Diffstat (limited to 'app')
-rw-r--r--app/controllers/application_controller.rb4
-rw-r--r--app/models/user_context.rb8
-rw-r--r--app/policies/acces_point_policy.rb4
-rw-r--r--app/policies/access_link_policy.rb4
-rw-r--r--app/policies/application_policy.rb24
-rw-r--r--app/policies/connection_link_policy.rb4
-rw-r--r--app/policies/journey_pattern_policy.rb8
-rw-r--r--app/policies/route_policy.rb4
-rw-r--r--app/policies/routing_constraint_zone_policy.rb4
-rw-r--r--app/policies/time_table_policy.rb4
-rw-r--r--app/policies/vehicle_journey_policy.rb4
11 files changed, 48 insertions, 24 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index c2414f5bb..2bdf8078a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -15,6 +15,10 @@ class ApplicationController < ActionController::Base
I18n.locale = session[:language] || I18n.default_locale
end
+ def pundit_user
+ UserContext.new(current_user, referential: self.try(:current_referential))
+ end
+
protected
def user_not_authorized
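Review bot: `pundit_user` takes its referential from `self.try(:current_referential)`, and on Rails 4 and later `try` returns nil without raising when the receiver has no public method of that name. If `current_referential` is private or protected in the controllers that define it (not visible here), every policy silently receives a nil referential and falls back to whatever the record provides. Resolving it explicitly makes this visible, e.g. `referential = respond_to?(:current_referential, true) ? current_referential : nil`. The method is also added above the `protected` marker, so it is a public controller method; moving it below `protected` keeps it out of the set of callable actions. The class body continues outside the hunk.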
diff --git a/app/models/user_context.rb b/app/models/user_context.rb
new file mode 100644
index 000000000..e0a856e4b
--- /dev/null
+++ b/app/models/user_context.rb
@@ -0,0 +1,8 @@
+class UserContext
+ attr_reader :user, :context
+
+ def initialize(user, context = {})
+ @user = user
+ @context = context
+ end
+end
diff --git a/app/policies/acces_point_policy.rb b/app/policies/acces_point_policy.rb
index 4f604693c..904b7a242 100644
--- a/app/policies/acces_point_policy.rb
+++ b/app/policies/acces_point_policy.rb
@@ -10,11 +10,11 @@ class AccessPointPolicy < ApplicationPolicy
end
def edit?
- organisation_match?(via_referential: true) && user.has_permission?('access_points.edit')
+ organisation_match? && user.has_permission?('access_points.edit')
end
def destroy?
- organisation_match?(via_referential: true) && user.has_permission?('access_points.destroy')
+ organisation_match? && user.has_permission?('access_points.destroy')
end
def update? ; edit? end
diff --git a/app/policies/access_link_policy.rb b/app/policies/access_link_policy.rb
index 8e7a86490..73b2d1baa 100644
--- a/app/policies/access_link_policy.rb
+++ b/app/policies/access_link_policy.rb
@@ -10,11 +10,11 @@ class AccessLinkPolicy < ApplicationPolicy
end
def edit?
- organisation_match?(via_referential: true) && user.has_permission?('access_links.edit')
+ organisation_match? && user.has_permission?('access_links.edit')
end
def destroy?
- organisation_match?(via_referential: true) && user.has_permission?('access_links.destroy')
+ organisation_match? && user.has_permission?('access_links.destroy')
end
def update? ; edit? end
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
index 07138b38e..4a2d760fb 100644
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
@@ -1,11 +1,21 @@
class ApplicationPolicy
attr_reader :user, :record
- def initialize(user, record)
- @user = user
+ def initialize(user_context, record)
+ @user = user_context.user
+ @referential = user_context.context[:referential]
@record = record
end
+ attr_accessor :referential
+ def referential
+ @referential ||= record_referential
+ end
+
+ def record_referential
+ record.referential if record.respond_to?(:referential)
+ end
+
def index?
false
end
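Review bot: `initialize` now calls `user_context.user` and `user_context.context`, so any caller that still passes a bare user raises NoMethodError. The `scope` helper further down this file still calls `Pundit.policy_scope!(user, record.class)` with the unwrapped user, while controllers will now hand a `UserContext` to the `Scope` classes through `pundit_user`. The `Scope` initializer is outside this hunk, so it should be checked that it copes with both or is updated to unwrap the context. Separately, `attr_accessor :referential` followed by `def referential` redefines the reader that was just generated; `attr_writer :referential` expresses the same intent without the redefinition warning. A one-line comment on `referential` saying that the context value takes precedence over `record.referential` would help the next reader.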
@@ -38,8 +48,14 @@ class ApplicationPolicy
Pundit.policy_scope!(user, record.class)
end
- def organisation_match?(via_referential: false)
- eval("user.organisation == record#{'.referential' if via_referential}.organisation")
+ def organisation_match?
+ user.organisation == organisation
+ end
+
+ def organisation
+ # When sending permission to react UI, we don't have access to record object for edit & destroy.. actions
+ organisation = record.is_a?(Symbol) ? nil : record.try(:organisation)
+ organisation or referential.try :organisation
end
class Scope
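Review bot: `organisation_match?` returns true when both sides are nil, so a user without an organisation passes the check whenever `organisation` cannot be resolved, for instance a Symbol record with no referential in the context. An authorization predicate should fail closed here: `org = organisation` followed by `!org.nil? && user.organisation == org`. `organisation` also now prefers `record.try(:organisation)` over the referential, which may change the result for policies that previously passed `via_referential: true` if those records respond to `organisation` themselves; that is not visible from this diff and is worth a spec. The trailing `or` would read more conventionally as `||`.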
diff --git a/app/policies/connection_link_policy.rb b/app/policies/connection_link_policy.rb
index cc49f575f..abefd741c 100644
--- a/app/policies/connection_link_policy.rb
+++ b/app/policies/connection_link_policy.rb
@@ -10,11 +10,11 @@ class ConnectionLinkPolicy < ApplicationPolicy
end
def edit?
- organisation_match?(via_referential: true) && user.has_permission?('connection_links.edit')
+ organisation_match? && user.has_permission?('connection_links.edit')
end
def destroy?
- organisation_match?(via_referential: true) && user.has_permission?('connection_links.destroy')
+ organisation_match? && user.has_permission?('connection_links.destroy')
end
def update? ; edit? end
diff --git a/app/policies/journey_pattern_policy.rb b/app/policies/journey_pattern_policy.rb
index 2b5e4c6cd..56f32613c 100644
--- a/app/policies/journey_pattern_policy.rb
+++ b/app/policies/journey_pattern_policy.rb
@@ -11,15 +11,11 @@ class JourneyPatternPolicy < ApplicationPolicy
end
def edit?
- # In React UI, we don't have access to record object yet.
- # In this case record is a symbol
- can_edit = user.has_permission?('journey_patterns.edit')
- record.is_a?(Symbol) ? can_edit : (organisation_match?(via_referential: true) && can_edit)
+ organisation_match? && user.has_permission?('journey_patterns.edit')
end
def destroy?
- can_destroy = user.has_permission?('journey_patterns.destroy')
- record.is_a?(Symbol) ? can_destroy : (organisation_match?(via_referential: true) && can_destroy)
+ organisation_match? && user.has_permission?('journey_patterns.destroy')
end
def update? ; edit? end
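Review bot: The Symbol-record path changes meaning in `edit?` and `destroy?`. The removed lines granted access on the permission alone when `record` was a Symbol, whereas the new lines also require `organisation_match?`, which for a Symbol depends entirely on the referential carried in the user context. That is a tightening, but it means any caller that builds this policy from a Symbol without a referential in scope is now decided by how `organisation_match?` treats a nil organisation rather than by the permission. A spec covering a Symbol record with and without a referential would pin the intended outcome, and the removed explanatory comment could be kept in shortened form, e.g. `# record may be a Symbol (React UI); organisation then comes from the context referential`.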
diff --git a/app/policies/route_policy.rb b/app/policies/route_policy.rb
index 0f42b7f08..c4d048f2a 100644
--- a/app/policies/route_policy.rb
+++ b/app/policies/route_policy.rb
@@ -10,11 +10,11 @@ class RoutePolicy < ApplicationPolicy
end
def edit?
- organisation_match?(via_referential: true) && user.has_permission?('routes.edit')
+ organisation_match? && user.has_permission?('routes.edit')
end
def destroy?
- organisation_match?(via_referential: true) && user.has_permission?('routes.destroy')
+ organisation_match? && user.has_permission?('routes.destroy')
end
def update? ; edit? end
diff --git a/app/policies/routing_constraint_zone_policy.rb b/app/policies/routing_constraint_zone_policy.rb
index fbf322066..3126241f0 100644
--- a/app/policies/routing_constraint_zone_policy.rb
+++ b/app/policies/routing_constraint_zone_policy.rb
@@ -10,11 +10,11 @@ class RoutingConstraintZonePolicy < ApplicationPolicy
end
def edit?
- organisation_match?(via_referential: true) && user.has_permission?('routing_constraint_zones.edit')
+ organisation_match? && user.has_permission?('routing_constraint_zones.edit')
end
def destroy?
- organisation_match?(via_referential: true) && user.has_permission?('routing_constraint_zones.destroy')
+ organisation_match? && user.has_permission?('routing_constraint_zones.destroy')
end
def update? ; edit? end
diff --git a/app/policies/time_table_policy.rb b/app/policies/time_table_policy.rb
index 1d14c646a..6ca02f451 100644
--- a/app/policies/time_table_policy.rb
+++ b/app/policies/time_table_policy.rb
@@ -10,11 +10,11 @@ class TimeTablePolicy < ApplicationPolicy
end
def edit?
- organisation_match?(via_referential: true) && user.has_permission?('time_tables.edit')
+ organisation_match? && user.has_permission?('time_tables.edit')
end
def destroy?
- organisation_match?(via_referential: true) && user.has_permission?('time_tables.destroy')
+ organisation_match? && user.has_permission?('time_tables.destroy')
end
def update? ; edit? end
diff --git a/app/policies/vehicle_journey_policy.rb b/app/policies/vehicle_journey_policy.rb
index 785c2bb1f..ae3680adf 100644
--- a/app/policies/vehicle_journey_policy.rb
+++ b/app/policies/vehicle_journey_policy.rb
@@ -10,11 +10,11 @@ class VehicleJourneyPolicy < ApplicationPolicy
end
def edit?
- organisation_match?(via_referential: true) && user.has_permission?('vehicle_journeys.edit')
+ organisation_match? && user.has_permission?('vehicle_journeys.edit')
end
def destroy?
- organisation_match?(via_referential: true) && user.has_permission?('vehicle_journeys.destroy')
+ organisation_match? && user.has_permission?('vehicle_journeys.destroy')
end
def update? ; edit? end