-rw-r--r--Gemfile3
-rw-r--r--Gemfile.lock3
-rw-r--r--app/controllers/application_controller.rb8
-rw-r--r--app/controllers/stop_areas_controller.rb9
-rw-r--r--app/policies/application_policy.rb53
-rw-r--r--app/policies/stop_area_policy.rb15
-rw-r--r--app/views/stop_areas/_stop_area.html.slim10
-rw-r--r--app/views/stop_areas/index.html.slim9
-rw-r--r--app/views/stop_areas/show.html.slim9
-rw-r--r--public/403.html65
-rw-r--r--spec/policies/stop_area_policy_spec.rb4
11 files changed, 177 insertions, 11 deletions
diff --git a/Gemfile b/Gemfile
index 64f7b2aff..7daf1b77e 100644
--- a/Gemfile
+++ b/Gemfile
@@ -59,6 +59,9 @@ gem 'devise_cas_authenticatable'
gem 'devise-encryptable'
gem 'devise_invitable'
+# Authorization
+gem 'pundit'
+
# Map, Geolocalization
gem 'map_layers', '0.0.4'
gem 'rgeo', '~> 0.5.2'
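Review bot: The new `gem 'pundit'` line carries no version constraint, unlike its neighbours (`gem 'rgeo', '~> 0.5.2'`, `gem 'map_layers', '0.0.4'`), so a future `bundle update` can jump a major version of the authorization library unnoticed. Since Gemfile.lock resolves it to 1.1.0, pinning the Gemfile to the same series, `gem 'pundit', '~> 1.1'`, keeps the policy API stable without changing what is installed today.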
diff --git a/Gemfile.lock b/Gemfile.lock
index 3be6ce7d3..f3caa6c16 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -325,6 +325,8 @@ GEM
spoon (~> 0.0)
pry-rails (0.3.4)
pry (>= 0.9.10)
+ pundit (1.1.0)
+ activesupport (>= 3.0.0)
quiet_assets (1.1.0)
railties (>= 3.1, < 5.0)
rabl (0.11.6)
@@ -612,6 +614,7 @@ DEPENDENCIES
poltergeist
polylines
pry-rails
+ pundit
quiet_assets (~> 1.0)
rabl
rails (~> 4.1.10)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index fa3874632..c2414f5bb 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,9 +1,13 @@
class ApplicationController < ActionController::Base
+ include Pundit
+ rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
# TODO : Delete hack to authorize Cross Request for js and json get request from javascript
protect_from_forgery unless: -> { request.get? && (request.format.json? || request.format.js?) }
before_action :authenticate_user!
before_action :set_locale
+
# Load helpers in rails engine
helper LanguageEngine::Engine.helpers
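Review bot: Including Pundit and rescuing `Pundit::NotAuthorizedError` makes authorization opt-in per action, so any action that forgets to call `authorize` fails open rather than closed. Pundit's `verify_authorized` after-action turns that omission into an error; since this commit migrates only StopAreasController, adding `after_action :verify_authorized, except: :index` there (and globally once the other controllers are migrated) would catch the gap. The class body continues outside this hunk, so the hook may belong with the other `before_action` lines shown here.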
@@ -13,6 +17,10 @@ class ApplicationController < ActionController::Base
protected
+ def user_not_authorized
+ render :file => "#{Rails.root}/public/403.html", :status => :forbidden, :layout => false
+ end
+
def current_organisation
current_user.organisation if current_user
end
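Review bot: `user_not_authorized` always renders the static HTML page, but this controller explicitly serves JS and JSON GET requests (the CSRF exemption above), so a denied JSON/JS request would receive an HTML body with a 403 status. A `respond_to` that renders the page for HTML and answers `head :forbidden` for any other format keeps the status correct for API callers, and logging the denial (query, record class, user id) gives operations a trail for failed authorization attempts; I have avoided logging the record itself so its attributes do not end up in logs. Whether `exception.query`/`exception.record` are available depends on the Pundit version (they are in the 1.x series the lockfile resolves to) — confirm before relying on them.
```ruby
  def user_not_authorized(exception)
    Rails.logger.warn "Authorization denied: #{exception.query} on #{exception.record.class} for user #{current_user.try(:id)}"
    respond_to do |format|
      format.html { render :file => "#{Rails.root}/public/403.html", :status => :forbidden, :layout => false }
      format.any  { head :forbidden }
    end
  end
```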
diff --git a/app/controllers/stop_areas_controller.rb b/app/controllers/stop_areas_controller.rb
index b37709e84..90820d932 100644
--- a/app/controllers/stop_areas_controller.rb
+++ b/app/controllers/stop_areas_controller.rb
@@ -63,6 +63,7 @@ class StopAreasController < BreadcrumbController
end
def new
+ authorize Chouette::StopArea
@map = StopAreaMap.new( Chouette::StopArea.new).with_helpers(self)
@map.editable = true
new! do
@@ -71,6 +72,7 @@ class StopAreasController < BreadcrumbController
end
def create
+ authorize Chouette::StopArea
@map = StopAreaMap.new( Chouette::StopArea.new).with_helpers(self)
@map.editable = true
@@ -92,6 +94,7 @@ class StopAreasController < BreadcrumbController
end
def edit
+ authorize stop_area
edit! do
stop_area.position ||= stop_area.default_position
map.editable = true
@@ -99,7 +102,13 @@ class StopAreasController < BreadcrumbController
end
end
+ def destroy
+ authorize stop_area
+ super
+ end
+
def update
+ authorize stop_area
stop_area.position ||= stop_area.default_position
map.editable = true
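Review bot: Only the write actions gain an `authorize` call in this diff (`new`, `create`, `edit`, `update`, `destroy`); `show` and `index` are not touched here, so the `show?`/`index?` predicates defined in ApplicationPolicy are never consulted and `policy_scope` is not applied to the index listing. If read access is meant to stay open that is worth a one-line comment on the controller, otherwise `authorize stop_area` in `show` and `policy_scope(Chouette::StopArea)` in `index` close the gap. In `destroy`, calling `authorize stop_area` before `super` is the right order, but the inherited `destroy` and the `stop_area` helper are defined outside this hunk, and `update`'s body continues past the last line shown.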
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
new file mode 100644
index 000000000..2a0bbc521
--- /dev/null
+++ b/app/policies/application_policy.rb
@@ -0,0 +1,53 @@
+class ApplicationPolicy
+ attr_reader :user, :record
+
+ def initialize(user, record)
+ @user = user
+ @record = record
+ end
+
+ def index?
+ false
+ end
+
+ def show?
+ scope.where(:id => record.id).exists?
+ end
+
+ def create?
+ false
+ end
+
+ def new?
+ create?
+ end
+
+ def update?
+ false
+ end
+
+ def edit?
+ update?
+ end
+
+ def destroy?
+ false
+ end
+
+ def scope
+ Pundit.policy_scope!(user, record.class)
+ end
+
+ class Scope
+ attr_reader :user, :scope
+
+ def initialize(user, scope)
+ @user = user
+ @scope = scope
+ end
+
+ def resolve
+ scope
+ end
+ end
+end
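Review bot: `show?` and `scope` assume `record` is a model instance (`record.id`, `record.class`), while the controller in this same commit authorizes with the class (`authorize Chouette::StopArea`); a future `authorize SomeModel, :show?` would therefore raise NoMethodError (a 500) instead of `Pundit::NotAuthorizedError` (a 403). A guard such as `return false unless record.respond_to?(:id)` at the top of `show?` keeps the failure on the authorization path. The file also deserves a short header comment stating the contract, e.g. `# Base policy: every action is denied unless a subclass opts in; show? is granted only for records visible through the policy scope.`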
diff --git a/app/policies/stop_area_policy.rb b/app/policies/stop_area_policy.rb
new file mode 100644
index 000000000..4fa426ff6
--- /dev/null
+++ b/app/policies/stop_area_policy.rb
@@ -0,0 +1,15 @@
+class StopAreaPolicy < ApplicationPolicy
+ class Scope < Scope
+ def resolve
+ scope
+ end
+ end
+
+ def create?
+ false
+ end
+ def update? ; create? end
+ def new? ; create? end
+ def edit? ; create? end
+ def destroy? ; create? end
+end
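Review bot: `create?` is hard-wired to `false` and never consults `user`, and every other write predicate delegates to it, so after this commit no user — including administrators — can create, edit or delete a stop area through the UI, and the controller now enforces that. If this is a deliberate first step towards per-user permissions it should say so, e.g. `# Stop areas are read-only for now; write predicates will be tied to user roles in a follow-up.` above `create?`. The `Scope#resolve` override returns the unfiltered scope exactly like the parent and can be dropped, and the one-line `def update? ; create? end` forms would read more conventionally as `alias_method :update?, :create?` or the usual multi-line definitions.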
diff --git a/app/views/stop_areas/_stop_area.html.slim b/app/views/stop_areas/_stop_area.html.slim
index 15f9e4452..39cb09660 100644
--- a/app/views/stop_areas/_stop_area.html.slim
+++ b/app/views/stop_areas/_stop_area.html.slim
@@ -2,11 +2,13 @@
.panel-heading
.panel-title.clearfix
span.pull-right
- = link_to edit_stop_area_referential_stop_area_path(@stop_area_referential, stop_area), class: 'btn btn-default btn-sm' do
- span.fa.fa-pencil
+ - if policy(stop_area).update?
+ = link_to edit_stop_area_referential_stop_area_path(@stop_area_referential, stop_area), class: 'btn btn-default btn-sm' do
+ span.fa.fa-pencil
- = link_to stop_area_referential_stop_area_path(@stop_area_referential, stop_area), method: :delete, :data => { :confirm => t('stop_areas.actions.destroy_confirm') }, class: 'btn btn-danger btn-sm' do
- span.fa.fa-trash-o
+ - if policy(stop_area).destroy?
+ = link_to stop_area_referential_stop_area_path(@stop_area_referential, stop_area), method: :delete, :data => { :confirm => t('stop_areas.actions.destroy_confirm') }, class: 'btn btn-danger btn-sm' do
+ span.fa.fa-trash-o
h5
= link_to([@stop_area_referential, stop_area], class: 'preview', :title => t("area_types.label.#{stop_area.stop_area_type}") + " #{stop_area.name}") do
diff --git a/app/views/stop_areas/index.html.slim b/app/views/stop_areas/index.html.slim
index 6a01bdcb3..b6328c6f9 100644
--- a/app/views/stop_areas/index.html.slim
+++ b/app/views/stop_areas/index.html.slim
@@ -8,7 +8,7 @@
.panel-heading
.input-group.col-md-9
= f.text_field :name_cont, placeholder: "#{t('.name')}", class: 'form-control'
-
+
.input-group-btn
button.btn.btn-default type="submit"
i.fa.fa-search
@@ -27,6 +27,7 @@
- content_for :sidebar do
ul.actions
- li = link_to t('stop_areas.actions.new'), new_stop_area_referential_stop_area_path(@stop_area_referential), class: 'add'
- li
- / = link_to t('stop_areas.actions.default_geometry'), default_geometry_referential_stop_areas_path(@stop_area_referential), :method => :put, :class => "calculator" \ No newline at end of file
+ - if policy(Chouette::StopArea).create?
+ li = link_to t('stop_areas.actions.new'), new_stop_area_referential_stop_area_path(@stop_area_referential), class: 'add'
+
+ / = link_to t('stop_areas.actions.default_geometry'), default_geometry_referential_stop_areas_path(@stop_area_referential), :method => :put, :class => "calculator"
diff --git a/app/views/stop_areas/show.html.slim b/app/views/stop_areas/show.html.slim
index c9d0b67a3..50e535cb5 100644
--- a/app/views/stop_areas/show.html.slim
+++ b/app/views/stop_areas/show.html.slim
@@ -123,9 +123,12 @@ p.after_map
tr
td
ul.actions
- li = link_to t('stop_areas.actions.new'), new_stop_area_referential_stop_area_path(@stop_area_referential), class: 'add'
- li = link_to t('stop_areas.actions.edit'), edit_stop_area_referential_stop_area_path(@stop_area_referential, @stop_area), class: 'edit'
- li = link_to t('stop_areas.actions.destroy'), stop_area_referential_stop_area_path(@stop_area_referential, @stop_area), method: :delete, :data => {:confirm => t('stop_areas.actions.destroy_confirm')}, class: 'remove'
+ - if policy(Chouette::StopArea).new?
+ li = link_to t('stop_areas.actions.new'), new_stop_area_referential_stop_area_path(@stop_area_referential), class: 'add'
+ - if policy(@stop_area).update?
+ li = link_to t('stop_areas.actions.edit'), edit_stop_area_referential_stop_area_path(@stop_area_referential, @stop_area), class: 'edit'
+ - if policy(@stop_area).destroy?
+ li = link_to t('stop_areas.actions.destroy'), stop_area_referential_stop_area_path(@stop_area_referential, @stop_area), method: :delete, :data => {:confirm => t('stop_areas.actions.destroy_confirm')}, class: 'remove'
- if manage_itl #Fixme
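Review bot: The "new" link here is guarded with `policy(Chouette::StopArea).new?` while the same link in index.html.slim uses `policy(Chouette::StopArea).create?`; both resolve to the same answer under StopAreaPolicy, but a policy that later distinguishes `new?` from `create?` would make the two pages disagree. Using the action-named predicate (`new?` for the new link, `edit?` for the edit link) in both views keeps each link aligned with the `authorize` call its target action performs. These view checks only hide links; the controller-side `authorize` calls in this commit remain the actual control.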
diff --git a/public/403.html b/public/403.html
new file mode 100644
index 000000000..34d6e6bad
--- /dev/null
+++ b/public/403.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>The page you were looking is forbidden (403)</title>
+ <meta name="viewport" content="width=device-width,initial-scale=1">
+ <style>
+ body {
+ background-color: #EFEFEF;
+ color: #2E2F30;
+ text-align: center;
+ font-family: arial, sans-serif;
+ margin: 0;
+ }
+
+ div.dialog {
+ width: 95%;
+ max-width: 33em;
+ margin: 4em auto 0;
+ }
+
+ div.dialog > div {
+ border: 1px solid #CCC;
+ border-right-color: #999;
+ border-left-color: #999;
+ border-bottom-color: #BBB;
+ border-top: #B00100 solid 4px;
+ border-top-left-radius: 9px;
+ border-top-right-radius: 9px;
+ background-color: white;
+ padding: 7px 12% 0;
+ box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+ }
+
+ h1 {
+ font-size: 100%;
+ color: #730E15;
+ line-height: 1.5em;
+ }
+
+ div.dialog > p {
+ margin: 0 0 1em;
+ padding: 1em;
+ background-color: #F7F7F7;
+ border: 1px solid #CCC;
+ border-right-color: #999;
+ border-left-color: #999;
+ border-bottom-color: #999;
+ border-bottom-left-radius: 4px;
+ border-bottom-right-radius: 4px;
+ border-top-color: #DADADA;
+ color: #666;
+ box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+ }
+ </style>
+</head>
+
+<body>
+ <!-- This file lives in public/403.html -->
+ <div class="dialog">
+ <div>
+ <h1>The page you were looking is forbidden.</h1>
+ </div>
+ </div>
+</body>
+</html>
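Review bot: The title and heading read "The page you were looking is forbidden", which drops a word; it should be `<title>The page you were looking for is forbidden (403)</title>` and `<h1>The page you were looking for is forbidden.</h1>`. Keeping the page free of application layout, scripts and user data, as it is here, is the right choice for an error page served on denied requests.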
diff --git a/spec/policies/stop_area_policy_spec.rb b/spec/policies/stop_area_policy_spec.rb
new file mode 100644
index 000000000..a03c87460
--- /dev/null
+++ b/spec/policies/stop_area_policy_spec.rb
@@ -0,0 +1,4 @@
+require 'rails_helper'
+
+RSpec.describe StopAreaPolicy do
+end
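Review bot: The new spec has no examples, so the deny-all behaviour of StopAreaPolicy and the fact that Pundit resolves this policy for a namespaced `Chouette::StopArea` record are both unverified; the latter matters because Pundit derives the policy name from the model's class name, and resolving a top-level `StopAreaPolicy` for `Chouette::StopArea` may depend on constant-lookup behaviour worth pinning. A minimal spec that constructs the policy, asserts the write predicates are false, and asserts `Pundit.policy!` returns this class covers both.
```ruby
RSpec.describe StopAreaPolicy do
  let(:user) { double('user') }
  subject { described_class.new(user, Chouette::StopArea.new) }

  it { expect(subject.create?).to be false }
  it { expect(subject.update?).to be false }
  it { expect(subject.destroy?).to be false }

  it 'is the policy Pundit resolves for Chouette::StopArea' do
    expect(Pundit.policy!(user, Chouette::StopArea.new)).to be_a(described_class)
  end
end
```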