From 75c266117a6b286b315b380a4ed8be5f2dc2cd88 Mon Sep 17 00:00:00 2001
From: Ray Carrick
Date: Fri, 28 Jan 2022 13:08:47 +0000
Subject: [PATCH 1/4] based on scan of authorize statements

---
 app/controllers/contributors_controller.rb | 2 +-
 .../org_admin/phase_versions_controller.rb | 2 +-
 app/controllers/paginable/plans_controller.rb | 6 ++----
 app/policies/department_policy.rb | 5 +++++
 app/policies/phase_policy.rb | 4 ++++
 app/policies/plan_policy.rb | 13 +++++++++++++
 6 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/app/controllers/contributors_controller.rb b/app/controllers/contributors_controller.rb
index a92ea5335..3c210b63d 100644
--- a/app/controllers/contributors_controller.rb
+++ b/app/controllers/contributors_controller.rb
@@ -30,7 +30,7 @@ def edit
 # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
 # POST /plans/:plan_id/contributors
 def create
- authorize @plan
+ authorize @plan, :edit?

 args = translate_roles(hash: contributor_params)
 args = process_org(hash: args)
diff --git a/app/controllers/org_admin/phase_versions_controller.rb b/app/controllers/org_admin/phase_versions_controller.rb
index 1d8ae3244..096acd486 100644
--- a/app/controllers/org_admin/phase_versions_controller.rb
+++ b/app/controllers/org_admin/phase_versions_controller.rb
@@ -8,7 +8,7 @@ class PhaseVersionsController < ApplicationController
 # POST /org_admin/templates/:template_id/phases/:phase_id/versions
 def create
 @phase = Phase.find(params[:phase_id])
- authorize @phase, :create?
+ authorize @phase
 @new_phase = get_modifiable(@phase)
 flash[:notice] = if @new_phase == @phase
 'This template is already a draft'
diff --git a/app/controllers/paginable/plans_controller.rb b/app/controllers/paginable/plans_controller.rb
index 4f17fb41a..c0c5667f6 100644
--- a/app/controllers/paginable/plans_controller.rb
+++ b/app/controllers/paginable/plans_controller.rb
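Review bot: The explicit `:edit?` query changes which PlanPolicy rule gates contributor creation — Pundit would otherwise call `create?` for this action — and nothing at the call site records why, so the next reader will take it for a typo; add `# Adding a contributor modifies the plan, so gate on PlanPolicy#edit? rather than the default create?` above the call. PlanPolicy#edit? is not part of this patch, so I cannot confirm it is an `editable_by?` check; worth verifying that collaborators with a read-only role on the plan are rejected here rather than only on the plan form. `create`'s body continues past the hunk.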
@@ -7,7 +7,7 @@ class PlansController < ApplicationController

 # /paginable/plans/privately_visible/:page
 def privately_visible
- raise Pundit::NotAuthorizedError unless Paginable::PlanPolicy.new(current_user).privately_visible?
+ authorize Plan

 paginable_renderise(
 partial: 'privately_visible',
@@ -19,9 +19,7 @@ def privately_visible

 # GET /paginable/plans/organisationally_or_publicly_visible/:page
 def organisationally_or_publicly_visible
- unless Paginable::PlanPolicy.new(current_user).organisationally_or_publicly_visible?
- raise Pundit::NotAuthorizedError
- end
+ authorize Plan

 paginable_renderise(
 partial: 'organisationally_or_publicly_visible',
diff --git a/app/policies/department_policy.rb b/app/policies/department_policy.rb
index 163274947..95018eb5c 100644
--- a/app/policies/department_policy.rb
+++ b/app/policies/department_policy.rb
@@ -5,6 +5,11 @@ class DepartmentPolicy < ApplicationPolicy

 # NOTE: @user is the signed_in_user and @record is an instance of Department

+ def index?
+ (@user.can_org_admin? && @user.org.id == @department.org_id) ||
+ @user.can_super_admin?
+ end
+
 def new?
 @user.can_org_admin? || @user.can_super_admin?
 end
diff --git a/app/policies/phase_policy.rb b/app/policies/phase_policy.rb
index 18ed60778..4ae021c72 100644
--- a/app/policies/phase_policy.rb
+++ b/app/policies/phase_policy.rb
@@ -19,6 +19,10 @@ def preview?
 @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
 end

+ def edit?
+ user.can_modify_templates? && (phase.template.org_id == user.org_id)
+ end
+
 def update?
 @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
 end
diff --git a/app/policies/plan_policy.rb b/app/policies/plan_policy.rb
index 1ba95e658..9a2581c0d 100644
--- a/app/policies/plan_policy.rb
+++ b/app/policies/plan_policy.rb
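Review bot: `authorize Plan` resolves to the top-level `PlanPolicy`, not the `Paginable::PlanPolicy` the removed lines consulted, so the rule now applied is the `@user.present?` method this same patch adds to plan_policy.rb; if `Paginable::PlanPolicy#privately_visible?` checked anything beyond a signed-in user (it is not visible here), that check is silently dropped. The same applies to the `organisationally_or_publicly_visible` hunk directly below. `Paginable::PlanPolicy` has no caller left in this patch; if nothing else references it, delete it so two policies with identical method names cannot drift apart. Both action bodies continue past their hunks.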
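Review bot: `@department` is never assigned in this policy — the NOTE line directly above says the record is `@record` — so for an org admin the left operand raises NoMethodError on nil instead of returning a decision, while a super admin never hits it; this is the same slip that PATCH 4/4 corrects in phase_policy.rb. Use `(@user.can_org_admin? && @user.org_id == @record.org_id) ||`, which also avoids dereferencing a nil `org` and matches the `@user.org_id` form used in phase_policy.rb. If `index?` is meant to be authorized with the `Department` class rather than an instance, `@record.org_id` will not exist either and the org comparison needs a different source.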
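Review bot: `user` and `phase` are bare identifiers where every sibling method in this hunk uses `@user` and `@record`; `phase` is undefined and PATCH 4/4 in this series replaces it with `@record`, but `user` survives that fix and will also raise NameError unless ApplicationPolicy defines a `user` reader (not visible here). Change the body to `@user.can_modify_templates? && (@record.template.org_id == @user.org_id)` so it matches `update?` directly below it. Since that makes it identical to `update?`, `alias edit? update?` states the intent with less to keep in sync.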
@@ -5,6 +5,10 @@ class PlanPolicy < ApplicationPolicy

 # NOTE: @user is the signed_in_user and @record is an instance of Plan

+ def index?
+ @user.present?
+ end
+
 def show?
 @record.readable_by?(@user.id)
 end
@@ -70,4 +74,13 @@ def select_guidances_list?
 def update_guidances_list?
 @record.editable_by?(@user.id)
 end
+
+ def privately_visible?
+ @user.present?
+ end
+
+ def organisationally_or_publicly_visible?
+ @user.present?
+ end
+
 end
From c068c3097391aadd9cac1f6b9ab4aeefb664a47e Mon Sep 17 00:00:00 2001
From: Ray Carrick
Date: Fri, 28 Jan 2022 13:13:15 +0000
Subject: [PATCH 2/4] Fix spacing spacing round ops

---
 app/policies/phase_policy.rb | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/app/policies/phase_policy.rb b/app/policies/phase_policy.rb
index 4ae021c72..acc11b49c 100644
--- a/app/policies/phase_policy.rb
+++ b/app/policies/phase_policy.rb
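Review bot: The three new rules `index?`, `privately_visible?` and `organisationally_or_publicly_visible?` all reduce to `@user.present?`, so `organisationally_or_publicly_visible?` does not implement the org restriction its name promises; if that scoping is done by the query in Paginable::PlansController (not visible here), record it in a comment, e.g. `# Only requires sign-in; org/public scoping is applied by the paginable query, not here.` on each of the two visibility rules. Because none of them read `@record`, they do work when authorized with the `Plan` class, which is how the paginable controller hunks call them. The two visibility rules could be `alias privately_visible? index?` and `alias organisationally_or_publicly_visible? index?` instead of repeated bodies, so a later tightening of one is a deliberate choice rather than a copy-paste miss.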
@@ -12,34 +12,34 @@ class PhasePolicy < ApplicationPolicy
 # - The template which they are modifying belongs to their org

 def show?
- @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
+ @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
 end

 def preview?
- @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
+ @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
 end

 def edit?
- user.can_modify_templates? && (phase.template.org_id == user.org_id)
+ user.can_modify_templates? && (phase.template.org_id == user.org_id)
 end

 def update?
- @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
+ @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
 end

 def new?
- @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
+ @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
 end

 def create?
- @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
+ @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
 end

 def destroy?
- @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
+ @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
 end

 def sort?
- @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
+ @user.can_modify_templates? && (@record.template.org_id == @user.org_id)
 end
 end
From 5962f2db9a288f35a2fe7a0249ff81816150b1b8 Mon Sep 17 00:00:00 2001
From: Ray Carrick
Date: Fri, 28 Jan 2022 13:15:01 +0000
Subject: [PATCH 3/4] rubocop blank live it didn't like

---
 app/policies/plan_policy.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/policies/plan_policy.rb b/app/policies/plan_policy.rb
index 9a2581c0d..a2a95f92b 100644
--- a/app/policies/plan_policy.rb
+++ b/app/policies/plan_policy.rb
@@ -82,5 +82,4 @@ def privately_visible?
 def organisationally_or_publicly_visible?
 @user.present?
 end
-
 end
From d42ab02e7e5d11447ad77f5d08f22ef5b8ba4c4d Mon Sep 17 00:00:00 2001
From: Ray Carrick
Date: Mon, 31 Jan 2022 12:42:22 +0000
Subject: [PATCH 4/4] Unknown local variable Is phase should be @record

---
 app/policies/phase_policy.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/policies/phase_policy.rb b/app/policies/phase_policy.rb
index acc11b49c..5d2b68316 100644
--- a/app/policies/phase_policy.rb
+++ b/app/policies/phase_policy.rb
@@ -20,7 +20,7 @@ def preview?
 end

 def edit?
- user.can_modify_templates? && (phase.template.org_id == user.org_id)
+ user.can_modify_templates? && (@record.template.org_id == user.org_id)
 end

 def update?