Add pundit gem

rztprog · rztprog · commit 3946156110ab · 2022-06-01T11:11:28.000+02:00
diff --git a/Gemfile b/Gemfile
@@ -31,6 +31,7 @@ gem "font-awesome-sass", "~> 5.15"
 gem "simple_form", github: "heartcombo/simple_form"
 gem 'cloudinary', '~> 1.16.0'
 gem 'devise'
+gem 'pundit'
 
 # Reduces boot times through caching; required in config/boot.rb
 gem 'bootsnap', '>= 1.4.2', require: false
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -131,6 +131,8 @@ GEM
     pg (1.3.5)
     puma (4.3.12)
       nio4r (~> 2.0)
+    pundit (2.2.0)
+      activesupport (>= 3.0.0)
     racc (1.6.0)
     rack (2.2.3)
     rack-proxy (0.7.2)
@@ -257,6 +259,7 @@ DEPENDENCIES
   listen (~> 3.2)
   pg (>= 0.18, < 2.0)
   puma (~> 4.1)
+  pundit
   rails (~> 6.1.1)
   rails-controller-testing
   rspec-rails
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,5 +1,10 @@
 class ApplicationController < ActionController::Base
   before_action :configure_permitted_parameters, if: :devise_controller?
+  before_action :authenticate_user!
+  include Pundit
+
+  after_action :verify_authorized, except: :index, unless: :skip_pundit?
+  after_action :verify_policy_scoped, only: :index, unless: :skip_pundit?
 
   def configure_permitted_parameters
     # For additional fields in app/views/devise/registrations/new.html.erb
@@ -8,5 +13,10 @@ def configure_permitted_parameters
     # For additional in app/views/devise/registrations/edit.html.erb
     devise_parameter_sanitizer.permit(:account_update, keys: [:photo, :nickname])
   end
+
+  private
+
+  def skip_pundit?
+    devise_controller? || params[:controller] =~ /(^(rails_)?admin)|(^pages$)/
+  end
 end
- 
diff --git a/app/controllers/lists_controller.rb b/app/controllers/lists_controller.rb
@@ -2,25 +2,31 @@ class ListsController < ApplicationController
   before_action :set_list, only: [:show, :edit, :update]
 
   def index
-    @lists = List.all
+    # @lists = List.all
+    @lists = policy_scope(List).all
+  
     if user_signed_in?
       @self_lists = List.where(user: current_user.id)
     end
   end
 
   def show
+    authorize @list
+
     if user_signed_in?
       @user = User.where(id: current_user.id)
     end
   end
     
   def new
     @list = List.new
+    authorize @list
   end
     
   def create
     @list = List.new(list_params)
     @list.user = current_user.id
+    authorize @list
 
     if @list.save
       redirect_to list_path(@list)
@@ -30,6 +36,7 @@ def create
   end
 
   def edit
+    authorize @list
   end
 
   def update
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+class ApplicationPolicy
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  def index?
+    false
+  end
+
+  def show?
+    false
+  end
+
+  def create?
+    false
+  end
+
+  def new?
+    create?
+  end
+
+  def update?
+    false
+  end
+
+  def edit?
+    update?
+  end
+
+  def destroy?
+    false
+  end
+
+  class Scope
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      raise NotImplementedError, "You must define #resolve in #{self.class}"
+    end
+
+    private
+
+    attr_reader :user, :scope
+  end
+end
diff --git a/app/policies/list_policy.rb b/app/policies/list_policy.rb
@@ -0,0 +1,24 @@
+class ListPolicy < ApplicationPolicy
+  class Scope < Scope
+    # NOTE: Be explicit about which records you allow access to!
+    def resolve
+      scope.all
+    end
+  end
+
+  def update?
+    true
+  end
+
+  def create?
+    true
+  end
+
+  def index?
+    true
+  end
+
+  def show?
+    true
+  end
+end
