Diffstat (limited to 'app/policies')
| -rw-r--r-- | app/policies/acces_point_policy.rb | 22 | ||||
| -rw-r--r-- | app/policies/access_link_policy.rb | 22 | ||||
| -rw-r--r-- | app/policies/application_policy.rb | 4 | ||||
| -rw-r--r-- | app/policies/calendar_policy.rb | 4 | ||||
| -rw-r--r-- | app/policies/connection_link_policy.rb | 22 | ||||
| -rw-r--r-- | app/policies/journey_pattern_policy.rb | 7 | ||||
| -rw-r--r-- | app/policies/referential_policy.rb | 15 | ||||
| -rw-r--r-- | app/policies/route_policy.rb | 6 | ||||
| -rw-r--r-- | app/policies/routing_constraint_zone_policy.rb | 6 | ||||
| -rw-r--r-- | app/policies/time_table_policy.rb | 6 | ||||
| -rw-r--r-- | app/policies/vehicle_journey_policy.rb | 6 |
11 files changed, 99 insertions, 21 deletions
diff --git a/app/policies/acces_point_policy.rb b/app/policies/acces_point_policy.rb new file mode 100644 index 000000000..4f604693c --- /dev/null +++ b/app/policies/acces_point_policy.rb @@ -0,0 +1,22 @@ +class AccessPointPolicy < ApplicationPolicy + class Scope < Scope + def resolve + scope + end + end + + def create? + user.has_permission?('access_points.create') # organisation match via referential is checked in the view + end + + def edit? + organisation_match?(via_referential: true) && user.has_permission?('access_points.edit') + end + + def destroy? + organisation_match?(via_referential: true) && user.has_permission?('access_points.destroy') + end + + def update? ; edit? end + def new? ; create? end +end diff --git a/app/policies/access_link_policy.rb b/app/policies/access_link_policy.rb new file mode 100644 index 000000000..8e7a86490 --- /dev/null +++ b/app/policies/access_link_policy.rb @@ -0,0 +1,22 @@ +class AccessLinkPolicy < ApplicationPolicy + class Scope < Scope + def resolve + scope + end + end + + def create? + user.has_permission?('access_links.create') # organisation match via referential is checked in the view + end + + def edit? + organisation_match?(via_referential: true) && user.has_permission?('access_links.edit') + end + + def destroy? + organisation_match?(via_referential: true) && user.has_permission?('access_links.destroy') + end + + def update? ; edit? end + def new? ; create? end +end diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb index 2a0bbc521..07138b38e 100644 --- a/app/policies/application_policy.rb +++ b/app/policies/application_policy.rb @@ -38,6 +38,10 @@ class ApplicationPolicy Pundit.policy_scope!(user, record.class) end + def organisation_match?(via_referential: false) + eval("user.organisation == record#{'.referential' if via_referential}.organisation") + end + class Scope attr_reader :user, :scope 
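Review bot: `create?` (and `new?`, which delegates to it) checks only `user.has_permission?('access_points.create')`, and the inline comment defers the organisation match to the view; a view can hide a link but does not stop a request sent straight to the create action, so the policy itself should carry the check. If the controller authorizes a built record that already has its referential assigned, `organisation_match?(via_referential: true) && user.has_permission?('access_points.create')` would make this consistent with `edit?` and `destroy?`; otherwise the check belongs in the controller against the current referential. The same applies to `create?` in access_link_policy.rb, connection_link_policy.rb, journey_pattern_policy.rb, route_policy.rb, routing_constraint_zone_policy.rb, time_table_policy.rb and vehicle_journey_policy.rb. Separately, the file is named `acces_point_policy.rb` while it defines `AccessPointPolicy`, so constant autoloading by file name will likely not find it; renaming it to `access_point_policy.rb` avoids that.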
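Review bot: `organisation_match?` builds a Ruby string and passes it to `eval` only to choose between `record` and `record.referential`; nothing user-controlled reaches the string here, but `eval` in the base authorization class is unnecessary and makes the check harder to audit and to analyse statically. A plain form does the same: `owner = via_referential ? record.referential : record` followed by `user.organisation == owner.organisation`. The comparison also returns true when both organisations are nil, so it may be worth requiring `user.organisation` to be present; whether that case can occur is not visible from this hunk. The surrounding `ApplicationPolicy` class starts and ends outside the hunk.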
diff --git a/app/policies/calendar_policy.rb b/app/policies/calendar_policy.rb index 3b17679f1..4248bccc7 100644 --- a/app/policies/calendar_policy.rb +++ b/app/policies/calendar_policy.rb @@ -24,8 +24,4 @@ class CalendarPolicy < ApplicationPolicy def modify? organisation_match? end - - def organisation_match? - user.organisation == record.organisation - end end diff --git a/app/policies/connection_link_policy.rb b/app/policies/connection_link_policy.rb new file mode 100644 index 000000000..cc49f575f --- /dev/null +++ b/app/policies/connection_link_policy.rb @@ -0,0 +1,22 @@ +class ConnectionLinkPolicy < ApplicationPolicy + class Scope < Scope + def resolve + scope + end + end + + def create? + user.has_permission?('connection_links.create') # organisation match via referential is checked in the view + end + + def edit? + organisation_match?(via_referential: true) && user.has_permission?('connection_links.edit') + end + + def destroy? + organisation_match?(via_referential: true) && user.has_permission?('connection_links.destroy') + end + + def update? ; edit? end + def new? ; create? end +end diff --git a/app/policies/journey_pattern_policy.rb b/app/policies/journey_pattern_policy.rb index 95ab23318..a11fd6bcc 100644 --- a/app/policies/journey_pattern_policy.rb +++ b/app/policies/journey_pattern_policy.rb @@ -6,17 +6,18 @@ class JourneyPatternPolicy < ApplicationPolicy end def create? - user.has_permission?('journey_patterns.create') + user.has_permission?('journey_patterns.create') # organisation match via referential is checked in the view end def edit? - user.has_permission?('journey_patterns.edit') + organisation_match?(via_referential: true) && user.has_permission?('journey_patterns.edit') end def destroy? - user.has_permission?('journey_patterns.destroy') + organisation_match?(via_referential: true) && user.has_permission?('journey_patterns.destroy') end def update? ; edit? end def new? ; create? end end + 
diff --git a/app/policies/referential_policy.rb b/app/policies/referential_policy.rb index ddf5188a0..074aaec8b 100644 --- a/app/policies/referential_policy.rb +++ b/app/policies/referential_policy.rb @@ -5,9 +5,20 @@ class ReferentialPolicy < ApplicationPolicy end end + def create? + true + end + + def edit? + organisation_match? + end + def update? - !record.archived? + edit? && !record.archived? end - def edit? ; update? end + def new? ; create? end + def destroy? ; edit? end end + + diff --git a/app/policies/route_policy.rb b/app/policies/route_policy.rb index 232706d8f..0f42b7f08 100644 --- a/app/policies/route_policy.rb +++ b/app/policies/route_policy.rb @@ -6,15 +6,15 @@ class RoutePolicy < ApplicationPolicy end def create? - user.has_permission?('routes.create') + user.has_permission?('routes.create') # organisation match via referential is checked in the view end def edit? - user.has_permission?('routes.edit') + organisation_match?(via_referential: true) && user.has_permission?('routes.edit') end def destroy? - user.has_permission?('routes.destroy') + organisation_match?(via_referential: true) && user.has_permission?('routes.destroy') end def update? ; edit? end diff --git a/app/policies/routing_constraint_zone_policy.rb b/app/policies/routing_constraint_zone_policy.rb index 3de5080f6..fbf322066 100644 --- a/app/policies/routing_constraint_zone_policy.rb +++ b/app/policies/routing_constraint_zone_policy.rb 
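Review bot: In referential_policy.rb, `destroy?` delegates to `edit?`, which is only `organisation_match?`, so any user of the owning organisation may destroy a referential with no `has_permission?` check and regardless of `archived?`, and `create?` returns `true` for every user. The other policies in this commit pair the organisation match with a named permission; if referentials are meant to follow that, something like `organisation_match? && user.has_permission?('referentials.destroy')` would fit (the permission name is a placeholder, none for referentials appears on this page). `edit?` also no longer excludes archived records, since it previously delegated to `update?`; if that is intended, a short comment on `edit?` saying so would help.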
@@ -6,15 +6,15 @@ class RoutingConstraintZonePolicy < ApplicationPolicy end def create? - user.has_permission?('routing_constraint_zones.create') + user.has_permission?('routing_constraint_zones.create') # organisation match via referential is checked in the view end def edit? - user.has_permission?('routing_constraint_zones.edit') + organisation_match?(via_referential: true) && user.has_permission?('routing_constraint_zones.edit') end def destroy? - user.has_permission?('routing_constraint_zones.destroy') + organisation_match?(via_referential: true) && user.has_permission?('routing_constraint_zones.destroy') end def update? ; edit? end diff --git a/app/policies/time_table_policy.rb b/app/policies/time_table_policy.rb index 7328748c2..1d14c646a 100644 --- a/app/policies/time_table_policy.rb +++ b/app/policies/time_table_policy.rb @@ -6,15 +6,15 @@ class TimeTablePolicy < ApplicationPolicy end def create? - user.has_permission?('time_tables.create') + user.has_permission?('time_tables.create') # organisation match via referential is checked in the view end def edit? - user.has_permission?('time_tables.edit') + organisation_match?(via_referential: true) && user.has_permission?('time_tables.edit') end def destroy? - user.has_permission?('time_tables.destroy') + organisation_match?(via_referential: true) && user.has_permission?('time_tables.destroy') end def update? ; edit? end diff --git a/app/policies/vehicle_journey_policy.rb b/app/policies/vehicle_journey_policy.rb index 7aa19f1a2..785c2bb1f 100644 --- a/app/policies/vehicle_journey_policy.rb +++ b/app/policies/vehicle_journey_policy.rb 
@@ -6,15 +6,15 @@ class VehicleJourneyPolicy < ApplicationPolicy end def create? - user.has_permission?('vehicle_journeys.create') + user.has_permission?('vehicle_journeys.create') # organisation match via referential is checked in the view end def edit? - user.has_permission?('vehicle_journeys.edit') + organisation_match?(via_referential: true) && user.has_permission?('vehicle_journeys.edit') end def destroy? - user.has_permission?('vehicle_journeys.destroy') + organisation_match?(via_referential: true) && user.has_permission?('vehicle_journeys.destroy') end def update? ; edit? end |
