Karavel/fixin.me
0
0
Fork 0
forked from fixin.me/fixin.me
Code Pull Requests Activity

Add access control and :forbidden error handling

Browse Source
This commit is contained in:
cryptogopher 2023-04-24 23:08:55 +02:00
parent 461f0bb812
commit 634ba7e901
5 changed files with 41 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
app/controllers/application_controller.rb
View File

@ -1,6 +1,15 @@
class ApplicationController < ActionController::Base class ApplicationController < ActionController::Base
helper_method :current_user_at_least
before_action :authenticate_user! before_action :authenticate_user!
class AccessForbidden < StandardError
end
def current_user_at_least(status)
User.statuses[current_user.status] >= User.statuses[status]
end
protected protected
def after_sign_out_path_for(scope) def after_sign_out_path_for(scope)

8
app/controllers/users_controller.rb
View File

@ -1,7 +1,9 @@
class UsersController < ApplicationController class UsersController < ApplicationController
before_action :set_user, only: %i[ show edit update destroy ] before_action :find_user, only: [:show, :edit, :update, :destroy]
before_action do
raise AccessForbidden unless (current_user == @user) || current_user_at_least(:admin)
end
# GET /users
def index def index
@users = User.all @users = User.all
end end
@ -47,7 +49,7 @@ class UsersController < ApplicationController
private private
# Use callbacks to share common setup or constraints between actions. # Use callbacks to share common setup or constraints between actions.
def set_user def find_user
@user = User.find(params[:id]) @user = User.find(params[:id])
end end

5
app/views/layouts/application.html.erb
View File

@ -34,7 +34,10 @@
<div class="nav-menu"> <div class="nav-menu">
<% if user_signed_in? %> <% if user_signed_in? %>
<div class="right"> <div class="right">
<%= image_link_to t('.users'), "account-multiple-outline", users_path, current: :active %> <% if current_user_at_least(:admin) %>
<%= image_link_to t('.users'), "account-multiple-outline", users_path,
current: :active %>
<% end %>
</div> </div>
<% end %> <% end %>
</div> </div>

4
app/views/users/index.html.erb
View File

@ -1,3 +1,4 @@
<% if current_user_at_least(:admin) %>
<table class="items" id="users"> <table class="items" id="users">
<tr> <tr>
<th><%= User.human_attribute_name(:email).capitalize %></th> <th><%= User.human_attribute_name(:email).capitalize %></th>
@ -12,10 +13,11 @@
<td><%= user.status %></td> <td><%= user.status %></td>
<td><%= user.created_at.to_fs(:db_without_sec) %></td> <td><%= user.created_at.to_fs(:db_without_sec) %></td>
<td class="svg"> <td class="svg">
<%= svg_tag "pictograms/checkbox-marked-outline.svg#icon" if user.confirmed_at.present? %> <%= svg_tag "pictograms/checkbox-marked-outline" if user.confirmed_at.present? %>
</td> </td>
<td class="actions"><%= image_link_to "Delete", "account-remove-outline", user_path(user), <td class="actions"><%= image_link_to "Delete", "account-remove-outline", user_path(user),
data: { turbo: true, turbo_method: :delete } %></td> data: { turbo: true, turbo_method: :delete } %></td>
</tr> </tr>
<% end %> <% end %>
</table> </table>
<% end %>

2
config/application.rb.dist
View File

@ -31,6 +31,8 @@ module FixinMe
# config.time_zone = "Central Time (US & Canada)" # config.time_zone = "Central Time (US & Canada)"
# config.eager_load_paths << Rails.root.join("extras") # config.eager_load_paths << Rails.root.join("extras")
config.action_dispatch.rescue_responses['ApplicationController::AccessForbidden'] = :forbidden
# SETUP: Below settings need to be updated on a per-installation basis. # SETUP: Below settings need to be updated on a per-installation basis.
# #
# URL to use in sent e-mails. # URL to use in sent e-mails.