Pundit

app/controllers/application_controller.rb

@@ -1,13 +1,30 @@
 class ApplicationController < ActionController::Base
   before_action :authenticate_user!
+  include Pundit::Authorization
 
   before_action :configure_permitted_parameters, if: :devise_controller?
 
+  # Pundit: allow-list approach
+  after_action :verify_authorized, except: :index, unless: :skip_pundit?
+  after_action :verify_policy_scoped, only: :index, unless: :skip_pundit?
+
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+  def user_not_authorized
+    flash[:alert] = "You are not authorized to perform this action."
+    redirect_to(root_path)
+  end
+
   def configure_permitted_parameters
     # For additional fields in app/views/devise/registrations/new.html.erb
     devise_parameter_sanitizer.permit(:sign_up, keys: [:name, :address, :phone_number])
 
     # For additional in app/views/devise/registrations/edit.html.erb
     devise_parameter_sanitizer.permit(:account_update, keys: [:name, :address, :phone_number])
   end
+
+  private
+
+  def skip_pundit?
+    devise_controller? || params[:controller] =~ /(^(rails_)?admin)|(^pages$)/
+  end
 end

app/controllers/credit_cards_controller.rb

@@ -4,11 +4,13 @@ class CreditCardsController < ApplicationController
 
   def index
     # @credit_cards = CreditCard.all
+    # @credit_cards = policy_scope(CreditCard)
     # add a filter for user, when more than 1 credit_card
   end
 
   def new
     @credit_card = CreditCard.new
+    authorize @credit_card
   end
 
   def create
@@ -20,6 +22,7 @@ def create
     else
       render :new, status: :unprocessable_entity
     end
+    authorize @credit_card
   end
 
   def show
@@ -50,6 +53,7 @@ def destroy
 
   def set_credit_card
     @credit_card = CreditCard.find(params[:id])
+    authorize @credit_card
   end
 
   def credit_card_params

app/controllers/goals_controller.rb

@@ -2,11 +2,13 @@ class GoalsController < ApplicationController
   before_action :set_goal, only: %i[show edit destroy update]
 
   def index
-    @goals = Goal.where(user: current_user)
+    # @goals = Goal.where(user: current_user)
+    goals = policy_scope(Goal)
   end
 
   def new
     @goal = Goal.new
+    authorize @goal
   end
 
   def create
@@ -17,6 +19,7 @@ def create
     else
       render :new, status: :unprocessable_entity, notice: 'Failed to create'
     end
+    authorize @goal
   end
 
   def show
@@ -46,6 +49,7 @@ def goal_params
 
   def set_goal
     @goal = Goal.find(params[:id])
+    authorize @goal
   end
 
 end

app/controllers/pages_controller.rb

@@ -2,6 +2,7 @@ class PagesController < ApplicationController
   skip_before_action :authenticate_user!, only: [ :home ]
 
   def profile
-    @user = current_user
+    # @user = current_user
+    authorize @user
   end
 end

app/controllers/transactions_controller.rb

@@ -4,6 +4,7 @@ class TransactionsController < ApplicationController
 
   def index
     @transactions = Transaction.where(credit_card: current_user.credit_cards.first)
+    authorize @transaction
   end
 
   def create
@@ -15,9 +16,12 @@ def create
     else
       render :new, status: :unprocessable_entity
     end
+
+    authorize @transaction
   end
 
   def show
+    authorize @transaction
   end
 
   private

app/policies/application_policy.rb

@@ -9,31 +9,36 @@ def initialize(user, record)
   end
 
   def index?
-    false
+    is_owner?
   end
 
   def show?
-    false
+    is_owner?
   end
 
   def create?
-    false
+    true
   end
 
   def new?
     create?
   end
 
   def update?
-    false
+    is_owner?
   end
 
   def edit?
     update?
   end
 
   def destroy?
-    false
+    is_owner?
+  end
+
+  private
+  def is_owner?
+    record.user == user
   end
 
   class Scope

app/policies/credit_card_policy.rb

@@ -0,0 +1,8 @@
+class CreditCardPolicy < ApplicationPolicy
+  class Scope < Scope
+    # NOTE: Be explicit about which records you allow access to!
+    def resolve
+      scope.where(user:user)
+    end
+  end
+end

app/policies/goal_policy.rb

@@ -0,0 +1,8 @@
+class GoalPolicy < ApplicationPolicy
+  class Scope < Scope
+    # NOTE: Be explicit about which records you allow access to!
+    def resolve
+      scope.where(user: user)
+    end
+  end
+end

app/policies/transaction_policy.rb

@@ -0,0 +1,8 @@
+class TransactionPolicy < ApplicationPolicy
+  class Scope < Scope
+    # NOTE: Be explicit about which records you allow access to!
+    def resolve
+      scope.where(user:user)
+    end
+  end
+end

test/policies/application_record_policy_test.rb

@@ -0,0 +1,18 @@
+require 'test_helper'
+
+class ApplicationRecordPolicyTest < ActiveSupport::TestCase
+  def test_scope
+  end
+
+  def test_show
+  end
+
+  def test_create
+  end
+
+  def test_update
+  end
+
+  def test_destroy
+  end
+end

test/policies/credit_card_policy_test.rb

@@ -0,0 +1,18 @@
+require 'test_helper'
+
+class CreditCardPolicyTest < ActiveSupport::TestCase
+  def test_scope
+  end
+
+  def test_show
+  end
+
+  def test_create
+  end
+
+  def test_update
+  end
+
+  def test_destroy
+  end
+end

test/policies/goal_policy_test.rb

@@ -0,0 +1,18 @@
+require 'test_helper'
+
+class GoalPolicyTest < ActiveSupport::TestCase
+  def test_scope
+  end
+
+  def test_show
+  end
+
+  def test_create
+  end
+
+  def test_update
+  end
+
+  def test_destroy
+  end
+end

test/policies/transaction_policy_test.rb

@@ -0,0 +1,18 @@
+require 'test_helper'
+
+class TransactionPolicyTest < ActiveSupport::TestCase
+  def test_scope
+  end
+
+  def test_show
+  end
+
+  def test_create
+  end
+
+  def test_update
+  end
+
+  def test_destroy
+  end
+end

test/policies/user_policy_test.rb

@@ -0,0 +1,18 @@
+require 'test_helper'
+
+class UserPolicyTest < ActiveSupport::TestCase
+  def test_scope
+  end
+
+  def test_show
+  end
+
+  def test_create
+  end
+
+  def test_update
+  end
+
+  def test_destroy
+  end
+end