From 968b1fb5b2b3ddd7b5d90a54b94f752c0f92ed6a Mon Sep 17 00:00:00 2001
From: Mariana Doldan
Date: Wed, 31 May 2023 23:30:16 -0300
Subject: [PATCH 1/3] credit card authorization implemented
---
 app/controllers/application_controller.rb | 11 +++++++++++
 app/controllers/credit_cards_controller.rb | 6 ++++++
 app/policies/application_policy.rb | 15 ++++++++++-----
 app/policies/credit_card_policy.rb | 8 ++++++++
 app/policies/goal_policy.rb | 8 ++++++++
 app/policies/transaction_policy.rb | 8 ++++++++
 app/policies/user_policy.rb | 8 ++++++++
 .../policies/application_record_policy_test.rb | 18 ++++++++++++++++++
 test/policies/credit_card_policy_test.rb | 18 ++++++++++++++++++
 test/policies/goal_policy_test.rb | 18 ++++++++++++++++++
 test/policies/transaction_policy_test.rb | 18 ++++++++++++++++++
 test/policies/user_policy_test.rb | 18 ++++++++++++++++++
 12 files changed, 149 insertions(+), 5 deletions(-)
 create mode 100644 app/policies/credit_card_policy.rb
 create mode 100644 app/policies/goal_policy.rb
 create mode 100644 app/policies/transaction_policy.rb
 create mode 100644 app/policies/user_policy.rb
 create mode 100644 test/policies/application_record_policy_test.rb
 create mode 100644 test/policies/credit_card_policy_test.rb
 create mode 100644 test/policies/goal_policy_test.rb
 create mode 100644 test/policies/transaction_policy_test.rb
 create mode 100644 test/policies/user_policy_test.rb
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 9752300..810fc39 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,8 +1,13 @@ class ApplicationController < ActionController::Base before_action :authenticate_user! + include Pundit::Authorization before_action :configure_permitted_parameters, if: :devise_controller? + # Pundit: allow-list approach + after_action :verify_authorized, except: :index, unless: :skip_pundit? + after_action :verify_policy_scoped, only: :index, unless: :skip_pundit? + def configure_permitted_parameters # For additional fields in app/views/devise/registrations/new.html.erb devise_parameter_sanitizer.permit(:sign_up, keys: [:name, :address, :phone_number]) @@ -10,4 +15,10 @@ def configure_permitted_parameters # For additional in app/views/devise/registrations/edit.html.erb devise_parameter_sanitizer.permit(:account_update, keys: [:name, :address, :phone_number]) end + + private + + def skip_pundit? + devise_controller? || params[:controller] =~ /(^(rails_)?admin)|(^pages$)/ + end end diff --git a/app/controllers/credit_cards_controller.rb b/app/controllers/credit_cards_controller.rb index 5edce7a..dd62bf0 100644 --- a/app/controllers/credit_cards_controller.rb +++ b/app/controllers/credit_cards_controller.rb @@ -9,6 +9,7 @@ def index def new @credit_card = CreditCard.new + authorize @credit_card end def create @@ -20,16 +21,20 @@ def create else render :new, status: :unprocessable_entity end + authorize @credit_card end def show + authorize @credit_card end def edit + authorize @credit_card end # If User decide to change an information on the credit card (ex.wrong info) def update + authorize @credit_card if @credit_card.update(credit_card_params) redirect_to credit_card_path, notice: 'Credit card was successfully updated.' else @@ -38,6 +43,7 @@ def update end def destroy + authorize @credit_card @credit_card.destroy redirect_to credit_cards_path, notice: 'Credit card was successfully destroyed.' end diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb index e000cba..b784f2c 100644 
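Review bot: `skip_pundit?` anchors its regex with `^`/`$`, which in Ruby match at line boundaries rather than at the ends of the string; `params[:controller]` is set by the router rather than by the client, so this is not exploitable here, but the idiom for a whole-string match is `\A`/`\z` with `match?`, e.g. `devise_controller? || params[:controller].to_s.match?(/\A(rails_)?admin|\Apages\z/)`. Note also that `verify_authorized` and `verify_policy_scoped` are after_actions: they only detect a forgotten `authorize`/`policy_scope` once the action body has already run, so they are a development-time safety net and every action still needs its own `authorize` call before it touches the record.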
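Review bot: In `CreditCardsController#create` the new `authorize @credit_card` line sits after the `redirect_to`/`render` branch, so the record is saved and the response built before the policy is consulted; if the check ever failed, the redirect in the `rescue_from` handler added in the third patch would collide with the already-rendered response. Move it ahead of the save, right after the `CreditCard.new(...)` assignment (the start of `create` is outside the hunk). The same ordering appears in `GoalsController#create` and `TransactionsController#create` in the second patch, and the second patch leaves this `create` line where it is. With `create?` returning `true` the check cannot currently fail, which is why it goes unnoticed.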
--- a/app/policies/application_policy.rb +++ b/app/policies/application_policy.rb @@ -9,15 +9,15 @@ def initialize(user, record) end def index? - false + is_owner? end def show? - false + is_owner? end def create? - false + true end def new? @@ -25,7 +25,7 @@ def new? end def update? - false + is_owner? end def edit? @@ -33,7 +33,12 @@ def edit? end def destroy? - false + is_owner? + end + + private + def is_owner? + record.user == user end class Scope diff --git a/app/policies/credit_card_policy.rb b/app/policies/credit_card_policy.rb new file mode 100644 index 0000000..7da33ba --- /dev/null +++ b/app/policies/credit_card_policy.rb @@ -0,0 +1,8 @@ +class CreditCardPolicy < ApplicationPolicy + class Scope < Scope + # NOTE: Be explicit about which records you allow access to! + # def resolve + # scope.all + # end + end +end diff --git a/app/policies/goal_policy.rb b/app/policies/goal_policy.rb new file mode 100644 index 0000000..ed64b10 --- /dev/null +++ b/app/policies/goal_policy.rb @@ -0,0 +1,8 @@ +class GoalPolicy < ApplicationPolicy + class Scope < Scope + # NOTE: Be explicit about which records you allow access to! + # def resolve + # scope.all + # end + end +end diff --git a/app/policies/transaction_policy.rb b/app/policies/transaction_policy.rb new file mode 100644 index 0000000..2a73e66 --- /dev/null +++ b/app/policies/transaction_policy.rb @@ -0,0 +1,8 @@ +class TransactionPolicy < ApplicationPolicy + class Scope < Scope + # NOTE: Be explicit about which records you allow access to! + # def resolve + # scope.all + # end + end +end diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb new file mode 100644 index 0000000..a9772c4 --- /dev/null +++ b/app/policies/user_policy.rb @@ -0,0 +1,8 @@ +class UserPolicy < ApplicationPolicy + class Scope < Scope + # NOTE: Be explicit about which records you allow access to! + # def resolve + # scope.all + # end + end +end 
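Review bot: `is_owner?` compares `record.user == user` without checking that `user` is present, so a record with no owner and a `nil` user compare equal and every ownership predicate passes; guard it, `user.present? && record.user == user` (every controller here runs `authenticate_user!`, but `PagesController` skips it for `home`). The same helper backs `TransactionPolicy`, and the transactions controller looks records up by `credit_card` rather than `user`, so unless `Transaction` exposes a `user` method this raises `NoMethodError` (a 500) instead of denying access — confirm against the model. `index?` also calls `record.user`, which fails if a controller ever passes the class to `authorize` for an index action. Ruby predicates drop the `is_` prefix: `owner?`.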
diff --git a/test/policies/application_record_policy_test.rb b/test/policies/application_record_policy_test.rb
new file mode 100644
index 0000000..5d4b95a
--- /dev/null
+++ b/test/policies/application_record_policy_test.rb
@@ -0,0 +1,18 @@
+require 'test_helper'
+
+class ApplicationRecordPolicyTest < ActiveSupport::TestCase
+ def test_scope
+ end
+
+ def test_show
+ end
+
+ def test_create
+ end
+
+ def test_update
+ end
+
+ def test_destroy
+ end
+end
diff --git a/test/policies/credit_card_policy_test.rb b/test/policies/credit_card_policy_test.rb
new file mode 100644
index 0000000..eff1483
--- /dev/null
+++ b/test/policies/credit_card_policy_test.rb
@@ -0,0 +1,18 @@
+require 'test_helper'
+
+class CreditCardPolicyTest < ActiveSupport::TestCase
+ def test_scope
+ end
+
+ def test_show
+ end
+
+ def test_create
+ end
+
+ def test_update
+ end
+
+ def test_destroy
+ end
+end
diff --git a/test/policies/goal_policy_test.rb b/test/policies/goal_policy_test.rb
new file mode 100644
index 0000000..7a3c71b
--- /dev/null
+++ b/test/policies/goal_policy_test.rb
@@ -0,0 +1,18 @@
+require 'test_helper'
+
+class GoalPolicyTest < ActiveSupport::TestCase
+ def test_scope
+ end
+
+ def test_show
+ end
+
+ def test_create
+ end
+
+ def test_update
+ end
+
+ def test_destroy
+ end
+end
diff --git a/test/policies/transaction_policy_test.rb b/test/policies/transaction_policy_test.rb
new file mode 100644
index 0000000..631bb22
--- /dev/null
+++ b/test/policies/transaction_policy_test.rb
@@ -0,0 +1,18 @@
+require 'test_helper'
+
+class TransactionPolicyTest < ActiveSupport::TestCase
+ def test_scope
+ end
+
+ def test_show
+ end
+
+ def test_create
+ end
+
+ def test_update
+ end
+
+ def test_destroy
+ end
+end
diff --git a/test/policies/user_policy_test.rb b/test/policies/user_policy_test.rb
new file mode 100644
index 0000000..577ac60
--- /dev/null
+++ b/test/policies/user_policy_test.rb
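Review bot: Every test method in these four policy test files (and in `user_policy_test.rb`, whose hunk continues on the next line) has an empty body, so the suite passes without asserting anything about authorization — the area where a silent regression matters most. Each stub should pin one expectation in both directions, e.g. `assert CreditCardPolicy.new(owner, card).show?` and `refute CreditCardPolicy.new(other_user, card).show?` (fixture names constructed for illustration), or be removed until written. `ApplicationRecordPolicyTest` also names a class that does not exist in this patch; the base policy is `ApplicationPolicy`.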
@@ -0,0 +1,18 @@ +require 'test_helper' + +class UserPolicyTest < ActiveSupport::TestCase + def test_scope + end + + def test_show + end + + def test_create + end + + def test_update + end + + def test_destroy + end +end From 83b8fa1a375cf1f5f1d34d22dee5af7a77aca22f Mon Sep 17 00:00:00 2001 From: Mariana Doldan Date: Fri, 2 Jun 2023 23:20:11 -0300 Subject: [PATCH 2/3] =?UTF-8?q?a=20princ=C3=ADpio,=20funcionando?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/controllers/credit_cards_controller.rb | 6 ++---- app/controllers/goals_controller.rb | 6 +++++- app/controllers/pages_controller.rb | 3 ++- app/controllers/transactions_controller.rb | 4 ++++ app/policies/credit_card_policy.rb | 6 +++--- app/policies/goal_policy.rb | 10 +++++++--- app/policies/transaction_policy.rb | 6 +++--- app/policies/user_policy.rb | 6 +++--- 8 files changed, 29 insertions(+), 18 deletions(-) diff --git a/app/controllers/credit_cards_controller.rb b/app/controllers/credit_cards_controller.rb index dd62bf0..84cb2ba 100644 --- a/app/controllers/credit_cards_controller.rb +++ b/app/controllers/credit_cards_controller.rb @@ -4,6 +4,7 @@ class CreditCardsController < ApplicationController def index # @credit_cards = CreditCard.all + # @credit_cards = policy_scope(CreditCard) # add a filter for user, when more than 1 credit_card end @@ -25,16 +26,13 @@ def create end def show - authorize @credit_card end def edit - authorize @credit_card end # If User decide to change an information on the credit card (ex.wrong info) def update - authorize @credit_card if @credit_card.update(credit_card_params) redirect_to credit_card_path, notice: 'Credit card was successfully updated.' else @@ -43,7 +41,6 @@ def update end def destroy - authorize @credit_card @credit_card.destroy redirect_to credit_cards_path, notice: 'Credit card was successfully destroyed.' end 
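Review bot: `CreditCardsController#index` now has no scoping call at all: the `policy_scope(CreditCard)` line is added commented out, so `@credit_cards` is never assigned and, because `verify_policy_scoped` runs for `index`, the after_action raises `Pundit::PolicyScopingNotPerformedError` unless the view itself calls `policy_scope`. That error is not a `Pundit::NotAuthorizedError`, so the handler added in the third patch does not catch it. Uncomment the line as `@credit_cards = policy_scope(CreditCard)` and drop the commented-out `CreditCard.all` alternative beside it.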
@@ -56,6 +53,7 @@ def destroy def set_credit_card @credit_card = CreditCard.find(params[:id]) + authorize @credit_card end def credit_card_params diff --git a/app/controllers/goals_controller.rb b/app/controllers/goals_controller.rb index 361f170..20a4224 100644 --- a/app/controllers/goals_controller.rb +++ b/app/controllers/goals_controller.rb @@ -2,11 +2,13 @@ class GoalsController < ApplicationController before_action :set_goal, only: %i[show edit destroy update] def index - @goals = Goal.where(user: current_user) + # @goals = Goal.where(user: current_user) + goals = policy_scope(Goal) end def new @goal = Goal.new + authorize @goal end def create @@ -17,6 +19,7 @@ def create else render :new, status: :unprocessable_entity, notice: 'Failed to create' end + authorize @goal end def show @@ -46,6 +49,7 @@ def goal_params def set_goal @goal = Goal.find(params[:id]) + authorize @goal end end diff --git a/app/controllers/pages_controller.rb b/app/controllers/pages_controller.rb index 23effd0..2180066 100644 --- a/app/controllers/pages_controller.rb +++ b/app/controllers/pages_controller.rb @@ -2,6 +2,7 @@ class PagesController < ApplicationController skip_before_action :authenticate_user!, only: [ :home ] def profile - @user = current_user + # @user = current_user + authorize @user end end diff --git a/app/controllers/transactions_controller.rb b/app/controllers/transactions_controller.rb index 7a75995..5a23ff1 100644 --- a/app/controllers/transactions_controller.rb +++ b/app/controllers/transactions_controller.rb @@ -4,6 +4,7 @@ class TransactionsController < ApplicationController def index @transactions = Transaction.where(credit_card: current_user.credit_cards.first) + authorize @transaction end def create @@ -15,9 +16,12 @@ def create else render :new, status: :unprocessable_entity end + + authorize @transaction end def show + authorize @transaction end private 
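Review bot: `GoalsController#index` assigns `policy_scope(Goal)` to the local variable `goals` instead of `@goals`, which the removed `Goal.where(user: current_user)` line used to set, so the view no longer sees any goals. Change it to `@goals = policy_scope(Goal)` and delete the commented-out line rather than keeping it beside the replacement. Authorizing inside `set_goal` is fine: Pundit derives the query (`show?`, `edit?`, `update?`, `destroy?`) from `action_name` when `authorize` is given no explicit query.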
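Review bot: `PagesController#profile` now calls `authorize @user` with `@user` never assigned — the `current_user` assignment was commented out — so Pundit raises `Pundit::NotDefinedError` for a `nil` record and the view also loses `@user`. Keep `@user = current_user` and authorize that instead. Note that the third patch deletes `UserPolicy` entirely, after which `authorize` on a `User` raises `NotDefinedError` as well, so either restore that policy or drop the `authorize` call here (`pages` is already excluded by `skip_pundit?`, so no after_action will complain).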
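Review bot: `TransactionsController#index` calls `authorize @transaction`, but the action sets `@transactions` (plural); `@transaction` is `nil`, so Pundit raises `Pundit::NotDefinedError` on every index request. The intended call for a collection is `@transactions = policy_scope(Transaction)`, which also satisfies `verify_policy_scoped` — the current `Transaction.where(credit_card: current_user.credit_cards.first)` scopes by hand and bypasses the policy, and it silently shows nothing for users with more than one card. `show` depends on a before_action assigning `@transaction`, which is outside the hunk; confirm it runs for `show`.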
diff --git a/app/policies/credit_card_policy.rb b/app/policies/credit_card_policy.rb
index 7da33ba..740f2cc 100644
--- a/app/policies/credit_card_policy.rb
+++ b/app/policies/credit_card_policy.rb
@@ -1,8 +1,8 @@
 class CreditCardPolicy < ApplicationPolicy
 class Scope < Scope
 # NOTE: Be explicit about which records you allow access to!
- # def resolve
- # scope.all
- # end
+ def resolve
+ scope.where(user:user)
+ end
 end
 end
diff --git a/app/policies/goal_policy.rb b/app/policies/goal_policy.rb
index ed64b10..3bfb22d 100644
--- a/app/policies/goal_policy.rb
+++ b/app/policies/goal_policy.rb
@@ -1,8 +1,12 @@
 class GoalPolicy < ApplicationPolicy
 class Scope < Scope
 # NOTE: Be explicit about which records you allow access to!
- # def resolve
- # scope.all
- # end
+ def resolve
+ scope.where(user:user)
+ end
+
+ def new
+ true
+ end
 end
 end
diff --git a/app/policies/transaction_policy.rb b/app/policies/transaction_policy.rb
index 2a73e66..ead3b56 100644
--- a/app/policies/transaction_policy.rb
+++ b/app/policies/transaction_policy.rb
@@ -1,8 +1,8 @@
 class TransactionPolicy < ApplicationPolicy
 class Scope < Scope
 # NOTE: Be explicit about which records you allow access to!
- # def resolve
- # scope.all
- # end
+ def resolve
+ scope.where(user:user)
+ end
 end
 end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index a9772c4..af4761c 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -1,8 +1,8 @@
 class UserPolicy < ApplicationPolicy
 class Scope < Scope
 # NOTE: Be explicit about which records you allow access to!
- # def resolve
- # scope.all
- # end
+ def resolve
+ scope.all
+ end
 end
 end
From fab2814293d4b15c706657ccc919f4cca3b149ee Mon Sep 17 00:00:00 2001
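Review bot: `TransactionPolicy::Scope#resolve` filters with `scope.where(user:user)`, but the transactions controller reaches records through `credit_card` (`Transaction.where(credit_card: ...)`), which suggests `Transaction` has no `user` column; if so the query raises at runtime instead of restricting rows — confirm against the schema and, if transactions hang off credit cards, scope through that association, e.g. `scope.joins(:credit_card).where(credit_cards: { user_id: user.id })`. `UserPolicy::Scope#resolve` returning `scope.all` would expose every user to any signed-in user, though the third patch deletes that file. The `user:user` spacing the third patch fixes in `GoalPolicy` is also present in `CreditCardPolicy` and `TransactionPolicy`, and the generator's `# NOTE: Be explicit…` comment can go now that `resolve` is implemented.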
From: Mariana Doldan Date: Sat, 3 Jun 2023 11:53:32 -0300 Subject: [PATCH 3/3] done & reviewed --- app/controllers/application_controller.rb | 6 ++++++ app/policies/goal_policy.rb | 6 +----- app/policies/user_policy.rb | 8 -------- 3 files changed, 7 insertions(+), 13 deletions(-) delete mode 100644 app/policies/user_policy.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 810fc39..9f3ed80 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -8,6 +8,12 @@ class ApplicationController < ActionController::Base after_action :verify_authorized, except: :index, unless: :skip_pundit? after_action :verify_policy_scoped, only: :index, unless: :skip_pundit? + rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized + def user_not_authorized + flash[:alert] = "You are not authorized to perform this action." + redirect_to(root_path) + end + def configure_permitted_parameters # For additional fields in app/views/devise/registrations/new.html.erb devise_parameter_sanitizer.permit(:sign_up, keys: [:name, :address, :phone_number]) diff --git a/app/policies/goal_policy.rb b/app/policies/goal_policy.rb index 3bfb22d..6cb85ee 100644 --- a/app/policies/goal_policy.rb +++ b/app/policies/goal_policy.rb @@ -2,11 +2,7 @@ class GoalPolicy < ApplicationPolicy class Scope < Scope # NOTE: Be explicit about which records you allow access to! def resolve - scope.where(user:user) - end - - def new - true + scope.where(user: user) end end end diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb deleted file mode 100644 index af4761c..0000000 --- a/app/policies/user_policy.rb +++ /dev/null @@ -1,8 +0,0 @@ -class UserPolicy < ApplicationPolicy - class Scope < Scope - # NOTE: Be explicit about which records you allow access to! - def resolve - scope.all - end - end -end
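Review bot: `user_not_authorized` is defined above the `private` marker, so it is a public controller method and Rails counts it among the controller's action methods; move it under `private` next to `skip_pundit?` (the `private` section is outside this hunk). The handler also redirects unconditionally, which for a non-HTML request turns a denial into a 302 to the root page; nothing in the series shows non-HTML routes, but if any exist, answer those with `head :forbidden` instead. The `rescue_from` line itself is fine and belongs with the other class-level macros where it sits.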