diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index a248e7e..46cf21b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -3,8 +3,7 @@ class ApplicationController < ActionController::Base
 include Pundit::Authorization
 before_action :set_title, :set_current_user
- # TODO: add later
- # after_action :verify_authorized
+ after_action :verify_authorized
 # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
 allow_browser versions: :modern
diff --git a/app/controllers/completions_controller.rb b/app/controllers/completions_controller.rb
index 92769de..77e03a8 100644
--- a/app/controllers/completions_controller.rb
+++ b/app/controllers/completions_controller.rb
@@ -4,10 +4,14 @@ class CompletionsController < ApplicationController
 before_action :set_completion, only: %i[ destroy edit update ]
 def edit
+ authorize @contest
+
 @title = "Edit completion"
 end
 def new
+ authorize @contest
+
 @completion = Completion.new
 if params[:contestant_id]
 @completion.contestant_id = params[:contestant_id]
@@ -16,6 +20,8 @@ class CompletionsController < ApplicationController
 end
 def create
+ authorize @contest
+
 @completion = Completion.new(completion_params)
 @completion.contest_id = @contest.id
 if @completion.save
@@ -29,6 +35,8 @@ class CompletionsController < ApplicationController
 end
 def update
+ authorize @contest
+
 if params[:contestant_id]
 @completion.contestant_id = params[:contestant_id]
 end
@@ -41,6 +49,8 @@ class CompletionsController < ApplicationController
 end
 def destroy
+ authorize @contest
+
 @completion.destroy
 if params[:contestant_id]
 redirect_to contest_contestant_path(@contest, params[:contestant_id])
diff --git a/app/controllers/contestants_controller.rb b/app/controllers/contestants_controller.rb
index ef95891..bed28ec 100644
--- a/app/controllers/contestants_controller.rb
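Review bot: `after_action :verify_authorized` runs only after the action body has finished, so an action that forgot to call `authorize` still performs its writes and redirect before `Pundit::AuthorizationNotPerformedError` is raised; it is a development-time safety net that catches missing calls, not an access control, and the per-action `authorize` calls remain the real guard. Nothing in this hunk shows a `rescue_from Pundit::NotAuthorizedError` (or one for `AuthorizationNotPerformedError`), so a denied request would presumably surface as a 500 rather than a 403 or redirect; if none exists elsewhere in the class, add `rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized` next to this callback. Because the callback is now inherited by every controller, any action elsewhere that neither authorizes nor calls `skip_authorization` (password flows, a sessions `destroy`) will now fail the same way — worth a sweep before merging.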
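Review bot: `authorize @contest` in `new` and `create` dispatches on the record's class, so it reaches `ContestPolicy#new?`/`create?`, which this commit defines as unconditionally `true` (they are written for creating a contest); as a result any signed-in user can add a completion to any contest by posting to its nested route, and `CompletionPolicy` is never consulted because no `policy_class:` is passed. Use `authorize @contest, :update?` in `new` and `create` so those actions hit the same ownership check `edit`/`update`/`destroy` already reach. Separately, `@completion.contestant_id = params[:contestant_id]` in `new` and `update` accepts any contestant id without checking it belongs to `@contest`; `@contest.contestants.find(params[:contestant_id]).id` would scope it. `set_completion` is outside the hunk — if it loads by bare `params[:id]` rather than through `@contest.completions`, authorizing the contest does not prove the completion belongs to it.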
+++ b/app/controllers/contestants_controller.rb
@@ -4,15 +4,21 @@ class ContestantsController < ApplicationController
 before_action :set_completions, only: %i[edit update ]
 def edit
+ authorize @contest
+
 @title = "Contestant"
 end
 def new
+ authorize @contest
+
 @contestant = Contestant.new
 @title = "New contestant"
 end
 def create
+ authorize @contest
+
 @contestant = Contestant.new(contestant_params)
 @contestant.contest_id = @contest.id
 if @contestant.save
@@ -24,6 +30,8 @@ class ContestantsController < ApplicationController
 end
 def update
+ authorize @contest
+
 if @contestant.update(contestant_params)
 redirect_to @contest
 else
@@ -33,6 +41,8 @@ class ContestantsController < ApplicationController
 end
 def destroy
+ authorize @contest
+
 @contestant.destroy
 redirect_to contest_path(@contest)
 end
diff --git a/app/controllers/contests_controller.rb b/app/controllers/contests_controller.rb
index 93f0493..6d7928b 100644
--- a/app/controllers/contests_controller.rb
+++ b/app/controllers/contests_controller.rb
@@ -2,11 +2,15 @@ class ContestsController < ApplicationController
 before_action :set_contest, only: %i[ destroy edit show update ]
 def index
+ authorize :contest
+
 @contests = current_user.contests
 @title = "Welcome #{current_user.username}!"
 end
 def show
+ authorize @contest
+
 @title = @contest.name
 @contestants = @contest.contestants.order(:name)
 @puzzles = @contest.puzzles.order(:id)
@@ -14,15 +18,21 @@ class ContestsController < ApplicationController
 end
 def edit
+ authorize @contest
+
 @title = "Edit contest settings"
 end
 def new
+ authorize :contest
+
 @contest = Contest.new
 @title = "New jigsaw puzzle competition"
 end
 def create
+ authorize :contest
+
 @contest = Contest.new(contest_params)
 @contest.user_id = current_user.id
 if @contest.save
@@ -33,6 +43,8 @@ class ContestsController < ApplicationController
 end
 def update
+ authorize @contest
+
 if @contest.update(contest_params)
 redirect_to @contest
 else
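Review bot: `authorize @contest` in `new`/`create` resolves to `ContestPolicy#new?`/`create?` (Pundit picks the policy from `@contest`'s class, so `ContestantPolicy` is not used), and both return `true` for every user in this commit's `contest_policy.rb`, which lets any signed-in user add contestants to a contest they do not own. `authorize @contest, :update?` in those two actions would reuse the ownership check the remaining actions already hit. Whatever before_action loads `@contestant` is outside the hunk; it should go through `@contest.contestants` so a contestant id from another contest is rejected, which I cannot confirm from here.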
@@ -41,6 +53,7 @@ class ContestsController < ApplicationController
 end
 def destroy
+ authorize @contest
 end
 private
diff --git a/app/controllers/puzzles_controller.rb b/app/controllers/puzzles_controller.rb
index c30bae3..c105d67 100644
--- a/app/controllers/puzzles_controller.rb
+++ b/app/controllers/puzzles_controller.rb
@@ -3,15 +3,21 @@ class PuzzlesController < ApplicationController
 before_action :set_puzzle, only: %i[ destroy edit update]
 def edit
+ authorize @contest
+
 @title = "Edit contest puzzle"
 end
 def new
+ authorize @contest
+
 @puzzle = Puzzle.new
 @title = "New contest puzzle"
 end
 def create
+ authorize @contest
+
 @puzzle = Puzzle.new(puzzle_params)
 @puzzle.contest_id = @contest.id
 if @puzzle.save
@@ -23,6 +29,8 @@ class PuzzlesController < ApplicationController
 end
 def update
+ authorize @contest
+
 if @puzzle.update(puzzle_params)
 redirect_to @contest
 else
@@ -32,6 +40,8 @@ class PuzzlesController < ApplicationController
 end
 def destroy
+ authorize @contest
+
 @puzzle.destroy
 redirect_to contest_path(@contest)
 end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 9785c92..13595bc 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -3,9 +3,11 @@ class SessionsController < ApplicationController
 rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_url, alert: "Try again later." }
 def new
+ skip_authorization
 end
 def create
+ skip_authorization
 if user = User.authenticate_by(params.permit(:email_address, :password))
 start_new_session_for user
 redirect_to after_authentication_url
diff --git a/app/policies/completion_policy.rb b/app/policies/completion_policy.rb
new file mode 100644
index 0000000..9ed51d7
--- /dev/null
+++ b/app/policies/completion_policy.rb
@@ -0,0 +1,9 @@
+class CompletionPolicy < ContestPolicy
+ def index?
+ false
+ end
+
+ def show?
+ false
+ end
+end
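Review bot: `destroy` now consists of `authorize @contest` and nothing else — no `@contest.destroy` and no redirect appear in the hunk — so an authorized DELETE falls through to rendering a `destroy` template (presumably absent) instead of deleting anything. If the empty body is deliberate scaffolding, say so in place with `# TODO: destroy the contest and redirect; currently authorized but a no-op` so it does not read as a finished action.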
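Review bot: Same gap as the other nested controllers: `authorize @contest` in `new`/`create` resolves to `ContestPolicy#new?`/`create?`, which this commit defines as `true` for everyone, so a signed-in user can add puzzles to any contest; `authorize @contest, :update?` in those two actions closes it. `PuzzlePolicy` is never selected by these calls, since the policy is derived from `@contest`'s class.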
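Review bot: `skip_authorization` is added to `new` and `create` only; any other action in this controller outside the hunk (the logout `destroy` that usually accompanies this `rate_limit`/`authenticate_by` layout) will now raise `Pundit::AuthorizationNotPerformedError` from the inherited `after_action`, after the session has already been terminated. Declaring it once at class level, `skip_after_action :verify_authorized`, is safer for a controller that deals only with unauthenticated or self-service flows; I cannot see whether a `destroy` exists, so treat this as something to confirm.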
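Review bot: Nothing in this commit selects `CompletionPolicy`: the controllers call `authorize @contest`, and Pundit derives the policy from the record's class, so `ContestPolicy` answers every completion query and these `index?`/`show?` overrides are dead unless a caller passes `policy_class: CompletionPolicy` or authorizes a `Completion` instance. If this subclass is meant to govern completions, authorize the completion (`authorize @completion`) and define `create?`/`update?`/`destroy?` here to check the owning contest, `record.contest.user_id == user.id || user.admin?`, instead of inheriting the contest-level `create?` that returns `true` for everyone.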
diff --git a/app/policies/contest_policy.rb b/app/policies/contest_policy.rb new file mode 100644 index 0000000..d6a9d0a --- /dev/null +++ b/app/policies/contest_policy.rb @@ -0,0 +1,29 @@ +class ContestPolicy < ApplicationPolicy + def index? + true + end + + def show? + record.user.id == user.id || user.admin? + end + + def new? + true + end + + def create? + true + end + + def edit? + record.user.id == user.id || user.admin? + end + + def update? + record.user.id == user.id || user.admin? + end + + def destroy? + record.user.id == user.id || user.admin? + end +end diff --git a/app/policies/contestant_policy.rb b/app/policies/contestant_policy.rb new file mode 100644 index 0000000..1b35919 --- /dev/null +++ b/app/policies/contestant_policy.rb @@ -0,0 +1,9 @@ +class ContestantPolicy < ContestPolicy + def index? + false + end + + def show? + false + end +end diff --git a/app/policies/puzzle_policy.rb b/app/policies/puzzle_policy.rb new file mode 100644 index 0000000..16e7645 --- /dev/null +++ b/app/policies/puzzle_policy.rb @@ -0,0 +1,9 @@ +class PuzzlePolicy < ContestPolicy + def index? + false + end + + def show? + false + end +end diff --git a/app/views/contests/index.html.slim b/app/views/contests/index.html.slim index 774e0cc..16b0fa4 100644 --- a/app/views/contests/index.html.slim +++ b/app/views/contests/index.html.slim @@ -15,9 +15,10 @@ .card-header = contest.name .card-body + .card-text.mb-2 = "#{contest.puzzles.length} puzzles - #{contest.contestants.length} participants" .row - - contest.puzzles.each do |puzzle| - - if puzzle.image.attached? - .col - = image_tag puzzle.image, style: "max-height: 80px;" + .col + - contest.puzzles.each do |puzzle| + - if puzzle.image.attached? + = image_tag puzzle.image, style: "max-height: 50px;", class: "mb-2 me-2" a.stretched-link href=contest_path(contest) \ No newline at end of file
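Review bot: `new?` and `create?` returning `true` is right for creating a contest, but the same policy answers `authorize @contest` from the completions, contestants and puzzles controllers in this commit, so their nested `new`/`create` actions are open to every signed-in user regardless of contest ownership. Keep these two methods and have the nested controllers ask `authorize @contest, :update?`, or add an explicit query such as `def manage? = record.user_id == user.id || user.admin?` and use that name there. The ownership checks can compare `record.user_id == user.id` rather than `record.user.id`, which avoids loading the owner row on every call; and if `user` can ever be nil here, `user.id` raises instead of denying — hedged, since `ApplicationPolicy` and the authentication before_actions are outside this diff.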
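Review bot: `contest.contestants.length` loads every contestant row of every listed contest just to print a count; `contest.contestants.size` issues a `COUNT(*)` when the association is not already loaded. `contest.puzzles.length` is fine since the puzzles are iterated a few lines below anyway, though each `puzzle.image.attached?` is still a query per puzzle unless the index action preloads `puzzles: { image_attachment: :blob }` — that is in the controller, outside this hunk.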