Merge pull request #3100 from DMPRoadmap/authorize_scan

based on scan of authorize statements

app/controllers/contributors_controller.rb

@@ -30,7 +30,7 @@ def edit
   # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
   # POST /plans/:plan_id/contributors
   def create
-    authorize @plan
+    authorize @plan, :edit?
 
     args = translate_roles(hash: contributor_params)
     args = process_org(hash: args)

app/controllers/org_admin/phase_versions_controller.rb

@@ -8,7 +8,7 @@ class PhaseVersionsController < ApplicationController
     # POST /org_admin/templates/:template_id/phases/:phase_id/versions
     def create
       @phase = Phase.find(params[:phase_id])
-      authorize @phase, :create?
+      authorize @phase
       @new_phase = get_modifiable(@phase)
       flash[:notice] = if @new_phase == @phase
                          'This template is already a draft'

app/controllers/paginable/plans_controller.rb

@@ -7,7 +7,7 @@ class PlansController < ApplicationController
 
     # /paginable/plans/privately_visible/:page
     def privately_visible
-      raise Pundit::NotAuthorizedError unless Paginable::PlanPolicy.new(current_user).privately_visible?
+      authorize Plan
 
       paginable_renderise(
         partial: 'privately_visible',
@@ -19,9 +19,7 @@ def privately_visible
 
     # GET /paginable/plans/organisationally_or_publicly_visible/:page
     def organisationally_or_publicly_visible
-      unless Paginable::PlanPolicy.new(current_user).organisationally_or_publicly_visible?
-        raise Pundit::NotAuthorizedError
-      end
+      authorize Plan
 
       paginable_renderise(
         partial: 'organisationally_or_publicly_visible',

app/policies/department_policy.rb

@@ -5,6 +5,11 @@
 class DepartmentPolicy < ApplicationPolicy
   # NOTE: @user is the signed_in_user and @record is an instance of Department
 
+  def index?
+    (@user.can_org_admin? && @user.org.id == @department.org_id) ||
+      @user.can_super_admin?
+  end
+
   def new?
     @user.can_org_admin? || @user.can_super_admin?
   end

app/policies/phase_policy.rb

@@ -12,30 +12,34 @@ class PhasePolicy < ApplicationPolicy
   #  - The template which they are modifying belongs to their org
 
   def show?
-    @user.can_modify_templates?  && (@record.template.org_id == @user.org_id)
+    @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
   end
 
   def preview?
-    @user.can_modify_templates?  &&  (@record.template.org_id == @user.org_id)
+    @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
+  end
+
+  def edit?
+    user.can_modify_templates? && (@record.template.org_id == user.org_id)
   end
 
   def update?
-    @user.can_modify_templates?  &&  (@record.template.org_id == @user.org_id)
+    @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
   end
 
   def new?
-    @user.can_modify_templates?  && (@record.template.org_id == @user.org_id)
+    @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
   end
 
   def create?
-    @user.can_modify_templates?  &&  (@record.template.org_id == @user.org_id)
+    @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
   end
 
   def destroy?
-    @user.can_modify_templates?  &&  (@record.template.org_id == @user.org_id)
+    @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
   end
 
   def sort?
-    @user.can_modify_templates?  &&  (@record.template.org_id == @user.org_id)
+    @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
   end
 end

app/policies/plan_policy.rb

@@ -5,6 +5,10 @@
 class PlanPolicy < ApplicationPolicy
   # NOTE: @user is the signed_in_user and @record is an instance of Plan
 
+  def index?
+    @user.present?
+  end
+
   def show?
     @record.readable_by?(@user.id)
   end
@@ -70,4 +74,12 @@ def select_guidances_list?
   def update_guidances_list?
     @record.editable_by?(@user.id)
   end
+
+  def privately_visible?
+    @user.present?
+  end
+
+  def organisationally_or_publicly_visible?
+    @user.present?
+  end
 end