Add auth in all controllers

2025-03-22 13:07:12 +01:00 · 2025-03-22 13:07:12 +01:00 · 6b02eecb9b
commit 6b02eecb9b
parent 5472a400d1
11 changed files with 107 additions and 6 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -3,8 +3,7 @@ class ApplicationController < ActionController::Base
  include Pundit::Authorization

  before_action :set_title, :set_current_user
-  # TODO: add later
-  # after_action :verify_authorized
+  after_action :verify_authorized

  # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
  allow_browser versions: :modern
--- a/app/controllers/completions_controller.rb
+++ b/app/controllers/completions_controller.rb
@ -4,10 +4,14 @@ class CompletionsController < ApplicationController
  before_action :set_completion, only: %i[ destroy edit update ]

  def edit
+    authorize @contest
+
    @title = "Edit completion"
  end

  def new
+    authorize @contest
+
    @completion = Completion.new
    if params[:contestant_id]
      @completion.contestant_id = params[:contestant_id]
@ -16,6 +20,8 @@ class CompletionsController < ApplicationController
  end

  def create
+    authorize @contest
+
    @completion = Completion.new(completion_params)
    @completion.contest_id = @contest.id
    if @completion.save
@ -29,6 +35,8 @@ class CompletionsController < ApplicationController
  end

  def update
+    authorize @contest
+
    if params[:contestant_id]
      @completion.contestant_id = params[:contestant_id]
    end
@ -41,6 +49,8 @@ class CompletionsController < ApplicationController
  end

  def destroy
+    authorize @contest
+
    @completion.destroy
    if params[:contestant_id]
      redirect_to contest_contestant_path(@contest, params[:contestant_id])
--- a/app/controllers/contestants_controller.rb
+++ b/app/controllers/contestants_controller.rb
@ -4,15 +4,21 @@ class ContestantsController < ApplicationController
  before_action :set_completions, only: %i[edit update ]

  def edit
+    authorize @contest
+
    @title = "Contestant"
  end

  def new
+    authorize @contest
+
    @contestant = Contestant.new
    @title = "New contestant"
  end

  def create
+    authorize @contest
+
    @contestant = Contestant.new(contestant_params)
    @contestant.contest_id = @contest.id
    if @contestant.save
@ -24,6 +30,8 @@ class ContestantsController < ApplicationController
  end

  def update
+    authorize @contest
+
    if @contestant.update(contestant_params)
      redirect_to @contest
    else
@ -33,6 +41,8 @@ class ContestantsController < ApplicationController
  end

  def destroy
+    authorize @contest
+
    @contestant.destroy
    redirect_to contest_path(@contest)
  end
--- a/app/controllers/contests_controller.rb
+++ b/app/controllers/contests_controller.rb
@ -2,11 +2,15 @@ class ContestsController < ApplicationController
  before_action :set_contest, only: %i[ destroy edit show update ]

  def index
+    authorize :contest
+
    @contests = current_user.contests
    @title = "Welcome #{current_user.username}!"
  end

  def show
+    authorize @contest
+
    @title = @contest.name
    @contestants = @contest.contestants.order(:name)
    @puzzles = @contest.puzzles.order(:id)
@ -14,15 +18,21 @@ class ContestsController < ApplicationController
  end

  def edit
+    authorize @contest
+
    @title = "Edit contest settings"
  end

  def new
+    authorize :contest
+
    @contest = Contest.new
    @title = "New jigsaw puzzle competition"
  end

  def create
+    authorize :contest
+
    @contest = Contest.new(contest_params)
    @contest.user_id = current_user.id
    if @contest.save
@ -33,6 +43,8 @@ class ContestsController < ApplicationController
  end

  def update
+    authorize @contest
+
    if @contest.update(contest_params)
      redirect_to @contest
    else
@ -41,6 +53,7 @@ class ContestsController < ApplicationController
  end

  def destroy
+    authorize @contest
  end

  private
--- a/app/controllers/puzzles_controller.rb
+++ b/app/controllers/puzzles_controller.rb
@ -3,15 +3,21 @@ class PuzzlesController < ApplicationController
  before_action :set_puzzle, only: %i[ destroy edit update]

  def edit
+    authorize @contest
+
    @title = "Edit contest puzzle"
  end

  def new
+    authorize @contest
+
    @puzzle = Puzzle.new
    @title = "New contest puzzle"
  end

  def create
+    authorize @contest
+
    @puzzle = Puzzle.new(puzzle_params)
    @puzzle.contest_id = @contest.id
    if @puzzle.save
@ -23,6 +29,8 @@ class PuzzlesController < ApplicationController
  end

  def update
+    authorize @contest
+
    if @puzzle.update(puzzle_params)
      redirect_to @contest
    else
@ -32,6 +40,8 @@ class PuzzlesController < ApplicationController
  end

  def destroy
+    authorize @contest
+
    @puzzle.destroy
    redirect_to contest_path(@contest)
  end
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -3,9 +3,11 @@ class SessionsController < ApplicationController
  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_url, alert: "Try again later." }

  def new
+    skip_authorization
  end

  def create
+    skip_authorization
    if user = User.authenticate_by(params.permit(:email_address, :password))
      start_new_session_for user
      redirect_to after_authentication_url
--- a/app/policies/completion_policy.rb
+++ b/app/policies/completion_policy.rb
@ -0,0 +1,9 @@
+class CompletionPolicy < ContestPolicy
+  def index?
+    false
+  end
+
+  def show?
+    false
+  end
+end
--- a/app/policies/contest_policy.rb
+++ b/app/policies/contest_policy.rb
@ -0,0 +1,29 @@
+class ContestPolicy < ApplicationPolicy
+  def index?
+    true
+  end
+
+  def show?
+    record.user.id == user.id || user.admin?
+  end
+
+  def new?
+    true
+  end
+
+  def create?
+    true
+  end
+
+  def edit?
+    record.user.id == user.id || user.admin?
+  end
+
+  def update?
+    record.user.id == user.id || user.admin?
+  end
+
+  def destroy?
+    record.user.id == user.id || user.admin?
+  end
+end
--- a/app/policies/contestant_policy.rb
+++ b/app/policies/contestant_policy.rb
@ -0,0 +1,9 @@
+class ContestantPolicy < ContestPolicy
+  def index?
+    false
+  end
+
+  def show?
+    false
+  end
+end
--- a/app/policies/puzzle_policy.rb
+++ b/app/policies/puzzle_policy.rb
@ -0,0 +1,9 @@
+class PuzzlePolicy < ContestPolicy
+  def index?
+    false
+  end
+
+  def show?
+    false
+  end
+end
--- a/app/views/contests/index.html.slim
+++ b/app/views/contests/index.html.slim
@ -15,9 +15,10 @@
        .card-header
          = contest.name
        .card-body
+          .card-text.mb-2 = "#{contest.puzzles.length} puzzles - #{contest.contestants.length} participants"
          .row
-            - contest.puzzles.each do |puzzle|
-              - if puzzle.image.attached?
-                .col
-                  = image_tag puzzle.image, style: "max-height: 80px;"
+            .col
+              - contest.puzzles.each do |puzzle|
+                - if puzzle.image.attached?
+                  = image_tag puzzle.image, style: "max-height: 50px;", class: "mb-2 me-2"
          a.stretched-link href=contest_path(contest)