From c6ace605fbfff87de67f4e29dd9952eb2eda10ad Mon Sep 17 00:00:00 2001 From: f Date: Fri, 28 Sep 2018 14:15:09 -0300 Subject: [PATCH] autorizacion para posts --- app/controllers/posts_controller.rb | 8 +++++ app/policies/post_policy.rb | 48 +++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 app/policies/post_policy.rb diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb index d8914bce..225e3c40 100644 --- a/app/controllers/posts_controller.rb +++ b/app/controllers/posts_controller.rb @@ -23,9 +23,11 @@ class PostsController < ApplicationController @site = find_site @lang = find_lang(@site) @post = find_post(@site) + authorize @post end def new + authorize Post @site = find_site @lang = find_lang(@site) @template = find_template(@site) @@ -36,6 +38,7 @@ class PostsController < ApplicationController end def create + authorize Post @site = find_site @lang = find_lang(@site) @template = find_template(@site) @@ -53,12 +56,17 @@ class PostsController < ApplicationController @site = find_site @lang = find_lang(@site) @post = find_post(@site) + + authorize @post end def update @site = find_site @lang = find_lang(@site) @post = find_post(@site) + + authorize @post + @post.update_attributes(repair_nested_params(post_params)) if @post.save diff --git a/app/policies/post_policy.rb b/app/policies/post_policy.rb new file mode 100644 index 00000000..f3aaba15 --- /dev/null +++ b/app/policies/post_policy.rb @@ -0,0 +1,48 @@ +class PostPolicy < SuttyPolicy + attr_reader :post + + def initialize(usuarix, post) + @usuarix = usuarix + @post = post + end + + def index? + true + end + + # Lxs invitadxs solo pueden ver sus propios posts + def show? + usuaria? || post.author == usuarix.email + end + + def new? + create? + end + + def create? + true + end + + def edit? + update? + end + + # Lxs invitadxs solo pueden modificar sus propios artículos + def update? + usuaria? || post.author == usuarix.email + end + + class Scope < SuttyPolicy::Scope + # Las usuarias pueden ver todos los posts + # + # Lxs invitadxs solo pueden ver sus propios posts + def resolve + return scope if usuaria? + + # Asegurarse que al menos devolvemos [] + [scope.find do |post| + post.author == usuarix.email + end].flatten.compact + end + end +end