Added acces rules for jobs, operator/jobs and admin/dashboard view, including lazy loading for cancel button in broadcasts

2024-09-13 14:27:50 +02:00
parent 64289d045d
commit 418b41556e
19 changed files with 145 additions and 11 deletions
--- a/app/controllers/admin/dashboards_controller.rb
+++ b/app/controllers/admin/dashboards_controller.rb
@@ -1,4 +1,9 @@
 class Admin::DashboardsController < ApplicationController
+  before_action :authorize!
  def show
  end
+
+  def authorize!
+    super with: Admin::DashboardPolicy
+  end
 end
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,6 +2,8 @@ class ApplicationController < ActionController::Base
  before_action :set_current_request_details
  before_action :authenticate_user!

+  verify_authorized
+
  private
    def current_user
      Current.user || authenticate_user_from_session
--- a/app/controllers/jobs_controller.rb
+++ b/app/controllers/jobs_controller.rb
@@ -1,8 +1,11 @@
 class JobsController < ApplicationController
-  skip_before_action :authenticate_user!, only: :index
+  skip_before_action :authenticate_user!, only: [ :index, :cancel_button ]
+  skip_verify_authorized only: [ :index, :new, :create, :cancel_button ]
+
  # GET /jobs or /jobs.json
  def index
    @jobs = Job.currently_working_on
+    @no_turbo_stream = true
  end

  # GET /jobs/new
@@ -28,6 +31,7 @@ class JobsController < ApplicationController

  def cancel
    @job = Job.find(params[:id])
+    authorize! @job
    if @job.canceled!
      flash[:notice] = "Job successfully canceled"
      @status_changed = true
@@ -42,6 +46,12 @@ class JobsController < ApplicationController
    end
  end

+  def cancel_button
+    @job = Job.find(params[:id])
+
+    render partial: "jobs/cancel_button", locals: { job: @job }
+  end
+
  private

  def broadcast_update_status_cards_and_start_next_job_button
--- a/app/controllers/operator/jobs_controller.rb
+++ b/app/controllers/operator/jobs_controller.rb
@@ -1,6 +1,7 @@
 class Operator::JobsController < ApplicationController
  before_action :set_job, only: %i[show edit update destroy increment_page decrement_page]
  before_action :set_job_lists, only: %i[index]
+  before_action :authorize!

  # GET /jobs or /jobs.json
  def index
@@ -133,7 +134,7 @@ class Operator::JobsController < ApplicationController
  end

  def broadcast_update_job
-    Turbo::StreamsChannel.broadcast_replace_later_to "jobs", target: @job, partial: "jobs/job_tr", locals: { job: @job }
+    Turbo::StreamsChannel.broadcast_replace_later_to "jobs", target: @job, partial: "jobs/job_tr", locals: { job: @job  }
    if @status_changed
      Turbo::StreamsChannel.broadcast_remove_to "operator_jobs", target: @job
      broadcast_update_status_cards_and_start_next_job_button
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -1,4 +1,5 @@
 class PasswordsController < ApplicationController
+  skip_verify_authorized only: [ :edit, :update ]
  before_action :set_user

  def edit
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -1,4 +1,6 @@
 class ProfilesController < ApplicationController
+  skip_verify_authorized only: [ :show, :edit, :destroy ]
+
  def show
  end

--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,5 +1,6 @@
 class SessionsController < ApplicationController
  skip_before_action :authenticate_user!, only: %i[ new create ]
+  skip_verify_authorized only: [ :index, :new, :create, :destroy ]

  before_action :set_session, only: :destroy