Section 8.3.5: Don’t show projects that a user doesn't have permission to see

Ryan Bigg · Ryan Bigg · commit 527445747fe9 · 2014-12-09T08:29:29.000+11:00
diff --git a/ticketee/app/controllers/application_controller.rb b/ticketee/app/controllers/application_controller.rb
@@ -5,6 +5,10 @@ class ApplicationController < ActionController::Base
 
   private
 
+  def after_sign_out_path_for(resource_or_scope)
+    new_user_session_path
+  end
+
   def authorize_admin!
     authenticate_user!
 
diff --git a/ticketee/app/controllers/projects_controller.rb b/ticketee/app/controllers/projects_controller.rb
@@ -1,12 +1,12 @@
 class ProjectsController < ApplicationController
   before_action :authorize_admin!, except: [:index, :show]
-  before_action :authenticate_user!, only: [:show]
+  before_action :authenticate_user!, only: [:index, :show]
   before_action :set_project, only: [:show,
                                      :edit,
                                      :update,
                                      :destroy]
   def index
-    @projects = Project.all
+    @projects = Project.for(current_user)
   end
 
   def new
@@ -46,11 +46,7 @@ def destroy
   private
 
   def set_project
-    @project = if current_user.admin?
-      Project.find(params[:id])
-    else
-      Project.readable_by(current_user).find(params[:id])
-    end
+    @project = Project.for(current_user).find(params[:id])
   rescue ActiveRecord::RecordNotFound
     flash[:alert] = "The project you were looking" +
                     " for could not be found."
diff --git a/ticketee/app/models/project.rb b/ticketee/app/models/project.rb
@@ -9,4 +9,8 @@ class Project < ActiveRecord::Base
     joins(:permissions).where(permissions: { action: "read",
                                              user_id: user.id })
   end
+
+  scope :for, ->(user) do
+    user.admin? ? all : readable_by(user)
+  end
 end
diff --git a/ticketee/spec/features/signing_up_spec.rb b/ticketee/spec/features/signing_up_spec.rb
@@ -3,7 +3,9 @@
 feature "Sign up" do
   it "a user can sign up" do
     visit "/"
-    click_link "Sign up"
+    within("nav") do
+      click_link "Sign up"
+    end
     fill_in "Email", with: "test@example.com"
     fill_in "user_password", with: "password"
     fill_in "Password confirmation", with: "password"
diff --git a/ticketee/spec/features/viewing_projects_spec.rb b/ticketee/spec/features/viewing_projects_spec.rb
@@ -10,7 +10,9 @@
   end
 
   scenario "Listing all projects" do
+    FactoryGirl.create(:project, name: "Hidden")
     visit "/"
+    expect(page).to_not have_content("Hidden")
     click_link project.name
 
     expect(page.current_url).to eql(project_url(project))
