From 83f17e7e3234fd8327c5df713de22f90f805382b Mon Sep 17 00:00:00 2001 From: Melchor De La Rosa Date: Thu, 12 Dec 2024 10:48:07 -0500 Subject: [PATCH 1/2] refactor: refactors company controller policies and tests to include authorization Co-authored-by: Jim Macur --- .../api/v1/companies_controller.rb | 7 +- app/models/company.rb | 1 + app/policies/company_policy.rb | 27 ++++-- db/schema.rb | 25 +++--- spec/policies/company_policy_spec.rb | 87 ++++++++++++++++--- 5 files changed, 109 insertions(+), 38 deletions(-) diff --git a/app/controllers/api/v1/companies_controller.rb b/app/controllers/api/v1/companies_controller.rb index 33fa4c6..8a2dceb 100644 --- a/app/controllers/api/v1/companies_controller.rb +++ b/app/controllers/api/v1/companies_controller.rb @@ -4,8 +4,8 @@ class CompaniesController < ApplicationController before_action :authenticate_user def index - companies = @current_user.companies - + companies = policy_scope(@current_user.companies) + authorize companies if companies.empty? render json: { data: [], message: "No companies found" } else @@ -14,6 +14,7 @@ def index end def create + authorize Company company = @current_user.companies.build(company_params) if company.save render json: CompanySerializer.new(company), status: :created @@ -27,6 +28,8 @@ def create def company_params params.permit(:name, :website, :street_address, :city, :state, :zip_code, :notes) end + + end end end \ No newline at end of file diff --git a/app/models/company.rb b/app/models/company.rb index 381123d..79927bd 100644 --- a/app/models/company.rb +++ b/app/models/company.rb @@ -1,4 +1,5 @@ class Company < ApplicationRecord + rolify strict: true belongs_to :user validates :name, presence: true validates :website, presence: true diff --git a/app/policies/company_policy.rb b/app/policies/company_policy.rb index aa512b2..c62369f 100644 --- a/app/policies/company_policy.rb +++ b/app/policies/company_policy.rb @@ -1,14 +1,23 @@ class CompanyPolicy < ApplicationPolicy - # NOTE: Up to Pundit v2.3.1, the inheritance was declared as - # `Scope < Scope` rather than `Scope < ApplicationPolicy::Scope`. - # In most cases the behavior will be identical, but if updating existing - # code, beware of possible changes to the ancestors: - # https://gist.github.com/Burgestrand/4b4bc22f31c8a95c425fc0e30d7ef1f5 + def create? + user.present? + end + + def index? + user.present? + end + + # record.user == user class Scope < ApplicationPolicy::Scope - # NOTE: Be explicit about which records you allow access to! - # def resolve - # scope.all - # end + def resolve + return scope.none unless user + + if admin? + scope.all + else + scope.where(user_id: user.id) + end + end end end diff --git a/db/schema.rb b/db/schema.rb index 11174c1..e9f0af7 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -10,9 +10,7 @@ # # It's strongly recommended that you check this file into your version control system. - ActiveRecord::Schema[7.1].define(version: 2024_12_07_034959) do - # These are extensions that must be enabled in order to support this database enable_extension "plpgsql" @@ -45,17 +43,6 @@ t.index ["user_id"], name: "index_contacts_on_user_id" end - - create_table "roles", force: :cascade do |t| - t.string "name" - t.string "resource_type" - t.bigint "resource_id" - t.datetime "created_at", null: false - t.datetime "updated_at", null: false - t.index ["name", "resource_type", "resource_id"], name: "index_roles_on_name_and_resource_type_and_resource_id" - t.index ["resource_type", "resource_id"], name: "index_roles_on_resource" - end - create_table "job_applications", force: :cascade do |t| t.string "position_title" t.date "date_applied" @@ -70,7 +57,16 @@ t.bigint "user_id", null: false t.index ["company_id"], name: "index_job_applications_on_company_id" t.index ["user_id"], name: "index_job_applications_on_user_id" + end + create_table "roles", force: :cascade do |t| + t.string "name" + t.string "resource_type" + t.bigint "resource_id" + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + t.index ["name", "resource_type", "resource_id"], name: "index_roles_on_name_and_resource_type_and_resource_id" + t.index ["resource_type", "resource_id"], name: "index_roles_on_resource" end create_table "users", force: :cascade do |t| @@ -92,7 +88,6 @@ add_foreign_key "companies", "users" add_foreign_key "contacts", "companies" add_foreign_key "contacts", "users" - add_foreign_key "job_applications", "companies" add_foreign_key "job_applications", "users" -end \ No newline at end of file +end diff --git a/spec/policies/company_policy_spec.rb b/spec/policies/company_policy_spec.rb index 23b05c6..bf6cfd9 100644 --- a/spec/policies/company_policy_spec.rb +++ b/spec/policies/company_policy_spec.rb @@ -1,27 +1,90 @@ require 'rails_helper' RSpec.describe CompanyPolicy, type: :policy do - let(:user) { User.new } - subject { described_class } - permissions ".scope" do - pending "add some examples to (or delete) #{__FILE__}" + let(:user) { User.create!(name: "user", email: "user@email.com", password: "123") } + let(:other_user) { User.create!(name: "other_user", email: "other_user@email.com", password: "234") } + let(:admin) { User.create!(name: "admin", email: "admin@email.com", password: "456") } + + let(:company) do + Company.create!( + name: "Test Company", + website: "https://testcompany.com", + street_address: "123 Main St", + city: "Testville", + state: "TS", + zip_code: "12345", + notes: "A test company", + user: user + ) + end + + let(:other_company) do + Company.create!( + name: "Other Company", + website: "https://othercompany.com", + street_address: "456 Elm St", + city: "Othertown", + state: "OT", + zip_code: "67890", + notes: "Another test company", + user: other_user + ) end - permissions :show? do - pending "add some examples to (or delete) #{__FILE__}" + before(:each) do + admin.set_role(:admin) end permissions :create? do - pending "add some examples to (or delete) #{__FILE__}" - end + it "allows any logged-in user to create a company" do + expect(subject).to permit(user, Company.new) + expect(subject).to permit(admin, Company.new) + end - permissions :update? do - pending "add some examples to (or delete) #{__FILE__}" + it "does not allow guests to create a company" do + expect(subject).not_to permit(nil, Company.new) + end end - permissions :destroy? do - pending "add some examples to (or delete) #{__FILE__}" + permissions ".scope" do + let(:scope) { Pundit.policy_scope!(current_user, Company) } + + context "when the user is an admin" do + let(:current_user) { admin } + + it "returns all companies" do + company + other_company + expect(scope).to match_array(Company.all) + end + end + + context "when the user is a regular user" do + let(:current_user) { user } + + it "returns only the user's companies" do + company + other_company + expect(scope).to match_array([company]) + end + + it "does not return other users' companies" do + company + other_company + expect(scope).not_to include(other_company) + end + end + + context "when no user is logged in" do + let(:current_user) { nil } + + it "returns an empty relation" do + company + other_company + expect(scope).to match_array([]) + end + end end end From 4c263c9c8d5a56b318ca3b4a3a003f64c00b0f14 Mon Sep 17 00:00:00 2001 From: Jim Macur Date: Thu, 12 Dec 2024 14:57:06 -0700 Subject: [PATCH 2/2] refactor: changes index? method in company policy to admin and user to access index Co-authored-by: Melchor De La Rosa --- app/policies/company_policy.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/app/policies/company_policy.rb b/app/policies/company_policy.rb index c62369f..b1aabbd 100644 --- a/app/policies/company_policy.rb +++ b/app/policies/company_policy.rb @@ -4,11 +4,9 @@ def create? end def index? - user.present? + admin? || user? end - # record.user == user - class Scope < ApplicationPolicy::Scope def resolve return scope.none unless user