Merge branch 'auth_overhaul'

concerto · Jul 7, 2012 · db076e4 · db076e4
2 parents 480a84e + ebe28c2
commit db076e4
Show file tree

Hide file tree

Showing 14 changed files with 115 additions and 33 deletions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -31,5 +31,39 @@ def check_for_initial_install
   rescue_from CanCan::AccessDenied do |exception|
     redirect_to root_url, :flash => { :notice => exception.message }
   end
+
+  def auth!(options = {})
+    # action
+    # object
+    # allow_empty
+    action_map = {
+      'index' => :read,
+      'show' => :read,
+      'new' => :create,
+      'edit' => :update,
+      'create' => :create,
+      'update' => :update,
+      'destroy' => :destroy,
+    }
+
+    test_action = (options[:action] || action_map[action_name])
+    allow_empty = (options[:allow_empty] || true)
+
+    var_name = controller_name
+    if action_name != 'index'
+      var_name = controller_name.singularize
+    end
+    object = (options[:object] || instance_variable_get("@#{var_name}"))
+
+    if allow_empty && ((object.is_a? Enumerable) || (object.is_a? ActiveRecord::Relation))
+      object.delete_if {|o| cannot?(test_action, o)}
+    else
+      if cannot?(test_action, object)
+        fake_cancan = Class.new.extend(CanCan::Ability)
+        message ||= fake_cancan.unauthorized_message(test_action, object.class)
+        raise CanCan::AccessDenied.new(message, test_action, object.class)
+      end
+    end
+  end
 
 end
diff --git a/app/controllers/contents_controller.rb b/app/controllers/contents_controller.rb
@@ -1,6 +1,5 @@
 class ContentsController < ApplicationController
   before_filter :get_content_const, :only => [:new, :create]
-  load_and_authorize_resource :except => [:show]
 
   # Grab the constent object for the type of
   # content we're working with.  Probably needs
@@ -17,6 +16,7 @@ def get_content_const
   # GET /contents/1.xml
   def show
     @content = Content.find(params[:id])
+    auth!
 
     respond_to do |format|
       format.html # show.html.erb
@@ -45,8 +45,8 @@ def new
     if @content_const.nil? || @content_const.superclass != Content
       render :text => "Unrecognized content type.", :status => 400
     else
-
       @content = @content_const.new()
+      auth!
 
       respond_to do |format|
         format.html { } # new.html.erb
@@ -58,14 +58,15 @@ def new
   # GET /contents/1/edit
   def edit
     @content = Content.find(params[:id])
-    authorize! :update, @content
+    auth!
   end
 
   # POST /contents
   # POST /contents.xml
   def create
     @content =  @content_const.new(params[@content_const.model_name.singular])
     @content.user = current_user
+    auth!
 
     @feed_ids = []
     if params.has_key?("feed_id")
@@ -94,7 +95,7 @@ def create
   # PUT /contents/1.xml
   def update
     @content = Content.find(params[:id])
-    authorize! :update, @content
+    auth!
 
     respond_to do |format|
       if @content.update_attributes(params[:content])
@@ -115,7 +116,7 @@ def update
   # DELETE /contents/1.xml
   def destroy
     @content = Content.find(params[:id])
-    authorize! :delete, @content
+    auth!
 
     @content.destroy
 
@@ -130,6 +131,7 @@ def destroy
   # along for processing.  Should send an inline result of the processing.
   def display
     @content = Content.find(params[:id])
+    auth!(:action => :read)
     if stale?(:etag => params, :last_modified => @content.updated_at.utc, :public => true)
       @file = @content.render(params)
       send_data @file.file_contents, :filename => @file.file_name, :type => @file.file_type, :disposition => 'inline'

diff --git a/app/controllers/feeds_controller.rb b/app/controllers/feeds_controller.rb
@@ -1,9 +1,9 @@
 class FeedsController < ApplicationController
-  load_and_authorize_resource :except => [:index, :show]
   # GET /feeds
   # GET /feeds.xml
   def index
     @feeds = Feed.roots
+    auth!
 
     respond_to do |format|
       format.html { } # index.html.erb
@@ -16,6 +16,7 @@ def index
   # GET /feeds/1.xml
   def show
     @feed = Feed.find(params[:id])
+    auth!
 
     respond_to do |format|
       format.html { } # show.html.erb
@@ -28,6 +29,7 @@ def show
   # GET /feeds/new.xml
   def new
     @feed = Feed.new
+    auth!
 
     respond_to do |format|
       format.html # new.html.erb
@@ -38,12 +40,14 @@ def new
   # GET /feeds/1/edit
   def edit
     @feed = Feed.find(params[:id])
+    auth!
   end
 
   # POST /feeds
   # POST /feeds.xml
   def create
     @feed = Feed.new(params[:feed])
+    auth!
 
     respond_to do |format|
       if @feed.save
@@ -60,6 +64,7 @@ def create
   # PUT /feeds/1.xml
   def update
     @feed = Feed.find(params[:id])
+    auth!
 
     respond_to do |format|
       if @feed.update_attributes(params[:feed])
@@ -76,6 +81,7 @@ def update
   # DELETE /feeds/1.xml
   def destroy
     @feed = Feed.find(params[:id])
+    auth!
     @feed.destroy
 
     respond_to do |format|

diff --git a/app/controllers/fields_controller.rb b/app/controllers/fields_controller.rb
@@ -1,5 +1,4 @@
 class FieldsController < ApplicationController
-  load_and_authorize_resource
   before_filter :get_kind
 
   def get_kind
@@ -10,6 +9,7 @@ def get_kind
   # GET /kind/:kind_id/fields.xml
   def index
     @fields = @kind.fields
+    auth!
 
     respond_to do |format|
       format.html # index.html.erb
@@ -21,6 +21,7 @@ def index
   # GET /kind/:kind_id/fields/1.xml
   def show
     @field = Field.find(params[:id])
+    auth!
 
     respond_to do |format|
       format.html # show.html.erb
@@ -33,6 +34,7 @@ def show
   def new
     @field = Field.new
     @field.kind = @kind
+    auth!
 
     respond_to do |format|
       format.html # new.html.erb
@@ -43,13 +45,15 @@ def new
   # GET /kind/:kind_id/fields/1/edit
   def edit
     @field = Field.find(params[:id])
+    auth!
   end
 
   # POST /kind/:kind_id/fields
   # POST /kind/:kind_id/fields.xml
   def create
     @field = Field.new(params[:field])
     @field.kind = @kind
+    auth!
 
     respond_to do |format|
       if @field.save
@@ -66,6 +70,7 @@ def create
   # PUT /kind/:kind_id/fields/1.xml
   def update
     @field = Field.find(params[:id])
+    auth!
 
     respond_to do |format|
       if @field.update_attributes(params[:field])
@@ -82,6 +87,7 @@ def update
   # DELETE /kind/:kind_id/fields/1.xml
   def destroy
     @field = Field.find(params[:id])
+    auth!
     @field.destroy
 
     respond_to do |format|

diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
@@ -1,9 +1,9 @@
 class GroupsController < ApplicationController
-  load_and_authorize_resource
   # GET /groups
   # GET /groups.xml
   def index
     @groups = Group.all
+    auth!
 
     respond_to do |format|
       format.html # index.html.erb
@@ -15,6 +15,7 @@ def index
   # GET /groups/1.xml
   def show
     @group = Group.find(params[:id])
+    auth!
 
     respond_to do |format|
       format.html # show.html.erb
@@ -26,6 +27,7 @@ def show
   # GET /groups/new.xml
   def new
     @group = Group.new
+    auth!
 
     respond_to do |format|
       format.html # new.html.erb
@@ -36,12 +38,14 @@ def new
   # GET /groups/1/edit
   def edit
     @group = Group.find(params[:id])
+    auth!
   end
 
   # POST /groups
   # POST /groups.xml
   def create
     @group = Group.new(params[:group])
+    auth!
 
     respond_to do |format|
       if @group.save
@@ -60,6 +64,7 @@ def create
   # PUT /groups/1.xml
   def update
     @group = Group.find(params[:id])
+    auth!
 
     respond_to do |format|
       if @group.update_attributes(params[:group])
@@ -76,6 +81,7 @@ def update
   # DELETE /groups/1.xml
   def destroy
     @group = Group.find(params[:id])
+    auth!
     @group.destroy
 
     respond_to do |format|

diff --git a/app/controllers/kinds_controller.rb b/app/controllers/kinds_controller.rb
@@ -1,10 +1,9 @@
 class KindsController < ApplicationController
-  load_and_authorize_resource
-
   # GET /kinds
   # GET /kinds.xml
   def index
     @kinds = Kind.all
+    auth!
 
     respond_to do |format|
       format.html # index.html.erb
@@ -16,6 +15,7 @@ def index
   # GET /kinds/1.xml
   def show
     @kind = Kind.find(params[:id])
+    auth!
 
     respond_to do |format|
       format.html # show.html.erb
@@ -27,6 +27,7 @@ def show
   # GET /kinds/new.xml
   def new
     @kind = Kind.new
+    auth!
 
     respond_to do |format|
       format.html # new.html.erb
@@ -37,12 +38,14 @@ def new
   # GET /kinds/1/edit
   def edit
     @kind = Kind.find(params[:id])
+    auth!
   end
 
   # POST /kinds
   # POST /kinds.xml
   def create
     @kind = Kind.new(params[:kind])
+    auth!
 
     respond_to do |format|
       if @kind.save
@@ -59,6 +62,7 @@ def create
   # PUT /kinds/1.xml
   def update
     @kind = Kind.find(params[:id])
+    auth!
 
     respond_to do |format|
       if @kind.update_attributes(params[:kind])
@@ -75,6 +79,7 @@ def update
   # DELETE /kinds/1.xml
   def destroy
     @kind = Kind.find(params[:id])
+    auth!
     @kind.destroy
 
     respond_to do |format|

diff --git a/app/controllers/memberships_controller.rb b/app/controllers/memberships_controller.rb
@@ -1,10 +1,13 @@
 class MembershipsController < ApplicationController
-  load_and_authorize_resource
-
+  before_filter :get_group
+
+  def get_group
+    @group = Group.find(params[:group_id])
+  end
+
   # POST /groups/:group_id/memberships
   # POST /groups/:group_id/memberships.xml
   def create
-    @group = Group.find(params[:group_id])
     @membership = Membership.find_or_create_by_user_id_and_group_id(params[:membership][:user_id], params[:group_id])
 
     if params[:autoconfirm]
@@ -27,7 +30,6 @@ def create
   # PUT /groups/:group_id/memberships/1
   # PUT /groups/:group_id/memberships/1.xml
   def update
-    @group = Group.find(params[:group_id])
     @membership = Membership.find(params[:id])
 
     respond_to do |format|
@@ -44,7 +46,6 @@ def update
   # DELETE /groups/1
   # DELETE /groups/1.xml
   def destroy
-    @group = Group.find(params[:group_id])
     @membership = Membership.find(params[:id])
     @membership.destroy