
Replace require_login with Pundit in Webui::Users::SubscriptionsCon…
…troller

This is one PR of a series that replaces `require_login` with `Pundit`.
You can find further relevant info in #10083.

Tackles Webui::Users::SubscriptionsController

Ref #10083
intrip committed Oct 7, 2020
1 parent a433b01 commit 56ede78
Showing 4 changed files with 88 additions and 23 deletions.
25 changes: 16 additions & 9 deletions src/api/app/controllers/webui/users/subscriptions_controller.rb
@@ -1,29 +1,36 @@
class Webui::Users::SubscriptionsController < Webui::WebuiController
before_action :require_login
# TODO: Remove this when we'll refactor kerberos_auth
before_action :kerberos_auth

after_action :verify_authorized

def index
@subscriptions_form = authorize(subscriptions_form(default_form: params[:default_form]))

@user = User.session!
@groups_users = @user.groups_users

@subscriptions_form = subscriptions_form(default_form: params[:default_form])

respond_to do |format|
format.html
format.js
end
end

def update
@subscriptions_form = authorize(subscriptions_form)

User.session!.groups_users.each do |gu|
gu.email = params[gu.group.title] == '1'
gu.save
end

subscriptions_form.update!(params[:subscriptions]) if params[:subscriptions]
flash.now[:success] = 'Notifications settings updated'
rescue ActiveRecord::RecordInvalid => e
flash.now[:error] = "Notifications settings could not be updated due to an error: #{e.message}"
ensure
begin
@subscriptions_form.update!(params[:subscriptions]) if params[:subscriptions]
flash.now[:success] = 'Notifications settings updated'
rescue ActiveRecord::RecordInvalid => e
flash.now[:error] = "Notifications settings could not be updated due to an error: #{e.message}"
end

respond_to do |format|
format.html { redirect_to action: :index }
format.js { render 'webui/users/subscriptions/update' }
Expand All @@ -36,7 +43,7 @@ def subscriptions_form(options = {})
if options[:default_form]
EventSubscription::Form.new
else
EventSubscription::Form.new(User.session!)
EventSubscription::Form.new(User.session)
end
end
end
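Review bot: In `index`, `params[:default_form]` is caller-controlled and selects a subscriber-less `EventSubscription::Form`, which `FormPolicy#user_is_subscriber?` authorizes for every logged-in user; that matches the old `require_login` behaviour for the defaults view, but nothing at the call site says so, so add `# default_form has no subscriber: FormPolicy only requires a session user here` above the `authorize` call. Moving the login check out of `before_action :require_login` and into the policy also means `before_action :kerberos_auth` now runs for anonymous requests before `authorize` rejects them, which is presumably intended but worth confirming. In the second hunk the switch to `User.session` (no bang) makes the anonymous case depend on `FormPolicy`'s `ensure_logged_in: true` raising rather than on `User.session!`, so the two actions must keep `authorize` as their first statement. The body of `update` continues outside the first hunk.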
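--- /dev/null
+++ b/src/api/app/policies/event_subscription/form_policy.rb
@@ -0,0 +1,23 @@
+class EventSubscription
+class FormPolicy < ApplicationPolicy
+def initialize(user, record, opts = {})
+super(user, record, opts.merge(ensure_logged_in: true))
+end
+
+def index?
+user_is_subscriber?
+end
+
+def update?
+user_is_subscriber?
+end
+
+private
+
+def user_is_subscriber?
+return true unless record.subscriber
+
+user == record.subscriber
+end
+end
+end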
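Review bot: `user_is_subscriber?` grants both `index?` and `update?` to any logged-in user whenever `record.subscriber` is nil, so the protection `update?` adds over plain login holds only as long as no caller builds a subscriber-less form for an update; the policy itself does not state that contract. Add a why-comment on the guard, e.g. `# A form without a subscriber is the default form; every logged-in user may see it. Do not pass a default form to update? unless editing defaults is meant to be open to all users.` If the defaults are meant to be editable only by a privileged user, that rule belongs in `update?` rather than in whichever controller happens to call it. The `ensure_logged_in: true` option presumably makes `ApplicationPolicy#initialize` reject anonymous callers; that is inferred from the accompanying spec, not visible in this file.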
Expand Up @@ -2,31 +2,44 @@

RSpec.describe Webui::Users::SubscriptionsController do
describe 'GET #index' do
let!(:user) { create(:confirmed_user) }

before do
login user
get :index
it_behaves_like 'require logged in user' do
let(:method) { :get }
let(:action) { :index }
end

it { expect(response).to have_http_status(:success) }
it { expect(response).to render_template(:index) }
it { is_expected.to use_before_action(:require_login) }
context 'for logged in user' do
let!(:user) { create(:confirmed_user) }

before do
login user
get :index
end

it { expect(response).to have_http_status(:success) }
it { expect(response).to render_template(:index) }
end
end

describe 'PUT #update' do
include_context 'a user and subscriptions with defaults'

let(:params) { { subscriptions: subscription_params } }

before do
login user
put :update, params: params
it_behaves_like 'require logged in user' do
let(:method) { :put }
let(:action) { :update }
let(:opts) { { params: params } }
end

it { expect(response).to redirect_to(action: :index) }
it { is_expected.to use_before_action(:require_login) }
context 'for logged in user' do
before do
login user
put :update, params: params
end

it { expect(response).to redirect_to(action: :index) }

it_behaves_like 'a subscriptions form for subscriber'
it_behaves_like 'a subscriptions form for subscriber'
end
end
end
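--- /dev/null
+++ b/src/api/spec/policies/event_subscription/form_policy_spec.rb
@@ -0,0 +1,22 @@
+require 'rails_helper'
+
+RSpec.describe EventSubscription::FormPolicy do
+let(:user) { create(:user_with_groups) }
+let(:other_user) { create(:user_with_groups) }
+let(:user_nobody) { build(:user_nobody) }
+let(:event_subscription_form) { EventSubscription::Form.new }
+let(:event_subscription_form_user) { EventSubscription::Form.new(user) }
+
+subject { described_class }
+
+permissions :index?, :update? do
+it { is_expected.to permit(user, event_subscription_form_user) }
+it { is_expected.to permit(other_user, event_subscription_form) }
+it { is_expected.not_to permit(other_user, event_subscription_form_user) }
+end
+
+it "doesn't permit anonymous user" do
+expect { described_class.new(user_nobody, event_subscription_form) }
+.to raise_error(an_instance_of(Pundit::NotAuthorizedError).and(having_attributes(reason: :anonymous_user)))
+end
+end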
