| author | Xinhui | 2016-10-07 15:57:34 +0200 |
|---|---|---|
| committer | Xinhui | 2016-10-07 15:57:38 +0200 |
| commit | 8bf58bfada05c61dbd773b74e9e6d91f01d3aae1 (patch) | |
| tree | 78bf4c81874ae161d6d6702be3d311a7c88cd5ca | |
| parent | 58c529ecfb27e6f3aea1cf5909dfd86ae1a1c6a9 (diff) | |
| download | chouette-core-8bf58bfada05c61dbd773b74e9e6d91f01d3aae1.tar.bz2 | |
Policy Chouette::StopArea
Refs #1780
| -rw-r--r-- | Gemfile | 3 | ||||
| -rw-r--r-- | Gemfile.lock | 3 | ||||
| -rw-r--r-- | app/controllers/application_controller.rb | 8 | ||||
| -rw-r--r-- | app/controllers/stop_areas_controller.rb | 9 | ||||
| -rw-r--r-- | app/policies/application_policy.rb | 53 | ||||
| -rw-r--r-- | app/policies/stop_area_policy.rb | 15 | ||||
| -rw-r--r-- | app/views/stop_areas/_stop_area.html.slim | 10 | ||||
| -rw-r--r-- | app/views/stop_areas/index.html.slim | 9 | ||||
| -rw-r--r-- | app/views/stop_areas/show.html.slim | 9 | ||||
| -rw-r--r-- | public/403.html | 65 | ||||
| -rw-r--r-- | spec/policies/stop_area_policy_spec.rb | 4 |
11 files changed, 177 insertions, 11 deletions
@@ -59,6 +59,9 @@ gem 'devise_cas_authenticatable' gem 'devise-encryptable' gem 'devise_invitable' +# Authorization +gem 'pundit' + # Map, Geolocalization gem 'map_layers', '0.0.4' gem 'rgeo', '~> 0.5.2' diff --git a/Gemfile.lock b/Gemfile.lock index 3be6ce7d3..f3caa6c16 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -325,6 +325,8 @@ GEM spoon (~> 0.0) pry-rails (0.3.4) pry (>= 0.9.10) + pundit (1.1.0) + activesupport (>= 3.0.0) quiet_assets (1.1.0) railties (>= 3.1, < 5.0) rabl (0.11.6) @@ -612,6 +614,7 @@ DEPENDENCIES poltergeist polylines pry-rails + pundit quiet_assets (~> 1.0) rabl rails (~> 4.1.10) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index fa3874632..c2414f5bb 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,9 +1,13 @@ class ApplicationController < ActionController::Base + include Pundit + rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized + # TODO : Delete hack to authorize Cross Request for js and json get request from javascript protect_from_forgery unless: -> { request.get? && (request.format.json? || request.format.js?) } before_action :authenticate_user! before_action :set_locale + # Load helpers in rails engine helper LanguageEngine::Engine.helpers @@ -13,6 +17,10 @@ class ApplicationController < ActionController::Base protected + def user_not_authorized + render :file => "#{Rails.root}/public/403.html", :status => :forbidden, :layout => false + end + def current_organisation current_user.organisation if current_user end diff --git a/app/controllers/stop_areas_controller.rb b/app/controllers/stop_areas_controller.rb index b37709e84..90820d932 100644 --- a/app/controllers/stop_areas_controller.rb +++ b/app/controllers/stop_areas_controller.rb 
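Review bot: `rescue_from Pundit::NotAuthorizedError` only turns an explicit `authorize` failure into a 403; nothing in this base controller checks that an action called `authorize` at all, so any action that omits it (StopAreasController#index and #show in this same commit, for instance) is still served to every signed-in user. Pundit ships `verify_authorized` for exactly this; adding `after_action :verify_authorized, except: :index` and `after_action :verify_policy_scoped, only: :index` next to the `include Pundit` line turns a forgotten check into a failure in development and test rather than a silent gap, although since this is the base of every controller it may be safer to start on StopAreasController until the other controllers have policies. The `user_not_authorized` handler also renders the HTML page for every request format, so a js/json caller receives HTML with a 403; if that is intended, a one-line comment saying so on the method avoids a later "fix", otherwise a `head :forbidden` branch for non-HTML formats is a few lines. The class body continues outside both hunks.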
@@ -63,6 +63,7 @@ class StopAreasController < BreadcrumbController end def new + authorize Chouette::StopArea @map = StopAreaMap.new( Chouette::StopArea.new).with_helpers(self) @map.editable = true new! do @@ -71,6 +72,7 @@ class StopAreasController < BreadcrumbController end def create + authorize Chouette::StopArea @map = StopAreaMap.new( Chouette::StopArea.new).with_helpers(self) @map.editable = true @@ -92,6 +94,7 @@ class StopAreasController < BreadcrumbController end def edit + authorize stop_area edit! do stop_area.position ||= stop_area.default_position map.editable = true @@ -99,7 +102,13 @@ class StopAreasController < BreadcrumbController end end + def destroy + authorize stop_area + super + end + def update + authorize stop_area stop_area.position ||= stop_area.default_position map.editable = true diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb new file mode 100644 index 000000000..2a0bbc521 --- /dev/null +++ b/app/policies/application_policy.rb @@ -0,0 +1,53 @@ +class ApplicationPolicy + attr_reader :user, :record + + def initialize(user, record) + @user = user + @record = record + end + + def index? + false + end + + def show? + scope.where(:id => record.id).exists? + end + + def create? + false + end + + def new? + create? + end + + def update? + false + end + + def edit? + update? + end + + def destroy? + false + end + + def scope + Pundit.policy_scope!(user, record.class) + end + + class Scope + attr_reader :user, :scope + + def initialize(user, scope) + @user = user + @scope = scope + end + + def resolve + scope + end + end +end diff --git a/app/policies/stop_area_policy.rb b/app/policies/stop_area_policy.rb new file mode 100644 index 000000000..4fa426ff6 --- /dev/null +++ b/app/policies/stop_area_policy.rb 
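Review bot: `authorize` is added to new, create, edit, update and destroy, but `index` and `show` of the same controller receive no `authorize` or `policy_scope` call, so ApplicationPolicy#index? and #show? are never consulted and reading any stop area stays open to every signed-in user. If read access is intentionally unrestricted, a comment on the controller saying so (`# Read actions are deliberately not authorized: any signed-in user may list and view stop areas`) keeps the next reader from assuming an oversight; otherwise `authorize stop_area` in `show` and `policy_scope(Chouette::StopArea)` in `index` complete the coverage. The `destroy` override authorizing before `super` is the right order, and `edit`/`update` authorize the record returned by `stop_area`; how that helper loads the record (and whether it is limited to the current referential) is outside the hunk and worth confirming, since the policy itself never looks at the referential. The `update` body and the rest of the controller continue outside the hunks.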
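Review bot: `show?` is only as strict as `Scope#resolve`, and the base `resolve` returns `scope` unmodified, so with a subclass that does not narrow it (StopAreaPolicy in this commit) `show?` reduces to "the record exists" while reading like an access check. Either make the base scope deny by default, `scope.none`, so each policy has to opt records in, or state the contract in a comment above `show?`: `# Delegates to Scope#resolve: a policy whose scope is not restricted makes every record visible`. `show?` also calls `record.id`, so a class-level `authorize Chouette::StopArea` (the form used for new/create) would raise NoMethodError if it ever reached `show?`; a guard such as `return false unless record.respond_to?(:id)` is cheap. A header comment noting that this is the stock Pundit template and that every predicate defaults to deny would help reviewers of the policies that follow.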
@@ -0,0 +1,15 @@ +class StopAreaPolicy < ApplicationPolicy + class Scope < Scope + def resolve + scope + end + end + + def create? + false + end + def update? ; create? end + def new? ; create? end + def edit? ; create? end + def destroy? ; create? end +end diff --git a/app/views/stop_areas/_stop_area.html.slim b/app/views/stop_areas/_stop_area.html.slim index 15f9e4452..39cb09660 100644 --- a/app/views/stop_areas/_stop_area.html.slim +++ b/app/views/stop_areas/_stop_area.html.slim @@ -2,11 +2,13 @@ .panel-heading .panel-title.clearfix span.pull-right - = link_to edit_stop_area_referential_stop_area_path(@stop_area_referential, stop_area), class: 'btn btn-default btn-sm' do - span.fa.fa-pencil + - if policy(stop_area).update? + = link_to edit_stop_area_referential_stop_area_path(@stop_area_referential, stop_area), class: 'btn btn-default btn-sm' do + span.fa.fa-pencil - = link_to stop_area_referential_stop_area_path(@stop_area_referential, stop_area), method: :delete, :data => { :confirm => t('stop_areas.actions.destroy_confirm') }, class: 'btn btn-danger btn-sm' do - span.fa.fa-trash-o + - if policy(stop_area).destroy? + = link_to stop_area_referential_stop_area_path(@stop_area_referential, stop_area), method: :delete, :data => { :confirm => t('stop_areas.actions.destroy_confirm') }, class: 'btn btn-danger btn-sm' do + span.fa.fa-trash-o h5 = link_to([@stop_area_referential, stop_area], class: 'preview', :title => t("area_types.label.#{stop_area.stop_area_type}") + " #{stop_area.name}") do diff --git a/app/views/stop_areas/index.html.slim b/app/views/stop_areas/index.html.slim index 6a01bdcb3..b6328c6f9 100644 --- a/app/views/stop_areas/index.html.slim +++ b/app/views/stop_areas/index.html.slim @@ -8,7 +8,7 @@ .panel-heading .input-group.col-md-9 = f.text_field :name_cont, placeholder: "#{t('.name')}", class: 'form-control' - + .input-group-btn button.btn.btn-default type="submit" i.fa.fa-search 
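Review bot: `create?` returns `false` unconditionally and the four other predicates delegate to it, so no user at all can create, edit or destroy a stop area through this policy and `user` is never read. If a deny-all first step is the intent, say so where the next maintainer will look (`# Deny-all placeholder: write access is to be granted per organisation in a later change, refs #1780`); otherwise the predicate needs a real condition on `user`. The nested `class Scope < Scope` redefines `resolve` identically to the parent and can be dropped. Style: `def update? ; create? end` and the three one-liners after it are normally written on three lines each; `alias_method` would also work but binds to `create?` as defined here and would not follow an override in a subclass.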
@@ -27,6 +27,7 @@ - content_for :sidebar do ul.actions - li = link_to t('stop_areas.actions.new'), new_stop_area_referential_stop_area_path(@stop_area_referential), class: 'add' - li - / = link_to t('stop_areas.actions.default_geometry'), default_geometry_referential_stop_areas_path(@stop_area_referential), :method => :put, :class => "calculator"
\ No newline at end of file + - if policy(Chouette::StopArea).create? + li = link_to t('stop_areas.actions.new'), new_stop_area_referential_stop_area_path(@stop_area_referential), class: 'add' + + / = link_to t('stop_areas.actions.default_geometry'), default_geometry_referential_stop_areas_path(@stop_area_referential), :method => :put, :class => "calculator" diff --git a/app/views/stop_areas/show.html.slim b/app/views/stop_areas/show.html.slim index c9d0b67a3..50e535cb5 100644 --- a/app/views/stop_areas/show.html.slim +++ b/app/views/stop_areas/show.html.slim @@ -123,9 +123,12 @@ p.after_map tr td ul.actions - li = link_to t('stop_areas.actions.new'), new_stop_area_referential_stop_area_path(@stop_area_referential), class: 'add' - li = link_to t('stop_areas.actions.edit'), edit_stop_area_referential_stop_area_path(@stop_area_referential, @stop_area), class: 'edit' - li = link_to t('stop_areas.actions.destroy'), stop_area_referential_stop_area_path(@stop_area_referential, @stop_area), method: :delete, :data => {:confirm => t('stop_areas.actions.destroy_confirm')}, class: 'remove' + - if policy(Chouette::StopArea).new? + li = link_to t('stop_areas.actions.new'), new_stop_area_referential_stop_area_path(@stop_area_referential), class: 'add' + - if policy(@stop_area).update? + li = link_to t('stop_areas.actions.edit'), edit_stop_area_referential_stop_area_path(@stop_area_referential, @stop_area), class: 'edit' + - if policy(@stop_area).destroy? + li = link_to t('stop_areas.actions.destroy'), stop_area_referential_stop_area_path(@stop_area_referential, @stop_area), method: :delete, :data => {:confirm => t('stop_areas.actions.destroy_confirm')}, class: 'remove' - if manage_itl #Fixme diff --git a/public/403.html b/public/403.html new file mode 100644 index 000000000..34d6e6bad --- /dev/null +++ b/public/403.html 
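Review bot: The "new" link is gated with `policy(Chouette::StopArea).create?` here, while show.html.slim gates the same link with `policy(Chouette::StopArea).new?` and StopAreasController#new authorizes with `new?` (Pundit derives the query name from the action). The three only agree because StopAreaPolicy defines `new?` as `create?`; using `- if policy(Chouette::StopArea).new?` in this view as well keeps the check aligned with the action it links to. Hiding the link is a usability measure, not enforcement; the controller-side `authorize` added in this commit remains the real gate. The enclosing `content_for :sidebar` block begins before the hunk.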
@@ -0,0 +1,65 @@ +<!DOCTYPE html> +<html> +<head> + <title>The page you were looking is forbidden (403)</title> + <meta name="viewport" content="width=device-width,initial-scale=1"> + <style> + body { + background-color: #EFEFEF; + color: #2E2F30; + text-align: center; + font-family: arial, sans-serif; + margin: 0; + } + + div.dialog { + width: 95%; + max-width: 33em; + margin: 4em auto 0; + } + + div.dialog > div { + border: 1px solid #CCC; + border-right-color: #999; + border-left-color: #999; + border-bottom-color: #BBB; + border-top: #B00100 solid 4px; + border-top-left-radius: 9px; + border-top-right-radius: 9px; + background-color: white; + padding: 7px 12% 0; + box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17); + } + + h1 { + font-size: 100%; + color: #730E15; + line-height: 1.5em; + } + + div.dialog > p { + margin: 0 0 1em; + padding: 1em; + background-color: #F7F7F7; + border: 1px solid #CCC; + border-right-color: #999; + border-left-color: #999; + border-bottom-color: #999; + border-bottom-left-radius: 4px; + border-bottom-right-radius: 4px; + border-top-color: #DADADA; + color: #666; + box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17); + } + </style> +</head> + +<body> + <!-- This file lives in public/403.html --> + <div class="dialog"> + <div> + <h1>The page you were looking is forbidden.</h1> + </div> + </div> +</body> +</html> diff --git a/spec/policies/stop_area_policy_spec.rb b/spec/policies/stop_area_policy_spec.rb new file mode 100644 index 000000000..a03c87460 --- /dev/null +++ b/spec/policies/stop_area_policy_spec.rb @@ -0,0 +1,4 @@ +require 'rails_helper' + +RSpec.describe StopAreaPolicy do +end |
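Review bot: The `<title>` and `<h1>` read "The page you were looking is forbidden", which is missing the word "for"; `The page you were looking for is forbidden (403)` follows the wording of the default Rails error pages this file is styled after. Nothing else in the page needs changing, as the markup is static and carries no request-derived content.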
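Review bot: The new spec declares `RSpec.describe StopAreaPolicy` with no examples, so the deny-all behaviour of the policy is not pinned and a later change that loosens `create?` would pass the suite unnoticed. Even a single example such as `it { expect(described_class.new(nil, Chouette::StopArea).create?).to be false }` covers the current contract, and a `pending` example would at least record that the policy tests are still to be written.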
