File.expand_path('../spring', __FILE__)
+rescue LoadError => e
+  raise unless e.message.include?('spring')
+end
 APP_PATH = File.expand_path('../../config/application', __FILE__)
 require_relative '../config/boot'
 require 'rails/commands'
diff --git a/bin/rake b/bin/rake
@@ -1,4 +1,9 @@
 #!/usr/bin/env ruby
+begin
+  load File.expand_path('../spring', __FILE__)
+rescue LoadError => e
+  raise unless e.message.include?('spring')
+end
 require_relative '../config/boot'
 require 'rake'
 Rake.application.run
diff --git a/bin/rspec b/bin/rspec
@@ -1,7 +1,8 @@
 #!/usr/bin/env ruby
 begin
-  load File.expand_path("../spring", __FILE__)
-rescue LoadError
+  load File.expand_path('../spring', __FILE__)
+rescue LoadError => e
+  raise unless e.message.include?('spring')
 end
 require 'bundler/setup'
 load Gem.bin_path('rspec', 'rspec')
diff --git a/bin/spring b/bin/spring
@@ -4,12 +4,12 @@
 # It gets overwritten when you run the `spring binstub` command.
 
 unless defined?(Spring)
-  require "rubygems"
-  require "bundler"
+  require 'rubygems'
+  require 'bundler'
 
-  if match = Bundler.default_lockfile.read.match(/^GEM$.*?^    (?:  )*spring \((.*?)\)$.*?^$/m)
-    Gem.paths = { "GEM_PATH" => [Bundler.bundle_path.to_s, *Gem.path].uniq }
-    gem "spring", match[1]
-    require "spring/binstub"
+  if (match = Bundler.default_lockfile.read.match(/^GEM$.*?^    (?:  )*spring \((.*?)\)$.*?^$/m))
+    Gem.paths = { 'GEM_PATH' => [Bundler.bundle_path.to_s, *Gem.path].uniq.join(Gem.path_separator) }
+    gem 'spring', match[1]
+    require 'spring/binstub'
   end
 end
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
@@ -4,6 +4,7 @@
 require File.expand_path("../../config/environment", __FILE__)
 require 'rspec/rails'
 require 'capybara/rspec'
+require 'pundit/rspec'
 
 # Requires supporting ruby files with custom matchers and macros, etc, in
 # spec/support/ and its subdirectories. Files matching `spec/**/*_spec.rb` are
