Section 8.3.2: Make projects only visible to users with permission to see them

Ryan Bigg · Ryan Bigg · commit d34c458619ff · 2014-12-09T08:29:27.000+11:00
diff --git a/ticketee/app/controllers/projects_controller.rb b/ticketee/app/controllers/projects_controller.rb
@@ -1,5 +1,6 @@
 class ProjectsController < ApplicationController
   before_action :authorize_admin!, except: [:index, :show]
+  before_action :authenticate_user!, only: [:show]
   before_action :set_project, only: [:show,
                                      :edit,
                                      :update,
@@ -45,7 +46,11 @@ def destroy
   private
 
   def set_project
-    @project = Project.find(params[:id])
+    @project = if current_user.admin?
+      Project.find(params[:id])
+    else
+      Project.readable_by(current_user).find(params[:id])
+    end
   rescue ActiveRecord::RecordNotFound
     flash[:alert] = "The project you were looking" +
                     " for could not be found."
diff --git a/ticketee/app/models/permission.rb b/ticketee/app/models/permission.rb
@@ -0,0 +1,4 @@
+class Permission < ActiveRecord::Base
+  belongs_to :user
+  belongs_to :thing, polymorphic: true
+end
diff --git a/ticketee/app/models/project.rb b/ticketee/app/models/project.rb
@@ -2,4 +2,11 @@ class Project < ActiveRecord::Base
   validates :name, presence: true
 
   has_many :tickets, dependent: :delete_all
+
+  has_many :permissions, as: :thing
+
+  scope :readable_by, -> (user) do
+    joins(:permissions).where(permissions: { action: "read",
+                                             user_id: user.id })
+  end
 end
diff --git a/ticketee/db/migrate/20141207214915_create_permissions.rb b/ticketee/db/migrate/20141207214915_create_permissions.rb
@@ -0,0 +1,12 @@
+class CreatePermissions < ActiveRecord::Migration
+  def change
+    create_table :permissions do |t|
+      t.integer :user_id
+      t.integer :thing_id
+      t.string :thing_type
+      t.string :action
+
+      t.timestamps null: false
+    end
+  end
+end
diff --git a/ticketee/db/schema.rb b/ticketee/db/schema.rb
@@ -11,7 +11,16 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20141206010551) do
+ActiveRecord::Schema.define(version: 20141207214915) do
+
+  create_table "permissions", force: true do |t|
+    t.integer  "user_id"
+    t.integer  "thing_id"
+    t.string   "thing_type"
+    t.string   "action"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
 
   create_table "projects", force: true do |t|
     t.string   "name"
diff --git a/ticketee/spec/controllers/projects_controller_spec.rb b/ticketee/spec/controllers/projects_controller_spec.rb
@@ -21,6 +21,15 @@
         expect(flash[:alert]).to eql("You must be an admin to do that.")
       end
     end
+
+    it "cannot access the show action without permission" do
+      project = FactoryGirl.create(:project)
+      get :show, id: project.id
+
+      expect(response).to redirect_to(projects_path)
+      expect(flash[:alert]).to eql("The project you were looking " +
+                               "for could not be found.")
+    end
   end
 
   it "displays an error for a missing project" do
diff --git a/ticketee/spec/features/creating_tickets_spec.rb b/ticketee/spec/features/creating_tickets_spec.rb
@@ -4,10 +4,11 @@
   let(:user) { FactoryGirl.create(:user) }
   before do
     login_as(user)
-    FactoryGirl.create(:project, name: "Internet Explorer")
+    project = FactoryGirl.create(:project, name: "Internet Explorer")
+    define_permission!(user, "read", project)
 
     visit '/'
-    click_link "Internet Explorer"
+    click_link project.name
     click_link "New Ticket"
   end
 
diff --git a/ticketee/spec/features/deleting_tickets_spec.rb b/ticketee/spec/features/deleting_tickets_spec.rb
@@ -8,6 +8,8 @@
   end
 
   before do
+    login_as(user)
+    define_permission!(user, "read", project)
     visit "/"
     click_link project.name
     click_link ticket.title
diff --git a/ticketee/spec/features/editing_tickets_spec.rb b/ticketee/spec/features/editing_tickets_spec.rb
@@ -8,6 +8,9 @@
   end
 
   before do
+    define_permission!(user, "read", project)
+    login_as(user)
+
     visit "/"
     click_link project.name
     click_link ticket.title
diff --git a/ticketee/spec/features/viewing_projects_spec.rb b/ticketee/spec/features/viewing_projects_spec.rb
@@ -1,10 +1,18 @@
-require 'rails_helper'
+require "rails_helper"
+
+feature "Viewing projects" do
+  let!(:user) { FactoryGirl.create(:user) }
+  let!(:project) { FactoryGirl.create(:project) }
+
+  before do
+    login_as(user)
+    define_permission!(user, :read, project)
+  end
+
+  scenario "Listing all projects" do
+    visit "/"
+    click_link project.name
 
-feature 'Viewing projects' do
-  scenario 'Listing all projects' do
-    project = FactoryGirl.create(:project, name: 'Sublime Text 3')
-    visit '/'
-    click_link 'Sublime Text 3'
     expect(page.current_url).to eql(project_url(project))
   end
 end
diff --git a/ticketee/spec/features/viewing_tickets_spec.rb b/ticketee/spec/features/viewing_tickets_spec.rb
@@ -4,6 +4,7 @@
   before do
     user = FactoryGirl.create(:user)
     sublime = FactoryGirl.create(:project, name: "Sublime Text 3")
+    define_permission!(user, "read", sublime)
 
     FactoryGirl.create(:ticket,
       project: sublime,
@@ -12,12 +13,15 @@
       author: user)
 
     ie = FactoryGirl.create(:project, name: "Internet Explorer")
+    define_permission!(user, "read", ie)
     FactoryGirl.create(:ticket,
       project: ie,
       title: "Standards compliance",
       description: "Isn't a joke.",
       author: user)
 
+    login_as(user)
+
     visit "/"
   end
 
diff --git a/ticketee/spec/support/authorization_helpers.rb b/ticketee/spec/support/authorization_helpers.rb
@@ -0,0 +1,11 @@
+module AuthorizationHelpers
+  def define_permission!(user, action, thing)
+    Permission.create!(user: user,
+                       action: action,
+                       thing: thing)
+  end
+end
+
+RSpec.configure do |c|
+  c.include AuthorizationHelpers
+end
