First attempt to refactor authorization layer

Author: enricostano

app/controllers/users_controller.rb

@@ -18,6 +18,8 @@ def scoped_users
   # GET /organizations/:id/members
   #
   def index
+    authorize @organization, :show?
+
     @users = scoped_users
     @memberships = @organization.members.
                    where(user_id: @users.map(&:id)).
@@ -29,6 +31,8 @@ def index
   # GET /members/:user_id
   #
   def show
+    authorize @organization, :show?
+
     @user = find_user
     authorize @user
 
@@ -38,17 +42,21 @@ def show
   end
 
   def new
-    authorize User
+    authorize @organization, :admin?
+
     @user = scoped_users.build
   end
 
   def edit
-    @user = find_user
+    @user = User.find_by_id(params[:id])
+
+    # TODO: raise 404
+    raise unless @user
+
+    authorize @user
   end
 
   def create
-    authorize User
-
     # New User
     email = user_params[:email]
     @user = User.find_or_initialize_by(email: email) do |u|

app/policies/application_policy.rb

@@ -1,10 +1,8 @@
 class ApplicationPolicy
-  attr_reader :member, :user, :organization, :record
+  attr_reader :user, :record
 
-  def initialize(member, record)
-    @member = member
-    @user = member.user if member
-    @organization = member.organization if member
+  def initialize(user, record)
+    @user = user
     @record = record
   end
 
@@ -13,7 +11,7 @@ def index?
   end
 
   def show?
-    scope.where(id: record.id).exists?
+    false
   end
 
   def create?
@@ -35,23 +33,4 @@ def edit?
   def destroy?
     false
   end
-
-  def scope
-    Pundit.policy_scope!(member, record.class)
-  end
-
-  class Scope
-    attr_reader :member, :user, :organization, :scope
-
-    def initialize(member, scope)
-      @member = member
-      @user = member.user if member
-      @organization = member.organization if member
-      @scope = scope
-    end
-
-    def resolve
-      scope
-    end
-  end
 end

app/policies/organization_policy.rb

@@ -0,0 +1,9 @@
+class OrganizationPolicy < ApplicationPolicy
+  def show?
+    user.member(record).present?
+  end
+
+  def admin?
+    user.admins?(record)
+  end
+end

app/policies/user_policy.rb

@@ -1,4 +1,8 @@
 class UserPolicy < ApplicationPolicy
+  def show?
+    true
+  end
+
   def new?
     user.admins?(organization)
   end
@@ -14,19 +18,4 @@ def update?
       user.admins?(organization)
     )
   end
-
-  class Scope < ApplicationPolicy::Scope
-    attr_reader :member, :user, :organization, :scope
-
-    def initialize(user, scope)
-      @member = member
-      @user = member.user if member
-      @organization = member.organization if member
-      @scope = scope
-    end
-
-    def resolve
-      scope
-    end
-  end
 end

app/views/organizations/index.html.erb

@@ -27,7 +27,7 @@
         <td><%= link_to org.name, org %></td>
         <td><%= org.users.count %></td>
         <td class="hover-actions">
-          <% if current_user.admins?(org) %>
+          <% if current_user && current_user.admins?(org) %>
             <%= link_to edit_organization_path(org), class: 'action' do %>
               <%= glyph :pencil %>
               <%= t 'global.edit' %>

app/views/organizations/show.html.erb

@@ -109,16 +109,18 @@
           <% end %>
         </li>
       <% end %>
-      <li>
-        <%= link_to give_time_organization_path(@organization) do %>
-          <%= glyph :time %>
-          <%= t "global.give_time" %>
-        <% end %>
-      </li>
+      <% if current_user && current_user.member(@organization) %>
+        <li>
+          <%= link_to give_time_organization_path(@organization) do %>
+            <%= glyph :time %>
+            <%= t "global.give_time" %>
+          <% end %>
+        </li>
+      <% end %>
     </ul>
   </div>
 </div>
 
-<% if current_user %>
+<% if current_user && current_user.member(@organization) %>
   <%= render "shared/movements" %>
 <% end %>

app/views/users/show.html.erb

@@ -2,7 +2,7 @@
   <div class="panel-body">
     <h1>
       <small>
-        <% unless  @member.active %>
+        <% unless @member.active %>
           <%= t ".inactive" %>
         <% end %>
       </small>