Section 8.5.3: Restrict creating tickets to only users who have permissions to do it

Ryan Bigg · Ryan Bigg · commit 9dd874477d4a · 2014-12-09T20:29:42.000+11:00
diff --git a/ticketee/Gemfile b/ticketee/Gemfile
@@ -27,6 +27,7 @@ gem 'bootstrap-sass', '~> 3.3'
 gem 'font-awesome-rails', '~> 4.2'
 gem 'simple_form', '3.1.0'
 gem 'devise', '~> 3.4.1'
+gem 'pundit', '~> 0.3.0'
 
 # Use ActiveModel has_secure_password
 # gem 'bcrypt', '~> 3.1.7'
diff --git a/ticketee/Gemfile.lock b/ticketee/Gemfile.lock
@@ -103,6 +103,8 @@ GEM
     nokogiri (1.6.5)
       mini_portile (~> 0.6.0)
     orm_adapter (0.5.0)
+    pundit (0.3.0)
+      activesupport (>= 3.0.0)
     rack (1.6.0.beta2)
     rack-test (0.6.2)
       rack (>= 1.0)
@@ -208,6 +210,7 @@ DEPENDENCIES
   font-awesome-rails (~> 4.2)
   jbuilder (~> 2.0)
   jquery-rails (~> 4.0.0.beta2)
+  pundit (~> 0.3.0)
   rails (= 4.2.0.rc1)
   rspec-rails (~> 3.1.0)
   sass-rails (~> 5.0.0.beta1)
diff --git a/ticketee/app/controllers/application_controller.rb b/ticketee/app/controllers/application_controller.rb
@@ -1,4 +1,7 @@
 class ApplicationController < ActionController::Base
+  include Pundit
+
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
   protect_from_forgery with: :exception
@@ -17,4 +20,9 @@ def authorize_admin!
       redirect_to root_path
     end
   end
+
+  def user_not_authorized
+    flash[:alert] = "You don't have permission to do that."
+    redirect_to(root_path)
+  end
 end
diff --git a/ticketee/app/controllers/tickets_controller.rb b/ticketee/app/controllers/tickets_controller.rb
@@ -4,10 +4,12 @@ class TicketsController < ApplicationController
   before_action :set_ticket, only: [:show, :edit, :update, :destroy]
 
   def new
+    authorize @project, :write?
     @ticket = @project.tickets.build
   end
 
   def create
+    authorize @project, :write?
     @ticket = @project.tickets.build(ticket_params)
     @ticket.author = current_user
 
diff --git a/ticketee/app/models/user.rb b/ticketee/app/models/user.rb
@@ -4,6 +4,8 @@ class User < ActiveRecord::Base
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :trackable, :validatable
 
+  has_many :permissions
+
   def to_s
     "#{email} (#{admin? ? "Admin" : "User"})"
   end
diff --git a/ticketee/app/policies/application_policy.rb b/ticketee/app/policies/application_policy.rb
@@ -0,0 +1,54 @@
+class ApplicationPolicy
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  def index?
+    false
+  end
+
+  def show?
+    scope.where(:id => record.id).exists?
+  end
+
+  def create?
+    false
+  end
+
+  def new?
+    create?
+  end
+
+  def update?
+    false
+  end
+
+  def edit?
+    update?
+  end
+
+  def destroy?
+    false
+  end
+
+  def scope
+    Pundit.policy_scope!(user, record.class)
+  end
+
+  class Scope
+    attr_reader :user, :scope
+
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      scope
+    end
+  end
+end
+
diff --git a/ticketee/app/policies/project_policy.rb b/ticketee/app/policies/project_policy.rb
@@ -0,0 +1,12 @@
+class ProjectPolicy < ApplicationPolicy
+  attr_reader :user, :project
+
+  def initialize(user, project)
+    @user = user
+    @project = project
+  end
+
+  def write?
+    user.permissions.exists?(thing: project, action: :write)
+  end
+end
diff --git a/ticketee/spec/controllers/tickets_controller_spec.rb b/ticketee/spec/controllers/tickets_controller_spec.rb
@@ -20,5 +20,29 @@
       expect(flash[:alert]).to eql("The project you were looking " +
                                    "for could not be found.")
     end
+
+    context "with permission to read the project" do
+      before do
+        define_permission!(user, "read", project)
+      end
+
+      context "but without permission to write" do
+        def assert_no_permission!
+          expect(response).to redirect_to(root_path)
+          message = "You don't have permission to do that."
+          expect(flash[:alert]).to eql(message)
+        end
+
+        it "cannot begin to create a ticket" do
+          get :new, project_id: project.id
+          assert_no_permission!
+        end
+
+        it "cannot create a ticket without permission" do
+          post :create, project_id: project.id
+          assert_no_permission!
+        end
+      end
+    end
   end
 end
diff --git a/ticketee/spec/features/creating_tickets_spec.rb b/ticketee/spec/features/creating_tickets_spec.rb
@@ -6,6 +6,7 @@
     login_as(user)
     project = FactoryGirl.create(:project, name: "Internet Explorer")
     define_permission!(user, "read", project)
+    define_permission!(user, "write", project)
 
     visit '/'
     click_link project.name
diff --git a/ticketee/spec/spec_helper.rb b/ticketee/spec/spec_helper.rb
@@ -1,3 +1,4 @@
+require "pundit/rspec"
 # This file was generated by the `rails generate rspec:install` command. Conventionally, all
 # specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
 # The generated `.rspec` file contains `--require spec_helper` which will cause this

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+require "pundit/rspec"`
`1`	`2`	# This file was generated by the `rails generate rspec:install` command. Conventionally, all
`2`	`3`	# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
`3`	`4`	# The generated `.rspec` file contains `--require spec_helper` which will cause this