Restrict creating tasks to users with permission

commit ccaa5422ceee378dd9aa727c987c37f09a5affc4 1 parent 86ed5b8
@RonPhillips authored
1  Gemfile
@@ -16,6 +16,7 @@ gem 'jquery-rails'
gem 'therubyracer'
gem 'devise', '~> 1.4.3'
+gem 'cancan'
# Gems used only for assets and not required
# in production environments by default.
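Review bot: `gem 'cancan'` on the added line carries no version constraint, while the neighbouring `devise` line is pinned with `~> 1.4.3`. Gemfile.lock resolves it to 1.6.7 today, but a later `bundle update` may pull a new major release, with changed Ability semantics, straight into the authorization layer. Pinning to the resolved minor, `gem 'cancan', '~> 1.6.7'`, keeps any such upgrade an explicit decision.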
2  Gemfile.lock
@@ -32,6 +32,7 @@ GEM
arel (2.2.1)
bcrypt-ruby (3.0.1)
builder (3.0.0)
+ cancan (1.6.7)
capybara (1.1.1)
mime-types (>= 1.16)
nokogiri (>= 1.3.3)
@@ -170,6 +171,7 @@ PLATFORMS
ruby
DEPENDENCIES
+ cancan
capybara
coffee-rails (~> 3.1.1)
cucumber-rails
20 app/controllers/tasks_controller.rb
@@ -1,8 +1,9 @@
class TasksController < ApplicationController
- before_filter :authenticate_user!, :except => [:index, :show]
+ before_filter :authenticate_user!
before_filter :find_project
before_filter :find_task, :only=> [:show, :edit, :update, :destroy]
-
+ before_filter :authorize_create!, :only => [:new, :create]
+
def show
end
@@ -44,9 +45,20 @@ def destroy
private
+ def authorize_create!
+ if !current_user.admin? && cannot?("create tasks".to_sym, @project)
+ flash[:alert] = "You cannot create tasks on this project."
+ redirect_to @project
+ end
+ end
+
def find_project
- @project = Project.find(params[:project_id])
- end
+ @project = Project.for(current_user).find(params[:project_id])
+ rescue ActiveRecord::RecordNotFound
+ flash[:alert] = "The project you were looking for could not be found."
+ redirect_to root_path
+ end
+
def find_task
@task = @project.tasks.find(params[:id])
end
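Review bot: With this change only `new` and `create` pass through `authorize_create!` (the `before_filter :authorize_create!, :only => [:new, :create]` line in the first hunk); `edit`, `update` and `destroy` still run with nothing but `find_project` and `find_task`, so any user who can reach a project through `Project.for(current_user)` can presumably modify or delete its tasks. If that is intentional for this commit, a comment on that line such as `# TODO: edit/update/destroy are not yet permission-checked` would record it; otherwise a matching filter for those actions is needed. Separately, `"create tasks".to_sym` in `authorize_create!` must stay byte-identical to the `action` string stored on Permission rows, since the Ability symbolizes that column, so a shared constant would keep the two from drifting. The `rescue` in `find_project` is a good choice: an unreadable project is reported as not found rather than as forbidden, which avoids leaking project ids. The `destroy` action and the others between the two hunks are outside the shown lines.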
14 app/models/ability.rb
@@ -0,0 +1,14 @@
+class Ability
+ include CanCan::Ability
+ def initialize(user)
+ user.permissions.each do |permission|
+ can permission.action.to_sym, permission.permissions_apply_type.constantize do |permissions_apply |
+ permissions_apply.nil? ||
+ permission.permissions_apply_id.nil? ||
+ permission.permissions_apply_id == permissions_apply.id
+ end
+ end
+ end
+end
+
+
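Review bot: `user.permissions` on the first line of `initialize` raises `NoMethodError` when `user` is nil, which is what CanCan's default `current_ability` passes for a signed-out visitor; the usual guard is `user ||= User.new`, since an unsaved user has no permissions and the ability stays empty. `permission.permissions_apply_type.constantize` resolves an arbitrary constant from a stored string, which is only safe while Permission rows are written by application code (the cucumber step and the spec do so); a comment stating that assumption, or a whitelist of permitted types, would make it explicit. Likewise `permission.action.to_sym` interns a database string, which would become a symbol-table growth problem if `action` were ever accepted from a form, so the same trust assumption applies. The block also grants the action on every instance of the type when `permissions_apply_id` is nil, a wildcard worth documenting: `# a nil permissions_apply_id means the permission applies to all records of that type`.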
3  app/models/user.rb
@@ -6,6 +6,9 @@ class User < ActiveRecord::Base
# Setup accessible (or protected) attributes for your model
attr_accessible :email, :password, :password_confirmation, :remember_me
+
+ has_many :permissions
+
def to_s
"#{email} (#{admin? ? "Admin" : "User"})"
end
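Review bot: `has_many :permissions` on the added line has no `:dependent` option, so destroying a user leaves its Permission rows behind pointing at a `user_id` that no longer exists. Nothing in this diff reads permissions except through `user.permissions`, so the orphans are inert today, but they will surface in any later admin listing or join; `has_many :permissions, :dependent => :destroy` removes them with the user.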
6 factories/task_factory.rb
@@ -0,0 +1,6 @@
+Factory.define :task do |task|
+ task.title "A factory task"
+ task.description "The factory's default task, nothing more"
+ task.user { |u| u.association(:user) }
+ task.project { |p| p.association(:project) }
+end
18 features/step_definitions/permission_steps.rb
@@ -1,5 +1,15 @@
-Given /^"([^"]*)" can view the "([^"]*)" project$/ do |user, project|
- Permission.create!(:user => User.find_by_email!(user),
- :permissions_apply => Project.find_by_name!(project),
- :action => "view")
+permission_step = /^"([^"]*)" can ([^"]*?) ([o|i]n)?\s?the "([^"]*)" project$/
+
+Given permission_step do |user, permission, on, project|
+ create_permission(user, find_project(project), permission)
+end
+
+def create_permission(email, object, action)
+ Permission.create!(:user => User.find_by_email!(email),
+ :permissions_apply => object,
+ :action => action)
+end
+
+def find_project(name)
+ Project.find_by_name!(name)
end
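Review bot: In `permission_step` the fragment `([o|i]n)?` is a character class, not an alternation: it matches `on`, `in` and also `|n`, and its capture (the `on` block parameter) is never used in the step body. Write it as a non-capturing alternation, `(?:on|in)?`, and drop the parameter, leaving `|user, permission, project|`. `create_permission` and `find_project` are defined as bare top-level methods in a step file, which cucumber mixes into every World; that is conventional but means a same-named helper in another step file would silently override them.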
1  features/tasks_create.feature
@@ -10,6 +10,7 @@ Feature: Creating Tasks
| user@bogus.com | password |
And I am signed in as them
And "user@bogus.com" can view the "Project with Tasks" project
+ And "user@bogus.com" can create tasks in the "Project with Tasks" project
And I am on the projects page
When I follow "Project with Tasks"
And I follow "New Task"
36 spec/controllers/tasks_controller_spec.rb
@@ -1,5 +1,39 @@
require 'spec_helper'
describe TasksController do
-
+ let(:user) { create_user! }
+ let(:project) { Factory(:project) }
+ let(:task) { Factory(:task, :project => project,
+ :user => user) }
+ context "standard users" do
+
+ it "cannot access a task for a project" do
+ sign_in(:user, user)
+ get :show, :id => task.id, :project_id => project.id
+ response.should redirect_to(root_path)
+ flash[:alert].should eql("The project you were looking for could not be found.")
+ end
+
+ context "with permission to view the project" do
+ before do
+ sign_in(:user, user)
+ Permission.create!(:user => user, :permissions_apply => project, :action => "view")
+ end
+ def cannot_create_tasks!
+ response.should redirect_to(project)
+ flash[:alert].should eql("You cannot create tasks on this project.")
+ end
+ it "cannot begin to create a task" do
+ get :new, :project_id => project.id
+ cannot_create_tasks!
+ end
+ it "cannot create a task without permission" do
+ post :create, :project_id => project.id
+ cannot_create_tasks!
+ end
+ end
+
+ end
end
+
+
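Review bot: Every example in the new `standard users` context asserts a denial; nothing shows that a user holding a `create tasks` permission, or an admin, actually gets through `authorize_create!`, so an over-restrictive filter that redirects everyone would pass this spec. A positive example inside the `with permission to view the project` context closes that gap, and a similar one for the `current_user.admin?` branch is worth adding if `create_user!` can produce an admin. None of the examples exercise `edit`, `update` or `destroy`, which the controller leaves without an authorization filter.
```ruby
# … unchanged: context "with permission to view the project" setup and denial examples …
it "can begin to create a task with permission" do
  Permission.create!(:user => user, :permissions_apply => project,
                     :action => "create tasks")
  get :new, :project_id => project.id
  response.should be_success
end
```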