Added acces rules for jobs, operator/jobs and admin/dashboard view, including lazy loading for cancel button in broadcasts

app/controllers/admin/dashboards_controller.rb

@@ -1,4 +1,9 @@
 class Admin::DashboardsController < ApplicationController
+  before_action :authorize!
   def show
   end
+
+  def authorize!
+    super with: Admin::DashboardPolicy
+  end
 end

app/controllers/application_controller.rb

@@ -2,6 +2,8 @@ class ApplicationController < ActionController::Base
   before_action :set_current_request_details
   before_action :authenticate_user!
 
+  verify_authorized
+
   private
     def current_user
       Current.user || authenticate_user_from_session

app/controllers/jobs_controller.rb

@@ -1,8 +1,11 @@
 class JobsController < ApplicationController
-  skip_before_action :authenticate_user!, only: :index
+  skip_before_action :authenticate_user!, only: [ :index, :cancel_button ]
+  skip_verify_authorized only: [ :index, :new, :create, :cancel_button ]
+
   # GET /jobs or /jobs.json
   def index
     @jobs = Job.currently_working_on
+    @no_turbo_stream = true
   end
 
   # GET /jobs/new
@@ -28,6 +31,7 @@ class JobsController < ApplicationController
 
   def cancel
     @job = Job.find(params[:id])
+    authorize! @job
     if @job.canceled!
       flash[:notice] = "Job successfully canceled"
       @status_changed = true
@@ -42,6 +46,12 @@ class JobsController < ApplicationController
     end
   end
 
+  def cancel_button
+    @job = Job.find(params[:id])
+
+    render partial: "jobs/cancel_button", locals: { job: @job }
+  end
+
   private
 
   def broadcast_update_status_cards_and_start_next_job_button

app/controllers/operator/jobs_controller.rb

@@ -1,6 +1,7 @@
 class Operator::JobsController < ApplicationController
   before_action :set_job, only: %i[show edit update destroy increment_page decrement_page]
   before_action :set_job_lists, only: %i[index]
+  before_action :authorize!
 
   # GET /jobs or /jobs.json
   def index
@@ -133,7 +134,7 @@ class Operator::JobsController < ApplicationController
   end
 
   def broadcast_update_job
-    Turbo::StreamsChannel.broadcast_replace_later_to "jobs", target: @job, partial: "jobs/job_tr", locals: { job: @job }
+    Turbo::StreamsChannel.broadcast_replace_later_to "jobs", target: @job, partial: "jobs/job_tr", locals: { job: @job  }
     if @status_changed
       Turbo::StreamsChannel.broadcast_remove_to "operator_jobs", target: @job
       broadcast_update_status_cards_and_start_next_job_button

app/controllers/passwords_controller.rb

@@ -1,4 +1,5 @@
 class PasswordsController < ApplicationController
+  skip_verify_authorized only: [ :edit, :update ]
   before_action :set_user
 
   def edit

app/controllers/profiles_controller.rb

@@ -1,4 +1,6 @@
 class ProfilesController < ApplicationController
+  skip_verify_authorized only: [ :show, :edit, :destroy ]
+
   def show
   end
 

app/controllers/sessions_controller.rb

@@ -1,5 +1,6 @@
 class SessionsController < ApplicationController
   skip_before_action :authenticate_user!, only: %i[ new create ]
+  skip_verify_authorized only: [ :index, :new, :create, :destroy ]
 
   before_action :set_session, only: :destroy
 

app/policies/admin/dashboard_policy.rb

@@ -0,0 +1,4 @@
+class Admin::DashboardPolicy < ApplicationPolicy
+  def show
+  end
+end

app/policies/application_policy.rb

@@ -1,5 +1,12 @@
 # Base class for application policies
 class ApplicationPolicy < ActionPolicy::Base
+  pre_check :allow_admins
+
+  # admin is good! :)
+  def allow_admins
+    allow! if user.admin?
+  end
+
   # Configure additional authorization contexts here
   # (`user` is added by default).
   #
@@ -7,6 +14,7 @@ class ApplicationPolicy < ActionPolicy::Base
   #
   # Read more about authorization context: https://actionpolicy.evilmartians.io/#/authorization_context
 
+
   private
 
   # Define shared methods useful for most policies.

app/policies/job_policy.rb

@@ -1,9 +1,12 @@
 class JobPolicy < ApplicationPolicy
+  skip_pre_check :allow_admins, only: :cancel?
+
+  def cancel?
+    record.open? && (user == record.costumer || user.operator? || user.admin?)
+  end
+
   # See https://actionpolicy.evilmartians.io/#/writing_policies
   #
-  # def index?
-  #   true
-  # end
   #
   # def update?
   #   # here we can access our context and record

app/policies/operator/job_policy.rb

@@ -0,0 +1,21 @@
+class Operator::JobPolicy < ApplicationPolicy
+  pre_check :allow_operators
+
+  def index?
+  end
+
+  def update?
+  end
+
+  def increment_page?
+  end
+
+  def decrement_page?
+  end
+
+  private
+
+  def allow_operators
+    allow! if user.operator?
+  end
+end

app/policies/session_policy.rb

@@ -0,0 +1,5 @@
+class SessionPolicy < ApplicationPolicy
+  def new?
+    true
+  end
+end

app/views/jobs/_cancel_button.html.erb

@@ -0,0 +1,28 @@
+<%= turbo_frame_tag dom_id(job, :cancel_button) do %>
+  <%# TODO: Refactor! %>
+  <% if current_user %>
+    <% if allowed_to? :cancel?, job %>
+      <%= button_to icon("x-circle", class: "icon size-10 text-hsrm-red", title: "Druckauftrag abbrechen (Anmeldung erforderlich)"), cancel_job_path(job), method: :patch, form: {data: {turbo_confirm: 'Den Plottauftrag wirklich abbrechen?'}}, form_class: "inline" %>
+    <% else %>
+      <% if job.open? %>
+        <% if job.created_by_operator %>
+          <%= icon("x-circle", class: "icon icon-disabled size-10", title: "Druckauftrag kann nur vom Operator abgebrochen werden!") %>
+        <% else %>
+          <%= icon("x-circle", class: "icon icon-disabled size-10", title: "Sie sind nicht berechtigt diesen Druckauftrag abzubrechen") %>
+        <% end %>
+      <% else %>
+        <%= icon("x-circle", class: "icon icon-disabled size-10", title: "Kann nicht mehr abgebrochen werden") %>
+      <% end %>
+    <% end %>
+  <% else %>
+    <% if job.open? %>
+      <% if job.created_by_operator %>
+        <%= icon("x-circle", class: "icon icon-disabled size-10", title: "Druckauftrag kann nur vom Operator abgebrochen werden!") %>
+      <% else %>
+        <%= button_to icon("x-circle", class: "icon size-10 text-hsrm-red", title: "Druckauftrag abbrechen (Anmeldung erforderlich)"), cancel_job_path(job), method: :patch, form: {data: {turbo_confirm: 'Den Plottauftrag wirklich abbrechen? (Anmeldung erforderlich!)'}}, form_class: "inline" %>
+      <% end %>
+    <% else %>
+      <%= icon("x-circle", class: "icon icon-disabled size-10", title: "Kann nicht mehr abgebrochen werden") %>
+    <% end %>
+  <% end %>
+<% end %>

app/views/jobs/_job_tr.html.erb

@@ -54,10 +54,15 @@
     </span>
   </td>
   <td class="p-2 py-3 text-right">
-    <% if job.open? %>
-      <%= button_to icon("x-circle", class: "icon size-10 text-hsrm-red", title: "Abbrechen"), cancel_job_path(job), method: :patch, form: {data: {turbo_confirm: 'Den Plottauftrag wirklich abbrechen?'}}, form_class: "inline" %>
+    <% # TODO: Refactor to helper function %>
+    <% if defined?(no_turbo_stream) && no_turbo_stream %>
+      <%= turbo_frame_tag dom_id(job, :cancel_button) do %>
+        <%= render partial: "jobs/cancel_button", locals: { job: job } %>
+      <% end %>
     <% else %>
-      <%= icon("x-circle", class: "icon icon-disabled size-10", title: "Kann nicht mehr abgebrochen werden") %>
+      <%= turbo_frame_tag dom_id(job, :cancel_button), src: cancel_button_job_path(job), loading: 'lazy' do %>
+        <%= icon("ellipsis-horizontal-circle", class: "icon icon-disabled size-10", title: "Loading...") %>
+      <% end %>
     <% end %>
   </td>
 </tr>

app/views/jobs/index.html.erb

@@ -1,6 +1,5 @@
 <%= turbo_stream_from 'jobs' %>
 <div class="w-full">
-  <%#= render partial: 'layouts/flash' %>
   <% content_for :title, "Current Print Jobs" %>
   <div class="flex items-center justify-between py-4">
     <h1 class="text-4xl font-bold text-hsrm-gray">Aktuelle Druckaufträge <span class="text-sm font-semibold"><%= Date.today.strftime("%d.%m.%Y") %></span></h1>
@@ -25,8 +24,7 @@
         </tr>
       </thead>
       <tbody id='jobs' class="divide-y divivde-gray-300">
-        <%= render partial: "job_tr", collection: @jobs, as: :job %>
-        <%#= link_to "Show this job", job, class: "ml-2 rounded-lg py-3 px-5 bg-gray-100 inline-block font-medium" %>
+        <%= render partial: "job_tr", collection: @jobs, as: :job, locals: { no_turbo_stream: @no_turbo_stream } %>
       </tbody>
     </table>
   </div>

config/routes.rb

@@ -13,6 +13,7 @@ Rails.application.routes.draw do
   resources :jobs, only: [ :index, :new, :create ] do
     member do
       patch "cancel"
+      get "cancel_button"
     end
   end
   resource :profile, only: [ :show, :edit, :destroy ]

test/policies/admin/dashboard_policy_test.rb

@@ -0,0 +1,13 @@
+require "test_helper"
+
+# See https://actionpolicy.evilmartians.io/#/testing?id=testing-policies
+class Admin::DashboardPolicyTest < ActiveSupport::TestCase
+  def test_index
+  end
+
+  def test_create
+  end
+
+  def test_manage
+  end
+end

test/policies/operator/job_policy_test.rb

@@ -0,0 +1,13 @@
+require "test_helper"
+
+# See https://actionpolicy.evilmartians.io/#/testing?id=testing-policies
+class Operator::JobPolicyTest < ActiveSupport::TestCase
+  def test_index
+  end
+
+  def test_create
+  end
+
+  def test_manage
+  end
+end

test/policies/session_policy_test.rb

@@ -0,0 +1,13 @@
+require "test_helper"
+
+# See https://actionpolicy.evilmartians.io/#/testing?id=testing-policies
+class SessionPolicyTest < ActiveSupport::TestCase
+  def test_index
+  end
+
+  def test_create
+  end
+
+  def test_manage
+  end
+end