Add initial policy for BsRequest

To keep up with on-going code improvement, I would like to propose
an initial Pundit policy for BsRequest

src/api/app/controllers/request_controller.rb

@@ -144,28 +144,21 @@ def destroy
 
   # POST /request?cmd=create
   def request_create
-    xml = nil
     BsRequest.transaction do
-      parsed_xml = Xmlhash.parse(request.raw_post.to_s)
-
-      raise SaveError, 'Failed parsing the request xml' unless parsed_xml
-      raise SaveError, 'Request ID attribute not allowed when creating a request' if parsed_xml['id']
-
-      @req = BsRequest.new_from_hash(parsed_xml)
+      @req = BsRequest.new_from_xml(request.raw_post.to_s)
+      authorize @req, :create?
       @req.set_add_revision       if params[:addrevision].present?
       @req.set_ignore_build_state if params[:ignore_build_state].present?
       @req.save!
-
-      xml = @req.render_xml
-      Suse::Validator.validate(:request, xml)
+      Suse::Validator.validate(:request, @req.render_xml)
     end
 
     # cache the diff (in the backend)
     @req.bs_request_actions.each do |a|
       BsRequestActionWebuiInfosJob.perform_later(a)
     end
 
-    render xml: xml
+    render xml: @req.render_xml
   end
 
   def request_command_diff

src/api/app/policies/bs_request_policy.rb

@@ -0,0 +1,14 @@
+class BsRequestPolicy < ApplicationPolicy
+  def initialize(user, record)
+    raise Pundit::NotAuthorizedError, 'record does not exist' unless record
+    @user = user
+    @record = record
+  end
+
+  def create?
+    # new request should not have an id (BsRequest#number)
+    return false if @record.number
+    # dont let user set approver other than himself unless he is admin
+    ![nil, @user.login].include?(@record.approver) && !@user.is_admin? ? false : true
+  end
+end