diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 9752300..9f3ed80 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,8 +1,19 @@ class ApplicationController < ActionController::Base before_action :authenticate_user! + include Pundit::Authorization before_action :configure_permitted_parameters, if: :devise_controller? + # Pundit: allow-list approach + after_action :verify_authorized, except: :index, unless: :skip_pundit? + after_action :verify_policy_scoped, only: :index, unless: :skip_pundit? + + rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized + def user_not_authorized + flash[:alert] = "You are not authorized to perform this action." + redirect_to(root_path) + end + def configure_permitted_parameters # For additional fields in app/views/devise/registrations/new.html.erb devise_parameter_sanitizer.permit(:sign_up, keys: [:name, :address, :phone_number]) @@ -10,4 +21,10 @@ def configure_permitted_parameters # For additional in app/views/devise/registrations/edit.html.erb devise_parameter_sanitizer.permit(:account_update, keys: [:name, :address, :phone_number]) end + + private + + def skip_pundit? + devise_controller? || params[:controller] =~ /(^(rails_)?admin)|(^pages$)/ + end end diff --git a/app/controllers/credit_cards_controller.rb b/app/controllers/credit_cards_controller.rb index 5edce7a..84cb2ba 100644 --- a/app/controllers/credit_cards_controller.rb +++ b/app/controllers/credit_cards_controller.rb @@ -4,11 +4,13 @@ class CreditCardsController < ApplicationController def index # @credit_cards = CreditCard.all + # @credit_cards = policy_scope(CreditCard) # add a filter for user, when more than 1 credit_card end def new @credit_card = CreditCard.new + authorize @credit_card end def create @@ -20,6 +22,7 @@ def create else render :new, status: :unprocessable_entity end + authorize @credit_card end def show 
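Review bot: `user_not_authorized` is defined in the public section of ApplicationController, so it becomes a public controller method (it shows up in `action_methods`) even though it is only a `rescue_from` handler; move it below the `private` marker this commit adds in the next hunk, or add `private :user_not_authorized` right after the definition. Because the handler responds with `redirect_to(root_path)`, any action that calls `authorize` after it has already rendered or redirected will raise `ActionController::DoubleRenderError` instead of showing the flash; the `create` actions changed in this commit do exactly that. A comment above the handler such as `# Runs only if authorize raises before the action responds` would keep that ordering constraint visible.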
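Review bot: `skip_pundit?` anchors its regex with `^` and `$`, which match at line boundaries in Ruby; `params[:controller]` is set by the router rather than by the client, so this is not exploitable here, but the full-string anchors are the correct form and `match?` avoids allocating a MatchData: `params[:controller].match?(%r{\A(rails_)?admin|\Apages\z})`. The `pages` exemption also turns off `verify_authorized` for the whole PagesController, including `profile`, which renders per-user data; it is only covered because `profile` calls `authorize` explicitly, so consider exempting just the public `home` action instead of the controller. `configure_permitted_parameters` begins outside this hunk.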
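Review bot: `index` leaves `policy_scope(CreditCard)` commented out, so no scope is applied and `@credit_cards` is never assigned, yet `verify_policy_scoped` (added to ApplicationController for `index`) still runs after the action; it raises `Pundit::PolicyScopingNotPerformedError`, which the `rescue_from Pundit::NotAuthorizedError` handler does not catch, so every request to this index should fail. The line to restore is `@credit_cards = policy_scope(CreditCard)`, and the stale `CreditCard.all` comment can go with it. Whether the view iterates `@credit_cards` cannot be confirmed from this hunk.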
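Review bot: `authorize @credit_card` is placed after the `if @credit_card.save ... else ... end` block, so the record is persisted and the response already rendered or redirected before the policy is consulted; with the current `create?` returning `true` nothing is denied, but as soon as it checks anything the denial arrives after the write and the handler's second `redirect_to` raises `ActionController::DoubleRenderError`. Move the call to immediately after the record is built — presumably the `@credit_card = CreditCard.new(credit_card_params)` line above this hunk — so that `authorize @credit_card` precedes `save`. The same late placement is in GoalsController#create and TransactionsController#create in this commit. `create`'s body starts outside the hunk.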
@@ -50,6 +53,7 @@ def destroy def set_credit_card @credit_card = CreditCard.find(params[:id]) + authorize @credit_card end def credit_card_params diff --git a/app/controllers/goals_controller.rb b/app/controllers/goals_controller.rb index 361f170..20a4224 100644 --- a/app/controllers/goals_controller.rb +++ b/app/controllers/goals_controller.rb @@ -2,11 +2,13 @@ class GoalsController < ApplicationController before_action :set_goal, only: %i[show edit destroy update] def index - @goals = Goal.where(user: current_user) + # @goals = Goal.where(user: current_user) + goals = policy_scope(Goal) end def new @goal = Goal.new + authorize @goal end def create @@ -17,6 +19,7 @@ def create else render :new, status: :unprocessable_entity, notice: 'Failed to create' end + authorize @goal end def show @@ -46,6 +49,7 @@ def goal_params def set_goal @goal = Goal.find(params[:id]) + authorize @goal end end diff --git a/app/controllers/pages_controller.rb b/app/controllers/pages_controller.rb index 23effd0..2180066 100644 --- a/app/controllers/pages_controller.rb +++ b/app/controllers/pages_controller.rb @@ -2,6 +2,7 @@ class PagesController < ApplicationController skip_before_action :authenticate_user!, only: [ :home ] def profile - @user = current_user + # @user = current_user + authorize @user end end diff --git a/app/controllers/transactions_controller.rb b/app/controllers/transactions_controller.rb index 7a75995..5a23ff1 100644 --- a/app/controllers/transactions_controller.rb +++ b/app/controllers/transactions_controller.rb @@ -4,6 +4,7 @@ class TransactionsController < ApplicationController def index @transactions = Transaction.where(credit_card: current_user.credit_cards.first) + authorize @transaction end def create @@ -15,9 +16,12 @@ def create else render :new, status: :unprocessable_entity end + + authorize @transaction end def show + authorize @transaction end private 
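Review bot: `goals = policy_scope(Goal)` assigns a local variable, so `@goals`, which the removed line set and the view presumably reads, is now always nil; `verify_policy_scoped` is satisfied because `policy_scope` was called, so this fails silently with an empty list rather than an error. The line should be `@goals = policy_scope(Goal)`, and the commented-out `Goal.where(user: current_user)` should be removed rather than kept as dead text.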
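Review bot: `profile` comments out `@user = current_user` and then calls `authorize @user`, so `authorize` receives nil; Pundit has no policy for NilClass and should raise `Pundit::NotDefinedError`, which the NotAuthorizedError handler does not rescue, and even with `@user` set the implied query `profile?` is not defined on ApplicationPolicy and no UserPolicy exists in this commit (only its empty test stub). Restore `@user = current_user`; since the page shows the authenticated user's own profile, `authorize` adds nothing here, and if a UserPolicy is added later it should compare `record == user` rather than reuse `is_owner?`, whose `record.user` a User record does not respond to. The `pages` controller is exempted from `verify_authorized` in ApplicationController, so this explicit call is the only check on the action.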
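Review bot: `index` assigns `@transactions` but the added line is `authorize @transaction` (singular), an instance variable never set in this action, so `authorize` is called with nil and fails with a Pundit error the NotAuthorizedError handler does not rescue. Since `index` is covered by `verify_policy_scoped` rather than `verify_authorized`, the intended call is `@transactions = policy_scope(Transaction)` with the `authorize` line removed. Before switching, check that TransactionPolicy::Scope's `scope.where(user: user)` matches the schema: the existing query filters transactions by `credit_card`, which suggests Transaction may have no direct `user` association, in which case the scope has to go through the card.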
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb index e000cba..b784f2c 100644 --- a/app/policies/application_policy.rb +++ b/app/policies/application_policy.rb @@ -9,15 +9,15 @@ def initialize(user, record) end def index? - false + is_owner? end def show? - false + is_owner? end def create? - false + true end def new? @@ -25,7 +25,7 @@ def new? end def update? - false + is_owner? end def edit? @@ -33,7 +33,12 @@ def edit? end def destroy? - false + is_owner? + end + + private + def is_owner? + record.user == user end class Scope diff --git a/app/policies/credit_card_policy.rb b/app/policies/credit_card_policy.rb new file mode 100644 index 0000000..740f2cc --- /dev/null +++ b/app/policies/credit_card_policy.rb @@ -0,0 +1,8 @@ +class CreditCardPolicy < ApplicationPolicy + class Scope < Scope + # NOTE: Be explicit about which records you allow access to! + def resolve + scope.where(user:user) + end + end +end diff --git a/app/policies/goal_policy.rb b/app/policies/goal_policy.rb new file mode 100644 index 0000000..6cb85ee --- /dev/null +++ b/app/policies/goal_policy.rb @@ -0,0 +1,8 @@ +class GoalPolicy < ApplicationPolicy + class Scope < Scope + # NOTE: Be explicit about which records you allow access to! + def resolve + scope.where(user: user) + end + end +end diff --git a/app/policies/transaction_policy.rb b/app/policies/transaction_policy.rb new file mode 100644 index 0000000..ead3b56 --- /dev/null +++ b/app/policies/transaction_policy.rb @@ -0,0 +1,8 @@ +class TransactionPolicy < ApplicationPolicy + class Scope < Scope + # NOTE: Be explicit about which records you allow access to! + def resolve + scope.where(user:user) + end + end +end diff --git a/test/policies/application_record_policy_test.rb b/test/policies/application_record_policy_test.rb new file mode 100644 index 0000000..5d4b95a --- /dev/null +++ b/test/policies/application_record_policy_test.rb 
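Review bot: `create?` now returns `true` unconditionally, so a new record's ownership is never checked at authorization time; whether that matters depends on how the controllers assign `user` on the new record, which is outside this diff — if the owner can come from strong parameters, a signed-in user could create records attributed to another account. The safer pattern is to build through the association (`current_user.credit_cards.new(credit_card_params)`, mirroring the existing `current_user.credit_cards` use in TransactionsController) and have `create?` check ownership like the other queries. `index?` now calls `record.user`, which raises `NoMethodError` if a controller ever authorizes the class (`authorize CreditCard`) rather than an instance; nothing in this diff does, but the Pundit convention is for `index?` to return `true` and let the Scope filter. The later hunks of this file change `update?` and `destroy?` the same way and are fine for instances.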
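Review bot: `is_owner?` compares `record.user == user`, which is true when both sides are nil — an ownerless record would be authorized to a nil user if this policy is ever evaluated outside a controller guarded by `authenticate_user!` (views, mailers, the new policy tests) — and it raises `NoMethodError` for records without a `user` association (a User record, and possibly Transaction, which the transactions index filters by `credit_card`). Guard the user explicitly, `user.present? && record.user == user`, and rename the predicate `owner?` per Ruby convention (no `is_` prefix), updating the four callers in the earlier hunks of this file. A blank line after `private` would match the file's spacing.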
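Review bot: `scope.where(user:user)` is missing the space after the colon; Ruby parses it, but the style-guide form is `scope.where(user: user)`, as the sibling GoalPolicy already writes it, and TransactionPolicy in this commit has the same omission. The generator's `# NOTE: Be explicit ...` comment can be replaced with a one-line statement of what this scope does, e.g. `# Only the cards belonging to the current user.`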
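Review bot: `scope.where(user:user)` assumes a `user` association on Transaction, but the only Transaction query visible in this diff (`TransactionsController#index`) filters by `credit_card`, and `is_owner?` likewise calls `record.user`; if a transaction is owned only through its card, both raise and this policy authorizes nothing. Confirm the schema and, if there is no direct association, scope through the card (join on `credit_card` and filter by the card's user) and override `show?`/`update?`/`destroy?` here to compare `record.credit_card.user == user`. The empty TransactionPolicyTest added in this commit is the place to pin this down.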
@@ -0,0 +1,18 @@ +require 'test_helper' + +class ApplicationRecordPolicyTest < ActiveSupport::TestCase + def test_scope + end + + def test_show + end + + def test_create + end + + def test_update + end + + def test_destroy + end +end diff --git a/test/policies/credit_card_policy_test.rb b/test/policies/credit_card_policy_test.rb new file mode 100644 index 0000000..eff1483 --- /dev/null +++ b/test/policies/credit_card_policy_test.rb @@ -0,0 +1,18 @@ +require 'test_helper' + +class CreditCardPolicyTest < ActiveSupport::TestCase + def test_scope + end + + def test_show + end + + def test_create + end + + def test_update + end + + def test_destroy + end +end diff --git a/test/policies/goal_policy_test.rb b/test/policies/goal_policy_test.rb new file mode 100644 index 0000000..7a3c71b --- /dev/null +++ b/test/policies/goal_policy_test.rb @@ -0,0 +1,18 @@ +require 'test_helper' + +class GoalPolicyTest < ActiveSupport::TestCase + def test_scope + end + + def test_show + end + + def test_create + end + + def test_update + end + + def test_destroy + end +end diff --git a/test/policies/transaction_policy_test.rb b/test/policies/transaction_policy_test.rb new file mode 100644 index 0000000..631bb22 --- /dev/null +++ b/test/policies/transaction_policy_test.rb @@ -0,0 +1,18 @@ +require 'test_helper' + +class TransactionPolicyTest < ActiveSupport::TestCase + def test_scope + end + + def test_show + end + + def test_create + end + + def test_update + end + + def test_destroy + end +end diff --git a/test/policies/user_policy_test.rb b/test/policies/user_policy_test.rb new file mode 100644 index 0000000..577ac60 --- /dev/null +++ b/test/policies/user_policy_test.rb @@ -0,0 +1,18 @@ +require 'test_helper' + +class UserPolicyTest < ActiveSupport::TestCase + def test_scope + end + + def test_show + end + + def test_create + end + + def test_update + end + + def test_destroy + end +end
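Review bot: Every test method in this file is empty, so the suite reports them as passing while asserting nothing about authorization; the same applies to credit_card_policy_test.rb, goal_policy_test.rb, transaction_policy_test.rb and user_policy_test.rb added in this commit, and `UserPolicyTest` targets a policy that does not exist yet. Either mark them pending with `skip "not implemented"` as the body or give each a real assertion, for example (fixture names illustrative) `refute GoalPolicy.new(users(:other), goals(:one)).show?` alongside `assert GoalPolicy.new(users(:one), goals(:one)).show?`. The class name `ApplicationRecordPolicyTest` also does not match the policy under test, `ApplicationPolicy`.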