Section 8.8: Restrict actions in TicketsController based on permissions and hide links

Ryan Bigg · Ryan Bigg · commit 0a4290116a5c · 2014-12-10T18:24:21.000+11:00
diff --git a/ticketee/app/helpers/application_helper.rb b/ticketee/app/helpers/application_helper.rb
@@ -10,4 +10,8 @@ def title(*parts)
   def admins_only(&block)
     block.call if current_user.try(:admin?)
   end
+
+  def authorized?(permission, thing, &block)
+    block.call if policy(thing).send("#{permission}?")
+  end
 end
diff --git a/ticketee/app/policies/project_policy.rb b/ticketee/app/policies/project_policy.rb
@@ -7,6 +7,7 @@ def initialize(user, project)
   end
 
   def write?
+    user.admin? ||
     user.permissions.exists?(thing: project, action: :write)
   end
 end
diff --git a/ticketee/app/views/projects/show.html.erb b/ticketee/app/views/projects/show.html.erb
@@ -17,9 +17,9 @@
        class: "delete" %>
 <% end %>
 
-<%= link_to "New Ticket",
-   new_project_ticket_path(@project),
-   class: "new" %>
+<% authorized?(:write, @project) do %>
+  <%= link_to "New Ticket", new_project_ticket_path(@project) %>
+<% end %>
 
 <div class='row'>
   <ul id='tickets'>
diff --git a/ticketee/app/views/tickets/show.html.erb b/ticketee/app/views/tickets/show.html.erb
@@ -1,11 +1,13 @@
 <div id='ticket'>
   <h2><%= @ticket.title %></h2>
-  <%= link_to "Edit Ticket",
-      [:edit, @project, @ticket],
-      class: "edit" %>
-  <%= link_to "Delete Ticket", [@project, @ticket], method: :delete,
-    data: { confirm: "Are you sure you want to delete this ticket?"},
-    class: "delete" %>
+  <%= authorized?("write", @project) do %>
+    <%= link_to "Edit Ticket",
+        [:edit, @project, @ticket],
+        class: "edit" %>
+    <%= link_to "Delete Ticket", [@project, @ticket], method: :delete,
+      data: { confirm: "Are you sure you want to delete this ticket?"},
+      class: "delete" %>
+  <% end %>
   <div id='author'>
     Created by <%= @ticket.author.email %>
   </div>
diff --git a/ticketee/spec/features/hidden_links_spec.rb b/ticketee/spec/features/hidden_links_spec.rb
@@ -4,6 +4,10 @@
   let(:user) { FactoryGirl.create(:user) }
   let(:admin) { FactoryGirl.create(:user, :admin) }
   let(:project) { FactoryGirl.create(:project) }
+  let(:ticket) do
+    FactoryGirl.create(:ticket, project: project,
+                                author: user)
+  end
 
   context "anonymous users" do
     scenario "cannot see the New Project link" do
@@ -38,6 +42,53 @@
       visit project_path(project)
       assert_no_link_for "Delete Project"
     end
+
+    scenario "New ticket link is shown to a user with permission" do
+      define_permission!(user, "read", project)
+      define_permission!(user, "write", project)
+      visit project_path(project)
+      assert_link_for "New Ticket"
+    end
+
+    scenario "New ticket link is hidden from a user without permission" do
+      define_permission!(user, "read", project)
+      visit project_path(project)
+      assert_no_link_for "New Ticket"
+    end
+
+    scenario "Edit ticket link is shown to a user with permission" do
+      ticket
+      define_permission!(user, "read", project)
+      define_permission!(user, "write", project)
+      visit project_path(project)
+      click_link ticket.title
+      assert_link_for "Edit Ticket"
+    end
+
+    scenario "Edit ticket link is hidden from a user without permission" do
+      ticket
+      define_permission!(user, "read", project)
+      visit project_path(project)
+      click_link ticket.title
+      assert_no_link_for "Edit Ticket"
+    end
+
+    scenario "Delete ticket link is shown to a user with permission" do
+      ticket
+      define_permission!(user, "read", project)
+      define_permission!(user, "write", project)
+      visit project_path(project)
+      click_link ticket.title
+      assert_link_for "Delete Ticket"
+    end
+
+    scenario "Delete ticket link is hidden from users without permission" do
+      ticket
+      define_permission!(user, "read", project)
+      visit project_path(project)
+      click_link ticket.title
+      assert_no_link_for "Delete Ticket"
+    end
   end
 
   context "admin users" do
@@ -56,5 +107,24 @@
       visit project_path(project)
       assert_link_for "Delete Project"
     end
+
+    scenario "New ticket link is shown to admins" do
+      visit project_path(project)
+      assert_link_for "New Ticket"
+    end
+
+    scenario "Edit ticket link is shown to admins" do
+      ticket
+      visit project_path(project)
+      click_link ticket.title
+      assert_link_for "Edit Ticket"
+    end
+
+    scenario "Delete ticket link is shown to admins" do
+      ticket
+      visit project_path(project)
+      click_link ticket.title
+      assert_link_for "Delete Ticket"
+    end
   end
 end
