diff --git a/app/controllers/news_updates_controller.rb b/app/controllers/news_updates_controller.rb
index 8616bb0d3..1be5c1840 100644
--- a/app/controllers/news_updates_controller.rb
+++ b/app/controllers/news_updates_controller.rb
@@ -1,44 +1,39 @@
 class NewsUpdatesController < ApplicationController
-  before_action :admin_only
   respond_to :html
 
   def index
+    authorize NewsUpdate
     @news_updates = NewsUpdate.order("id desc").paginate(params[:page], :limit => params[:limit])
     respond_with(@news_updates)
   end
 
   def edit
-    @news_update = NewsUpdate.find(params[:id])
+    @news_update = authorize NewsUpdate.find(params[:id])
     respond_with(@news_update)
   end
 
   def update
-    @news_update = NewsUpdate.find(params[:id])
-    @news_update.update(news_update_params)
+    @news_update = authorize NewsUpdate.find(params[:id])
+    @news_update.update(permitted_attributes(@news_update))
     respond_with(@news_update, :location => news_updates_path)
   end
 
   def new
-    @news_update = NewsUpdate.new
+    @news_update = authorize NewsUpdate.new
     respond_with(@news_update)
   end
 
   def create
-    @news_update = NewsUpdate.create(news_update_params.merge(creator: CurrentUser.user))
+    @news_update = authorize NewsUpdate.new(creator: CurrentUser.user, **permitted_attributes(NewsUpdate))
+    @news_update.save
     respond_with(@news_update, :location => news_updates_path)
   end
 
   def destroy
-    @news_update = NewsUpdate.find(params[:id])
+    @news_update = authorize NewsUpdate.find(params[:id])
     @news_update.destroy
     respond_with(@news_update) do |format|
       format.js
     end
   end
-
-  private
-
-  def news_update_params
-    params.require(:news_update).permit([:message])
-  end
 end
diff --git a/app/policies/news_update_policy.rb b/app/policies/news_update_policy.rb
new file mode 100644
index 000000000..de059be33
--- /dev/null
+++ b/app/policies/news_update_policy.rb
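Review bot: With `before_action :admin_only` removed, every action in this controller is protected only by its own `authorize` call, so a future action added without one is silently open to any logged-in user. Unless `ApplicationController` (not shown here) already does so, add `after_action :verify_authorized` next to `respond_to :html` so Pundit raises when an action completes without authorizing. The `**permitted_attributes(NewsUpdate)` splat in `create` relies on the permitted `ActionController::Parameters` converting via `to_hash`; that works for permitted params, but the plainer `NewsUpdate.new(permitted_attributes(NewsUpdate).merge(creator: CurrentUser.user))` avoids depending on keyword-splat behavior across Ruby/Rails versions and matches the `update` action's style.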
@@ -0,0 +1,17 @@
+class NewsUpdatePolicy < ApplicationPolicy
+  def index?
+    user.is_admin?
+  end
+
+  def create?
+    user.is_admin?
+  end
+
+  def update?
+    user.is_admin?
+  end
+
+  def permitted_attributes
+    [:message]
+  end
+end
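Review bot: The policy defines `index?`, `create?` and `update?` but the controller also calls `authorize` from `edit`, `new` and `destroy`, so `edit?`, `new?` and `destroy?` are resolved by `ApplicationPolicy`, which is not in this diff; if its defaults follow the Pundit template, `destroy?` returns false and admins lose the ability to delete news updates, and if they are permissive the guard is weaker than the old `admin_only` filter. Make the contract explicit in this file rather than inherited: add `def destroy?` returning `user.is_admin?` in the same three-line form as the other predicates, and either define `edit?`/`new?` the same way or confirm `ApplicationPolicy` delegates them to `update?`/`create?`. A one-line comment above the class, `# Only admins may list, create, edit or delete news updates.`, would document the intended rule for the next reader.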