Merge pull request #110 from dtaniwaki/handle-soft-deleted-link

Disallow access on records associated to soft-deleted test
dtaniwaki · Jun 21, 2016 · 68e7f2c · 68e7f2c
2 parents 4753921 + 4a58975
commit 68e7f2c
Show file tree

Hide file tree

Showing 8 changed files with 47 additions and 18 deletions.
diff --git a/app/models/test_execution.rb b/app/models/test_execution.rb
@@ -9,6 +9,7 @@ class TestExecution < ApplicationRecord
 
   scope :with_user, ->(user) { where(user_id: user.is_a?(ActiveRecord::Base) ? user.id : user) }
   scope :with_test_version, ->(test_version) { where(test_version_id: test_version.is_a?(ActiveRecord::Base) ? test_version.id : test_version) }
+  scope :without_deleted, -> { joins(:test).merge(Test.without_deleted) }
 
   enum state: { initial: 0, running: 1, done: 2, failed: 3 }
 

diff --git a/app/models/test_version.rb b/app/models/test_version.rb
@@ -8,6 +8,7 @@ class TestVersion < TestStepSet
 
   scope :with_user, ->(user) { joins(:user_test_versions).merge(UserTestVersion.where(user_id: user.is_a?(ActiveRecord::Base) ? user.id : user)) }
   scope :with_test, ->(test) { where(test_id: test.is_a?(ActiveRecord::Base) ? test.id : test) }
+  scope :without_deleted, -> { joins(:test).merge(Test.without_deleted) }
 
   after_create :assign_current_test_version!
 

diff --git a/app/policies/test_execution_policy.rb b/app/policies/test_execution_policy.rb
@@ -4,27 +4,33 @@ def index?
   end
 
   def show?
-    @record.with_authorized_token? ||
+    @record.test.present? && @record.test_version.present? && (
+      @record.with_authorized_token? ||
       @record.user == @user ||
       @record.test.user_tests.with_user(@user).exists?
+    )
   end
 
   def create?
-    @record.test_version.user_test_versions.with_user(@user).exists? ||
+    @record.test.present? && @record.test_version.present? && (
+      @record.test_version.user_test_versions.with_user(@user).exists? ||
       @record.test.user_tests.with_user(@user).exists?
+    )
   end
 
   def done?
-    @record.user == @user ||
+    @record.test.present? && @record.test_version.present? && (
+      @record.user == @user ||
       @record.test.user_tests.with_user(@user).exists?
+    )
   end
 
   class Scope < Scope
     def resolve
       if @context && @user.user_tests.with_test(@context.test).exists?
-        scope
+        scope.without_deleted
       else
-        scope.with_user(@user)
+        scope.with_user(@user).without_deleted
       end
     end
   end

diff --git a/app/policies/test_execution_share_policy.rb b/app/policies/test_execution_share_policy.rb
@@ -4,14 +4,20 @@ def index?
   end
 
   def create?
-    @record.test_execution.user == @user
+    @record.test_execution.test.present? &&
+      @record.test_execution.test_version.present? &&
+      @record.test_execution.user == @user
   end
 
   def update?
-    @record.test_execution.user == @user
+    @record.test_execution.test.present? &&
+      @record.test_execution.test_version.present? &&
+      @record.test_execution.user == @user
   end
 
   def destroy?
-    @record.test_execution.user == @user
+    @record.test_execution.test.present? &&
+      @record.test_execution.test_version.present? &&
+      @record.test_execution.user == @user
   end
 end
diff --git a/app/policies/test_step_execution_policy.rb b/app/policies/test_step_execution_policy.rb
@@ -4,8 +4,10 @@ def index?
   end
 
   def show?
-    @record.test_execution.with_authorized_token? ||
+    @record.test_execution.test.present? && @record.test_execution.test_version.present? && (
+      @record.test_execution.with_authorized_token? ||
       @record.test_execution.user == @user ||
       @record.test_execution.test.user_tests.with_user(@user).exists?
+    )
   end
 end
diff --git a/app/policies/test_version_policy.rb b/app/policies/test_version_policy.rb
@@ -4,8 +4,10 @@ def index?
   end
 
   def show?
-    @record.user_test_versions.with_user(@user).exists? ||
+    @record.test.present? && (
+      @record.user_test_versions.with_user(@user).exists? ||
       (@record.test && @record.test.user_tests.with_user(@user).exists?)
+    )
   end
 
   def create?
@@ -17,6 +19,7 @@ def update?
   end
 
   def destroy?
-    (@record.test && @record.test.user_tests.with_user(@user).exists?)
+    @record.test.present? &&
+      (@record.test && @record.test.user_tests.with_user(@user).exists?)
   end
 end
diff --git a/app/policies/user_test_policy.rb b/app/policies/user_test_policy.rb
@@ -4,19 +4,23 @@ def index?
   end
 
   def show?
-    @record.user == @user
+    @record.test.present? &&
+      @record.user == @user
   end
 
   def create?
-    @record.test.user_tests.with_user(@user).exists?
+    @record.test.present? &&
+      @record.test.user_tests.with_user(@user).exists?
   end
 
   def update?
-    @record.user == @user
+    @record.test.present? &&
+      @record.user == @user
   end
 
   def destroy?
-    @record.test.user_tests.with_user(@user).exists? &&
+    @record.test.present? &&
+      @record.test.user_tests.with_user(@user).exists? &&
       @record.user != @user
   end
 end
diff --git a/app/policies/user_test_version_policy.rb b/app/policies/user_test_version_policy.rb
@@ -4,15 +4,21 @@ def index?
   end
 
   def create?
-    @record.test.user_tests.with_user(@user).exists?
+    @record.test.present? &&
+      @record.test_version.present? &&
+      @record.test.user_tests.with_user(@user).exists?
   end
 
   def update?
-    @record.user == @user
+    @record.test.present? &&
+      @record.test_version.present? &&
+      @record.user == @user
   end
 
   def destroy?
-    @record.test.user_tests.with_user(@user).exists? &&
+    @record.test.present? &&
+      @record.test_version.present? &&
+      @record.test.user_tests.with_user(@user).exists? &&
       @record.user != @user
   end
 end