

Make projects only visible to users with permission to see them
xdite committed Sep 26, 2012
1 parent d56e57d commit 1fc8b84
Showing 14 changed files with 96 additions and 25 deletions.
2 changes: 1 addition & 1 deletion .rspec
@@ -1 +1 @@
--color
--color --drb
16 changes: 10 additions & 6 deletions app/controllers/projects_controller.rb
@@ -1,10 +1,9 @@
class ProjectsController < ApplicationController

before_filter :authorize_admin!, :except => [:index, :show]
before_filter :find_project, :only => [:show,
:edit,
:update,
:destroy]
before_filter :authenticate_user!, :only => [:show]
before_filter :find_project, :only => [:show, :edit, :update, :destroy]

def index
@projects = Project.all
end
Expand Down Expand Up @@ -54,11 +53,16 @@ def destroy
private

def find_project
@project = Project.find(params[:id])
@project = if current_user.admin?
Project.find(params[:id])
else
Project.viewable_by(current_user).find(params[:id])
end

rescue ActiveRecord::RecordNotFound
flash[:alert] = "The project you were looking" +" for could not be found."
redirect_to projects_path
end


end
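Review bot: The `index` action in the first hunk still assigns `Project.all`, so the project list remains visible to anonymous visitors and to signed-in users without a view permission — `index` is excluded from `authorize_admin!` and is not in the `:only` list of the new `authenticate_user!` filter, so only `show` enforces the visibility this commit introduces. If the listing is meant to follow the same rule, add `:index` to the `authenticate_user!` filter and use `@projects = current_user.admin? ? Project.all : Project.viewable_by(current_user)`; the "Listing all projects" scenario in spec/integration/viewing_projects_spec.rb would then presumably need a permission for the project it creates. The `find_project` change itself is sound from a disclosure standpoint: an id the user may not view and an id that does not exist both land in the `RecordNotFound` rescue and produce the same redirect and flash, so the response does not reveal whether a project exists. The flash message on the rescue line is built with `+` from two literals and could be a single string, which is also what the controller spec compares against.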
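--- a/app/models/permission.rb
+++ b/app/models/permission.rb
@@ -0,0 +1,5 @@
+class Permission < ActiveRecord::Base
+attr_accessible :user, :action, :thing
+belongs_to :user
+belongs_to :thing, :polymorphic => true
+end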
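Review bot: `action` is stored as a free-form string with no validation, and the call sites in this commit disagree on its type: spec/integration/viewing_projects_spec.rb passes `:view` while the other specs pass `"view"`, and `Project.viewable_by` compares against the literal `"view"`. ActiveRecord presumably casts the symbol to a string on save, but nothing in the model guarantees that a stored value matches what the scope queries, so a mistyped action silently grants nothing. Declaring the allowed actions once, e.g. `ACTIONS = %w[view].freeze` with `validates :action, :inclusion => { :in => ACTIONS }`, plus `validates :user, :presence => true`, makes a bad grant fail at creation time instead. Because `:user` and `:thing` are both on the `attr_accessible` list, any future controller that builds a Permission directly from request params would let the caller choose both the grantee and the target; that is fine for the test helper introduced here but worth remembering when a permissions UI is added.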
10 changes: 8 additions & 2 deletions app/models/project.rb
@@ -1,9 +1,15 @@
class Project < ActiveRecord::Base
attr_accessible :description, :name

has_many :tickets


validates_presence_of :name
validates :name, :presence => true, :uniqueness => true
has_many :permissions, :as => :thing

def self.viewable_by(user)
joins(:permissions).where(:permissions => { :action => "view", :user_id => user.id })
end


end
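Review bot: `viewable_by` calls `user.id` unconditionally, so a `nil` user (any caller not behind `authenticate_user!`) raises `NoMethodError` instead of yielding an empty relation; either document that the argument must be a persisted user or guard it explicitly before the `where`. The `joins(:permissions)` also returns a project once per matching permission row, so a user holding two `view` grants on the same project will see it twice in any listing built on this scope — `Project.find` in the controller is unaffected, but an `index` built on it would be, and `.uniq` on the relation (or a unique index on the grant) avoids that. Separately, `:uniqueness => true` on `name` is only race-safe with a matching unique index; the `projects` table in the schema hunk is cut off, so I cannot tell whether one exists.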
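--- a/db/migrate/20120925104719_create_permissions.rb
+++ b/db/migrate/20120925104719_create_permissions.rb
@@ -0,0 +1,11 @@
+class CreatePermissions < ActiveRecord::Migration
+def change
+create_table :permissions do |t|
+t.integer :user_id
+t.integer :thing_id
+t.string :thing_type
+t.string :action
+t.timestamps
+end
+end
+end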
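Review bot: The permissions table is created without any index, yet `Project.viewable_by` filters on `user_id` and `action` through a join on `thing_id`/`thing_type` for every non-admin `show` request, so each lookup becomes a sequential scan once grants accumulate. Adding `add_index :permissions, :user_id` and `add_index :permissions, [:thing_type, :thing_id]` inside `change` keeps the check cheap. A unique index over `[:user_id, :thing_type, :thing_id, :action]` would additionally reject duplicate grants, which the joined scope otherwise returns as duplicate rows.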
11 changes: 10 additions & 1 deletion db/schema.rb
Expand Up @@ -11,7 +11,16 @@
#
# It's strongly recommended to check this file into your version control system.

ActiveRecord::Schema.define(:version => 20120925094613) do
ActiveRecord::Schema.define(:version => 20120925104719) do

create_table "permissions", :force => true do |t|
t.integer "user_id"
t.integer "thing_id"
t.string "thing_type"
t.string "action"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
end

create_table "projects", :force => true do |t|
t.string "name"
11 changes: 10 additions & 1 deletion spec/controllers/projects_controller_spec.rb
@@ -1,14 +1,15 @@
require 'spec_helper'

describe ProjectsController do
let(:project) { mock_model(Project, :id => 1) }
let(:project) { FactoryGirl.create(:project) }

let(:user) { FactoryGirl.create(:confirmed_user) }

context "standard users" do
before do
sign_in(:user, user)
end

it "cannot access the new action" do
get :new
response.should redirect_to('/')
Expand All @@ -17,10 +18,18 @@
end

it "displays an error for a missing project" do
sign_in(:user, user)
get :show, :id => "not-here"
response.should redirect_to(projects_path)
message = "The project you were looking for could not be found."
flash[:alert].should == message
end

it "cannot access the show action without permission" do
sign_in(:user, user)
get :show, :id => project.id
response.should redirect_to(projects_path)
flash[:alert].should eql("The project you were looking " + "for could not be found.")
end

end
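Review bot: The new example only covers the deny path; nothing in this spec shows that a user who holds a `view` permission can reach `show`, or that a permission with some other action is not sufficient, so a regression that denies everyone or grants everyone would pass here. An example such as `define_permission!(user, "view", project); get :show, :id => project.id; response.should be_success` pins the positive case, assuming the helper from spec/support/authorization_helpers.rb is included for controller groups as the `RSpec.configure` block suggests. If the two `show` examples sit inside the `standard users` context, its `before` already calls `sign_in(:user, user)` and the repeated `sign_in` at the top of each example is redundant. The two examples also spell the same flash message differently (one literal, one `+` concatenation); a shared `let(:message)` would keep them in step with the controller.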
12 changes: 4 additions & 8 deletions spec/integration/creating_tickets_spec.rb
@@ -1,17 +1,13 @@
require 'spec_helper'
feature "Creating Tickets" do
before do
FactoryGirl.create(:project, :name => "Internet Explorer")
user = FactoryGirl.create(:user, :email => "ticketee@example.com")
user.confirm!
project = FactoryGirl.create(:project, :name => "Internet Explorer")
user = FactoryGirl.create(:confirmed_user, :email => "ticketee@example.com")
define_permission!(user, "view", project)
sign_in_as!(user)
visit '/'
click_link "Internet Explorer"
click_link "New Ticket"
message = "You need to sign in or sign up before continuing."
page.should have_content(message)
fill_in "Email", :with => "ticketee@example.com"
fill_in "Password", :with => "password"
click_button "Sign in"
within("h2") { page.should have_content("New Ticket") }
end
scenario "Creating a ticket" do
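Review bot: The removed assertion that an unauthenticated visitor sees `You need to sign in or sign up before continuing.` on the way to "New Ticket" is not replaced, so after this restructuring the login requirement for ticket creation is no longer exercised by this spec. Unless that redirect is covered elsewhere, a separate scenario that visits the project and clicks "New Ticket" without `sign_in_as!` and expects that message would keep the coverage.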
1 change: 1 addition & 0 deletions spec/integration/deleting_tickets_spec.rb
Expand Up @@ -8,6 +8,7 @@
ticket
end
before do
define_permission!(user, "view", project)
sign_in_as!(user)
visit '/'
click_link project.name
1 change: 1 addition & 0 deletions spec/integration/editing_tickets_spec.rb
Expand Up @@ -10,6 +10,7 @@
end

before do
define_permission!(user, "view", project)
sign_in_as!(user)
visit '/'
click_link project.name
11 changes: 11 additions & 0 deletions spec/integration/viewing_projects_spec.rb
@@ -1,4 +1,15 @@
require 'spec_helper'

feature "Viewing projects" do

let!(:user) { FactoryGirl.create(:confirmed_user) }
let!(:project) { FactoryGirl.create(:project) }

before do
sign_in_as!(user)
define_permission!(user, :view, project)
end

scenario "Listing all projects" do
project = FactoryGirl.create(:project, :name => "TextMate 2")
visit '/'
15 changes: 9 additions & 6 deletions spec/integration/viewing_tickets_spec.rb
Expand Up @@ -3,18 +3,21 @@
before do

textmate_2 = FactoryGirl.create(:project, :name => "TextMate 2")
user = FactoryGirl.create(:user)
user = FactoryGirl.create(:confirmed_user)

ticket = FactoryGirl.create(:ticket,
:project => textmate_2,
:title => "Make it shiny!",
:description => "Gradients! Starbursts! Oh my!")
:project => textmate_2,
:title => "Make it shiny!",
:description => "Gradients! Starbursts! Oh my!")
ticket.update_attribute(:user, user)
internet_explorer = FactoryGirl.create(:project, :name => "Internet Explorer")
FactoryGirl.create(:ticket,
:project => internet_explorer,
:title => "Standards compliance",
:description => "Isn't a joke.")

sign_in_as!(user)
define_permission!(user, "view", textmate_2)
define_permission!(user, "view", internet_explorer)
visit '/'
end
scenario "Viewing tickets for a given project" do
Expand All @@ -28,5 +31,5 @@
end
page.should have_content("Gradients! Starbursts! Oh my!")
end

end
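--- a/spec/models/permission_spec.rb
+++ b/spec/models/permission_spec.rb
@@ -0,0 +1,5 @@
+require 'spec_helper'
+
+describe Permission do
+pending "add some examples to (or delete) #{__FILE__}"
+end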
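--- a/spec/support/authorization_helpers.rb
+++ b/spec/support/authorization_helpers.rb
@@ -0,0 +1,10 @@
+module AuthorizationHelpers
+def define_permission!(user, action, thing)
+Permission.create!(:user => user,
+:action => action,
+:thing => thing)
+end
+end
+RSpec.configure do |c|
+c.include AuthorizationHelpers
+end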

0 comments on commit 1fc8b84
