pundit: add initial application policy.

2020-03-15 13:48:34 -05:00
parent 15ba2f6cd7
commit 1d16034144
4 changed files with 83 additions and 1 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,4 +1,6 @@
 class ApplicationController < ActionController::Base
+  include Pundit
+
  class ApiLimitError < StandardError; end

  self.responder = ApplicationResponder
@@ -92,7 +94,7 @@ class ApplicationController < ActionController::Base
      render_error_page(401, exception, template: "sessions/new")
    when ActionController::InvalidAuthenticityToken, ActionController::UnpermittedParameters, ActionController::InvalidCrossOriginRequest
      render_error_page(403, exception)
-    when User::PrivilegeError
+    when User::PrivilegeError, Pundit::NotAuthorizedError
      render_error_page(403, exception, template: "static/access_denied", message: "Access denied")
    when ActiveRecord::RecordNotFound
      render_error_page(404, exception, message: "That record was not found.")
@@ -174,6 +176,14 @@ class ApplicationController < ActionController::Base
    end
  end

+  def pundit_user
+    [CurrentUser.user, request]
+  end
+
+  def pundit_params_for(record)
+    params.fetch(PolicyFinder.new(record).param_key, {})
+  end
+
  # Remove blank `search` params from the url.
  #
  # /tags?search[name]=touhou&search[category]=&search[order]=
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
@@ -0,0 +1,68 @@
+class ApplicationPolicy
+  attr_reader :user, :request, :record
+
+  def initialize(context, record)
+    @user, @request = context
+    @record = record
+  end
+
+  def index?
+    true
+  end
+
+  def show?
+    index?
+  end
+
+  def search?
+    index?
+  end
+
+  def new?
+    create?
+  end
+
+  def create?
+    unbanned?
+  end
+
+  def edit?
+    update?
+  end
+
+  def update?
+    unbanned?
+  end
+
+  def destroy?
+    update?
+  end
+
+  def unbanned?
+    user.is_member? && !user.is_banned?
+  end
+
+  def policy(object)
+    Pundit.policy!([user, request], object)
+  end
+
+  def permitted_attributes
+    []
+  end
+
+  def permitted_attributes_for_create
+    permitted_attributes
+  end
+
+  def permitted_attributes_for_update
+    permitted_attributes
+  end
+
+  def permitted_attributes_for_new
+    permitted_attributes_for_create
+  end
+
+  def permitted_attributes_for_edit
+    permitted_attributes_for_update
+  end
+end