secure the actioncable channel

restrict to company

Author: thejonroberts

NOTES.txt

@@ -35,3 +35,24 @@ When our user clicks on the "Cancel" link for the edit quote form:
 The link is within a Turbo Frame of id dom_id(quote), so Turbo will only replace the content of this frame
 The link navigates to the Quotes#index page that contains a Turbo Frame with id dom_id(quote) that contains the HTML for this quote
 Turbo replaces the content of the dom_id(quote) Frame containing the form with the HTML for this quote
+
+Wrap up
+
+Transforming our application into a real-time one only took two lines of code, thanks to Turbo Rails.
+
+In our Quote model, we set three callbacks to broadcast creations, updates, and deletions to the "quotes" stream. Thanks to the broadcasts_to method, those three callbacks can be defined in one line.
+In our Quotes#index view, we explicitly mentioned that we want to subscribe to the changes that are broadcasted to the "quotes" stream.
+
+
+DEVISE IN TESTS:
+in test_helper.rb: (ActiveSupport::TestCase)
+include Devise::Test::IntegrationHelpers
+use helper for any tests requiring user:
+sign_in users(:accountant)
+
+CHANNEL SECURITY FOR ACTIONCABLE;
+model:
+broadcasts_to ->(quote) { [quote.company, "quotes"] }, inserts_by: :prepend
+view:
+<%= turbo_stream_from(current_company, "quotes") %>
+

app/models/quote.rb

@@ -5,14 +5,5 @@ class Quote < ApplicationRecord
 
   scope :desc_id_ordered, -> { order(id: :desc) }
 
-  # QUESTIONS:
-    # - how to limit access / specify policy for channels?
-    # - how to test
-  # after_create_commit -> { broadcast_prepend_to "quotes", target: "quotes", partial: "quotes/quote", locals: { quote: self } }
-  # after_create_commit -> { broadcast_prepend_later_to "quotes" }
-  # after_update_commit -> { broadcast_replace_later_to "quotes" }
-  # Can't use self.id to broadcast later.
-  # after_destroy_commit -> { broadcast_remove_to "quotes" }
-  # The above three callbacks are equivalent to the following single line
-  broadcasts_to ->(quote) { "quotes" }, inserts_by: :prepend
+  broadcasts_to ->(quote) { [quote.company, "quotes"] }, inserts_by: :prepend
 end

app/views/quotes/index.html.erb

@@ -28,7 +28,7 @@ COMMENT
                 data: { turbo_frame: dom_id(Quote.new) } %>
   </div>
 
-  <%= turbo_stream_from "quotes" %>
+  <%= turbo_stream_from current_company, "quotes" %>
   <%= turbo_frame_tag Quote.new %>
   <%= turbo_frame_tag "quotes" do %>
     <%= render @quotes %>