Replace require_login with Pundit in Webui::Users::TasksController

This is a PR of a series which replaces `require_login` with `Pundit`.
You can find further relevant info in #10083.

Tackles Webui::Users::TasksController

Ref #10083

src/api/app/controllers/webui/users/tasks_controller.rb

@@ -1,7 +1,11 @@
 module Webui
   module Users
     class TasksController < WebuiController
-      before_action :require_login
+      # TODO: Remove this when we'll refactor kerberos_auth
+      before_action :kerberos_auth
+      before_action -> { authorize([:users, :task]) }
+
+      after_action :verify_authorized
     end
   end
 end

src/api/app/policies/users/task_policy.rb

@@ -0,0 +1,11 @@
+module Users
+  class TaskPolicy < ApplicationPolicy
+    def initialize(user, record, opts = {})
+      super(user, record, opts.merge(ensure_logged_in: true))
+    end
+
+    def index?
+      true
+    end
+  end
+end

src/api/spec/controllers/webui/users/tasks_controller_spec.rb

@@ -0,0 +1,10 @@
+require 'rails_helper'
+
+RSpec.describe Webui::Users::TasksController do
+  describe 'GET #index' do
+    it_behaves_like 'require logged in user' do
+      let(:method) { :get }
+      let(:action) { :index }
+    end
+  end
+end

src/api/spec/policies/users/task_policy_spec.rb

@@ -0,0 +1,17 @@
+require 'rails_helper'
+
+RSpec.describe Users::TaskPolicy do
+  let(:user) { create(:user) }
+  let(:user_nobody) { build(:user_nobody) }
+
+  subject { described_class }
+
+  permissions :index? do
+    it { is_expected.to permit(user, [:users, :task]) }
+  end
+
+  it "doesn't permit anonymous user" do
+    expect { described_class.new(user_nobody, [:users, :task]) }
+      .to raise_error(an_instance_of(Pundit::NotAuthorizedError).and(having_attributes(reason: :anonymous_user)))
+  end
+end