Commit cf923a33 authored by Kaspar Vollenweider's avatar Kaspar Vollenweider 👻 Committed by Kaspar

add missing authorize calls

parent 34b71a32
class ApplicationController < ActionController::Base
include Pundit
protect_from_forgery with: :exception
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
before_action :authenticate_user!
before_action :set_paper_trail_whodunnit
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
after_action :verify_authorized, unless: :devise_controller?
def after_sign_in_path_for(current_user)
return volunteer_path(current_user.volunteer.id) if current_user.volunteer?
......@@ -16,7 +17,9 @@ class ApplicationController < ActionController::Base
root_path
end
def home; end
def home
authorize :application, :home?
end
private
......
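Review bot: `after_action :verify_authorized` only detects a missing `authorize` call after the action body has already run, so queries, saves and mail sends in an unauthorized action still happen before `Pundit::NotAuthorizedError` is raised and handed to `user_not_authorized`; treat it as a development safety net, not the access check itself. Several `index` actions in this commit (Journals, Users, VolunteerEmails, Volunteers) authorize the class but return unscoped relations, which this hook cannot catch; `after_action :verify_policy_scoped, only: :index, unless: :devise_controller?` would flag those. As printed, `rescue_from Pundit::NotAuthorizedError` appears both before and after the `before_action` lines; if both survive on the new side the second registration is a harmless duplicate, but one should go. `authorize :application, :home?` in `home` requires a `home?` query on ApplicationPolicy, which is not part of this diff. The rest of the class, including `user_not_authorized`, is outside the hunk.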
......@@ -4,8 +4,8 @@ class AssignmentsController < ApplicationController
before_action :set_assignment, only: [:show, :edit, :update, :destroy]
def index
@assignments = Assignment.all
authorize Assignment
@assignments = policy_scope(Assignment)
end
def show
......@@ -26,14 +26,11 @@ class AssignmentsController < ApplicationController
def edit; end
def create
@assignment = Assignment.new(assignment_params)
@assignment.creator = current_user
@assignment = Assignment.new(assignment_params.merge(creator_id: current_user.id))
@assignment.client.state = Client::RESERVED
@assignment.volunteer.state = Volunteer::ACTIVE
authorize @assignment
if @assignment.save
@assignment.client.state = Client::RESERVED
@assignment.client.save
@assignment.volunteer.state = Volunteer::ACTIVE
@assignment.volunteer.save
redirect_to assignments_url, make_notice
else
render :new
......
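Review bot: In `create`, `@assignment.client.state = Client::RESERVED` and `@assignment.volunteer.state = Volunteer::ACTIVE` dereference the associations before `save`, so a request whose `assignment_params` (outside the hunk) carries an unknown `client_id` or `volunteer_id` now fails with `NoMethodError` on `nil` instead of a validation error as the old post-save code did; `@assignment.client&.state = Client::RESERVED` and `@assignment.volunteer&.state = Volunteer::ACTIVE` let `save` surface the missing association through validation instead. With `accepts_nested_attributes_for` on both `belongs_to` associations these in-memory state changes are autosaved inside `@assignment.save`, which is tighter than the old separate saves, but it also means `AssignmentPolicy#create?` is asked about a record whose client and volunteer are already mutated; authorizing straight after `Assignment.new` would be clearer. Nothing in this diff shows `set_assignment` (the before_action for show/edit/update/destroy) calling `authorize`, unlike `set_journal` in JournalsController; if it does not, those actions are only caught by the after_action net. The `create` action continues past the hunk.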
class DepartmentsController < ApplicationController
before_action :set_department, only: [:show, :edit, :update, :destroy]
include MakeNotice
before_action :set_department, only: [:show, :edit, :update, :destroy]
def index
authorize Department
@departments = policy_scope(Department)
end
......@@ -17,8 +19,8 @@ class DepartmentsController < ApplicationController
def create
@department = Department.new
@department.update_attributes(permitted_attributes(@department))
authorize @department
@department.update_attributes(permitted_attributes(@department))
if @department.save
redirect_to @department, make_notice
else
......
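Review bot: `authorize @department` now runs on a bare `Department.new` before `update_attributes(permitted_attributes(@department))` assigns anything, so `DepartmentPolicy#create?` only ever sees an empty record and cannot base its decision on the submitted attributes. `update_attributes` also persists the record immediately, making the following `@department.save` a redundant second validation pass (and `update_attributes` is deprecated in later Rails versions; the Rails version is not visible here). Assigning, then authorizing, then saving once keeps the policy informed: `@department = Department.new`, `@department.assign_attributes(permitted_attributes(@department))`, `authorize @department`, followed by the existing `if @department.save`. The `create` action's else branch continues past the hunk.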
......@@ -5,6 +5,7 @@ class JournalsController < ApplicationController
before_action :set_journaled
def index
authorize Journal
@journals = Journal.where(journal_relations.except(:user_id))
end
......@@ -12,14 +13,14 @@ class JournalsController < ApplicationController
def new
@journal = Journal.new(journal_relations)
authorize(@journal)
authorize @journal
end
def edit; end
def create
@journal = Journal.new(journal_params.merge(journal_relations))
authorize(@journal)
authorize @journal
if @journal.save
redirect_to @journaled, make_notice
else
......@@ -52,7 +53,7 @@ class JournalsController < ApplicationController
def set_journal
@journal = Journal.find(params[:id])
authorize(@journal)
authorize @journal
end
def set_journaled
......
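Review bot: `index` authorizes the `Journal` class but still loads `Journal.where(journal_relations.except(:user_id))` directly, so any user who passes the class-level `index?` sees every journal attached to whatever `@journaled` the route params name; AssignmentsController and DepartmentsController in this same commit go through `policy_scope` instead. Consider `@journals = policy_scope(Journal).where(journal_relations.except(:user_id))` so `JournalPolicy::Scope` limits rows per user. Whether `set_journaled` (outside the hunk) authorizes the parent record before journals are listed is not visible here and worth confirming, since `journal_relations` appears to be built from request params. The other hunks only drop the parentheses around `authorize`.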
......@@ -15,12 +15,12 @@ class ProfilesController < ApplicationController
def create
@profile = Profile.new(profile_params)
authorize @profile
if @profile.save
redirect_to @profile, make_notice
else
render :new
end
authorize @profile
end
def update
......
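Review bot: `authorize @profile` is now called before `save`, but nothing in `create` ties the new profile to `current_user` the way `VolunteerEmailsController` (`user = current_user`) and `VolunteersController` (`registrar = current_user`) do in this commit; if `profile_params` (outside the hunk) permits an owner id, the caller chooses whom the profile belongs to, and `ProfilePolicy#create?` must explicitly compare that owner with `user`. If profiles are meant to belong to the requester, set the owner from `current_user` before `authorize`, e.g. `@profile = Profile.new(profile_params.merge(user_id: current_user.id))`, using whatever the real foreign key is. The `update` action starts after the hunk.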
class UsersController < ApplicationController
include ContactAttributes
before_action :set_user, only: [:show, :edit, :update, :destroy]
after_action :verify_authorized
def index
@users = User.all
authorize User
@users = User.all
end
def show; end
......@@ -19,13 +18,13 @@ class UsersController < ApplicationController
def create
@user = User.new user_params.merge(password: Devise.friendly_token)
authorize @user
if @user.save
@user.invite!
redirect_to users_path, notice: t('invite_sent', email: @user.email)
else
render :new
end
authorize @user
end
# only used to update the current user
......
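Review bot: `index` authorizes the class and then lists `User.all`, while the other index actions rewritten in this commit (Assignments, Departments) return `policy_scope(...)`; unless `UserPolicy#index?` is admin-only, `@users = policy_scope(User)` keeps the listing consistent with the rest of the commit. In `create`, `authorize @user` now precedes `save` and `invite!`, which is the right order; note that whatever `user_params` (outside the hunk) permits — for example a role or admin flag — is already on the record when `UserPolicy#create?` runs, so the policy can and should check it rather than relying on the param allowlist alone. The `create` else branch and the `update` action run past the hunk.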
......@@ -4,6 +4,7 @@ class VolunteerApplicationsController < ApplicationController
include VolunteerAttributes
skip_before_action :authenticate_user!
before_action :run_authorize
def new
@volunteer = Volunteer.new
......@@ -26,6 +27,10 @@ class VolunteerApplicationsController < ApplicationController
private
def run_authorize
authorize :volunteer_application, "#{action_name}?".to_sym
end
def volunteer_params
params.require(:volunteer).permit(volunteer_attributes)
end
......
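Review bot: With `authenticate_user!` skipped, `run_authorize` invokes `VolunteerApplicationPolicy` with a `nil` user (Pundit's `pundit_user` is `current_user`), so the policy — not shown in this diff — must accept `nil` on every query it defines; if the shared ApplicationPolicy raises or returns false for a missing user, public applicants are locked out. Deriving the query from `"#{action_name}?".to_sym` is safe against arbitrary input because `action_name` is fixed by the router, but an action without a matching policy method fails with `NoMethodError` (a 500) rather than `Pundit::NotAuthorizedError`. A comment above `run_authorize` such as `# unauthenticated controller: the policy must handle user == nil, and every action needs a matching <action>? query` would make both constraints visible. The `volunteer_params` helper and the rest of the private section continue past the hunk.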
......@@ -3,6 +3,7 @@ class VolunteerEmailsController < ApplicationController
before_action :translate_model_name, only: [:update, :destroy]
def index
authorize VolunteerEmail
@volunteer_emails = VolunteerEmail.all.order(created_at: :desc)
end
......@@ -17,8 +18,8 @@ class VolunteerEmailsController < ApplicationController
def create
@volunteer_email = VolunteerEmail.new(volunteer_email_params)
@volunteer_email.user = current_user
authorize @volunteer_email
@volunteer_email.user = current_user
if @volunteer_email.save
redirect_to @volunteer_email,
notice: t('crud.created', model: @volunteer_email.class.model_name.human)
......
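Review bot: As printed, `create` now calls `authorize @volunteer_email` before `@volunteer_email.user = current_user`, so `VolunteerEmailPolicy#create?` sees a record with no owner (or whatever owner `volunteer_email_params`, outside the hunk, happened to set) and cannot enforce a `record.user == user` rule; assigning the owner first and then authorizing (`@volunteer_email.user = current_user` / `authorize @volunteer_email`) keeps the policy's view identical to what gets saved. `index` authorizes the class but lists `VolunteerEmail.all`, unlike the `policy_scope` used for Assignments and Departments in this commit; `@volunteer_emails = policy_scope(VolunteerEmail).order(created_at: :desc)` would be consistent. The `create` action continues past the hunk.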
......@@ -7,6 +7,7 @@ class VolunteersController < ApplicationController
before_action :set_volunteer, only: [:show, :edit, :update, :destroy]
def index
authorize Volunteer
@q = Volunteer.ransack(params[:q])
@volunteers = @q.result
end
......@@ -22,8 +23,8 @@ class VolunteersController < ApplicationController
def create
@volunteer = Volunteer.new(volunteer_params)
@volunteer.registrar = current_user
authorize @volunteer
@volunteer.registrar = current_user
if @volunteer.save
redirect_to @volunteer, notice: t('volunteer_created')
else
......@@ -48,6 +49,7 @@ class VolunteersController < ApplicationController
end
def seeking_clients
authorize Volunteer
@q = Volunteer.where(state: Volunteer::SEEKING_CLIENTS).ransack(params[:q])
@seeking_clients = @q.result
end
......
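Review bot: Both `index` and `seeking_clients` hand `params[:q]` straight to `Volunteer.ransack` after authorizing the class; unless `Volunteer` restricts `ransackable_attributes`/`ransackable_associations` (not visible here), a user who passes `index?` can filter and sort on any column or joined association, which is a known way to infer data they cannot otherwise read. Building the search on the policy scope — `@q = policy_scope(Volunteer).ransack(params[:q])` in `index`, and the same with `.where(state: Volunteer::SEEKING_CLIENTS)` in `seeking_clients` — at least bounds the rows, and the model-side allowlist should be confirmed. `authorize Volunteer` in `seeking_clients` defaults to a `seeking_clients?` query that VolunteerPolicy must define, otherwise the call raises `NoMethodError`. In `create`, as printed, `authorize @volunteer` now runs before `@volunteer.registrar = current_user`, so `create?` cannot inspect the registrar; set it first if the policy relies on it. The `create` else branch continues past the hunk.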
class Assignment < ApplicationRecord
belongs_to :client
accepts_nested_attributes_for :client
belongs_to :volunteer
accepts_nested_attributes_for :volunteer
belongs_to :creator, class_name: 'User', foreign_key: 'creator_id'
validates :client_id, uniqueness: { scope: :volunteer_id, message: I18n.t('assignment_exists') }
......
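Review bot: `message: I18n.t('assignment_exists')` in the `validates` call is evaluated once when the class loads, so the uniqueness error text is fixed to whatever locale was active at boot instead of the requesting user's; pass a lambda, `message: ->(_record, _data) { I18n.t('assignment_exists') }`, or a symbol resolved through the normal error-message lookup. Separately, `accepts_nested_attributes_for :client` and `:volunteer` on the two `belongs_to` associations mean whatever `assignment_params` permits (outside this diff) can write through to the associated Client and Volunteer rows; confirm the controller only permits `client_id`/`volunteer_id` unless nested editing is intended. The new `belongs_to :creator` line matches the `creator_id` merge in AssignmentsController#create.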