VietTH: Apply permission to order resource. Use gem cancan

92e948d5 · Tran Hoang Viet · f308e16c · 92e948d5 · 92e948d5 · 92e948d5
Commit 92e948d5 authored Jul 17, 2015 by Tran Hoang Viet
Showing with 38 additions and 6 deletions

Gemfile
+3 -3

Gemfile.lock
+2 -0

app/controllers/application_controller.rb
+4 -0

app/controllers/orders_controller.rb
+2 -0

app/models/ability.rb
+24 -0

app/models/role.rb
+1 -1

app/views/orders/show.html.haml
+2 -2

No files found.
--- a/Gemfile
+++ b/Gemfile
@@ -68,6 +68,8 @@ gem 'settingslogic', '~> 2.0.9'
 gem 'draper', '~> 2.1.0'
 gem 'devise', '~> 3.5.1'
+gem 'rolify', '~> 4.0.0'
+gem 'cancan', '~> 1.6.10'
 gem 'carrierwave', '~> 0.10.0'
 gem 'mini_magick', '~> 3.8.1'
@@ -97,5 +99,3 @@ gem 'cartman', '~> 2.1.2'
 gem 'font-awesome-rails', '~> 4.3.0.0'
 gem 'meta-tags', '~> 2.0.0'
\ No newline at end of file
-gem 'rolify', '~> 4.0.0'
\ No newline at end of file
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -47,6 +47,7 @@ GEM
    builder (3.2.2)
    byebug (5.0.0)
      columnize (= 0.9.0)
+    cancan (1.6.10)
    capistrano (3.4.0)
      i18n
      rake (>= 10.0.0)
@@ -326,6 +327,7 @@ PLATFORMS
 DEPENDENCIES
  byebug
+  cancan (~> 1.6.10)
  capistrano-rails
  capistrano-rvm
  capistrano-sidekiq (~> 0.5.2)

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,6 +2,10 @@ class ApplicationController < ActionController::Base
  include MetaManagement
  rescue_from ActiveRecord::RecordNotFound, :with => :record_not_found
+  rescue_from CanCan::AccessDenied do |exception|
+    redirect_to root_path, :alert => exception.message
+  end
  layout Proc.new { |controller| controller.devise_controller? ? 'devise' : 'application' }
  # Prevent CSRF attacks by raising an exception.

--- a/app/controllers/orders_controller.rb
+++ b/app/controllers/orders_controller.rb
 class OrdersController < ApplicationController
+  load_and_authorize_resource :order, only: [:show, :update]
  before_action :authenticate_user!
  before_action :set_order, only: [:show, :update]

--- a/app/models/ability.rb
+++ b/app/models/ability.rb
+class Ability
+  include CanCan::Ability
+  attr_reader :user
+  def initialize(current_user)
+    @user = current_user || User.new # guest user (not logged in)
+    if user.admin?
+      permission_admin
+    else
+      permission_user
+    end
+  end
+  def permission_admin
+    can :manage, :all
+  end
+  def permission_user
+    can :read, Order do |order|
+      order.user == user
+    end
+  end
+end
--- a/app/models/role.rb
+++ b/app/models/role.rb
 class Role < ActiveRecord::Base
-  has_and_belongs_to_many :users, join_table: :users_roles
+  has_many :users, through: :users_roles
  belongs_to :resource, :polymorphic => true
  validates :resource_type,

--- a/app/views/orders/show.html.haml
+++ b/app/views/orders/show.html.haml
@@ -24,12 +24,12 @@
    .form-group
      %label.col-md-2.col-sm-3.col-xs-3.control-label Status
      .col-md-2.col-sm-9.col-xs-9.value
-        - if current_user.admin?
+        - if can?(:update, f.object)
          = f.select :status, Order.statuses.keys.map { |status| [status.titleize, status] }, {}, class: 'form-control'
        - else
          = f.object.status.titleize
-    - if current_user.admin?
+    - if can?(:update, f.object)
      .form-group
        %label.col-md-2.col-sm-3.col-xs-3.control-label
        .col-md-2.col-sm-4.col-xs-9