From: Andy Allan Date: Thu, 1 Mar 2018 02:24:35 +0000 (+0800) Subject: Add cancancan and the first ability definitions for site_controller X-Git-Tag: live~2772^2~15^2~12 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/ffa65d4d725fc376037cd8390f30df45f85b6d8e?ds=sidebyside Add cancancan and the first ability definitions for site_controller
---
diff --git a/Gemfile b/Gemfile
index 78e2aac97..8b8eae0bb 100644
--- a/Gemfile
+++ b/Gemfile
@@ -54,6 +54,7 @@ gem "rails-i18n", "~> 4.0.0"
 gem "record_tag_helper"
 gem "rinku", ">= 1.2.2", :require => "rails_rinku"
 gem "validates_email_format_of", ">= 1.5.1"
+gem "cancancan"
 
 # Native OSM extensions
 gem "quad_tile", "~> 1.0.1"
diff --git a/Gemfile.lock b/Gemfile.lock
index 417a7634a..06ddc0fe2 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -59,6 +59,7 @@ GEM
 binding_of_caller (0.8.0)
 debug_inspector (>= 0.0.1)
 builder (3.2.3)
+ cancancan (2.1.3)
 canonical-rails (0.2.3)
 rails (>= 4.1, < 5.3)
 capybara (2.18.0)
@@ -369,6 +370,7 @@ DEPENDENCIES
 better_errors
 bigdecimal (~> 1.1.0)
 binding_of_caller
+ cancancan
 canonical-rails
 capybara (~> 2.13)
 coffee-rails (~> 4.2)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index db4ae9ad3..394b04d58 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,5 +1,6 @@
 class ApplicationController < ActionController::Base
 include SessionPersistence
+ check_authorization
 
 protect_from_forgery :with => :exception
 
@@ -467,6 +468,11 @@ class ApplicationController < ActionController::Base
 raise
 end
 
+ rescue_from CanCan::AccessDenied do |exception|
+ raise "Access denied on #{exception.action} #{exception.subject.inspect}"
+ # ...
+ end
+
 private
 
 # extract authorisation credentials from headers, returns user = nil if none
diff --git a/app/controllers/site_controller.rb b/app/controllers/site_controller.rb
index 6cbe302d6..bfff50c6d 100644
--- a/app/controllers/site_controller.rb
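Review bot: `gem "cancancan"` is added to the Gemfile with no version constraint, so only Gemfile.lock (2.1.3) holds the authorization layer at a known version and a later `bundle update` can cross a major release unnoticed. Several neighbouring gems carry constraints (`gem "rinku", ">= 1.2.2"`, `gem "quad_tile", "~> 1.0.1"`); `gem "cancancan", "~> 2.1"` would follow that style and keep upgrades of the access-control library deliberate.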
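Review bot: `check_authorization` on ApplicationController applies to every controller in the app, yet this commit only satisfies it for SiteController (`authorize_resource`) and two UserController actions (`skip_authorization_check`); any other controller whose actions do not already call `authorize!` will raise `CanCan::AuthorizationNotPerformed`, which is a sibling of `CanCan::AccessDenied` rather than a subclass, so the handler added further down this file does not catch it. As far as I recall cancancan implements this check as an `after_action`, meaning it fails the response only after the action body (and any writes it performed) has run — the control that actually prevents work is the per-controller `authorize!`, which is worth recording next to the line: `# Fail closed: every action must call authorize!/authorize_resource or opt out via skip_authorization_check; otherwise CanCan::AuthorizationNotPerformed is raised (after_action, so it does not stop side effects).` If the remaining controllers are migrated in follow-up commits, the commit message should say which ones are still uncovered.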
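Review bot: The `rescue_from CanCan::AccessDenied` handler re-raises a plain RuntimeError, so every authorization failure becomes a 500 instead of a 403 (or a redirect to login), and the message interpolates `exception.subject.inspect`, which for an ActiveRecord subject copies the record's attributes into logs and any error reporter; the `# ...` after the `raise` is unreachable and reads as an unfinished placeholder. If this is deliberately temporary it needs a TODO saying so; otherwise log the action and subject class and answer with a forbidden status, e.g. `logger.info "Access denied on #{exception.action} #{exception.subject.class}"` followed by `head :forbidden` in place of the `raise` and `# ...` lines (if the existing error helper in this controller can render a status, using it with a translated message would be nicer for browser clients, but its signature is outside this hunk). ApplicationController continues outside the hunk.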
+++ b/app/controllers/site_controller.rb
@@ -6,10 +6,11 @@ class SiteController < ApplicationController
 before_action :set_locale
 before_action :redirect_browse_params, :only => :index
 before_action :redirect_map_params, :only => [:index, :edit, :export]
- before_action :require_user, :only => [:welcome]
 before_action :require_oauth, :only => [:index]
 before_action :update_totp, :only => [:index]
 
+ authorize_resource :class => false
+
 def index
 session[:location] ||= OSM.ip_location(request.env["REMOTE_ADDR"]) unless STATUS == :database_readonly || STATUS == :database_offline
 end
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 63fad8c83..d853d4822 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -1,6 +1,8 @@
 class UserController < ApplicationController
 layout "site", :except => [:api_details]
 
+ skip_authorization_check :only => [:login, :logout]
+
 skip_before_action :verify_authenticity_token, :only => [:api_read, :api_details, :api_gpx_files, :auth_success]
 before_action :disable_terms_redirect, :only => [:terms, :save, :logout, :api_details]
 before_action :authorize, :only => [:api_details, :api_gpx_files]
diff --git a/app/models/ability.rb b/app/models/ability.rb
new file mode 100644
index 000000000..c712e3e82
--- /dev/null
+++ b/app/models/ability.rb
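Review bot: Removing `before_action :require_user, :only => [:welcome]` changes what an anonymous visitor to welcome receives: require_user presumably redirected to the login page, whereas the replacement path raises CanCan::AccessDenied, which ApplicationController in this same commit turns into an unhandled RuntimeError, so the login redirect is lost until that handler renders a real response. Separately, `authorize_resource :class => false` authorizes every SiteController action against the `:site` subject, but the Ability added here grants only :index and :welcome, so the other actions routed through this controller (the before_actions above reference :edit and :export) are denied for everyone, logged in or not. Either grant the remaining site actions in Ability within this change, or narrow it to `authorize_resource :class => false, :only => [:index, :welcome]` until they are covered. The SiteController class continues outside the hunk.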
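Review bot: `skip_authorization_check :only => [:login, :logout]` exempts just two actions, so every other UserController action visible here (terms, save, api_read, api_details, api_gpx_files, auth_success, and whatever else the class defines) now has to satisfy the app-wide `check_authorization` and, with no `authorize!` call shown for them, will raise on every request. If that is an intended transitional state, make it explicit with `# TODO: remaining actions still need authorize!/authorize_resource now that check_authorization is enabled app-wide` above the skip; if not, the skip list or the Ability needs to cover them before this ships. Keep the skip list limited to genuinely unauthenticated entry points like :login rather than growing it as a shortcut. The UserController class continues outside the hunk.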
@@ -0,0 +1,37 @@
+class Ability
+ include CanCan::Ability
+
+ def initialize(user)
+ can :index, :site
+
+ if user
+ can :welcome, :site
+ end
+ # Define abilities for the passed in user here. For example:
+ #
+ # user ||= User.new # guest user (not logged in)
+ # if user.admin?
+ # can :manage, :all
+ # else
+ # can :read, :all
+ # end
+ #
+ # The first argument to `can` is the action you are giving the user
+ # permission to do.
+ # If you pass :manage it will apply to every action. Other common actions
+ # here are :read, :create, :update and :destroy.
+ #
+ # The second argument is the resource the user can perform the action on.
+ # If you pass :all it will apply to every resource. Otherwise pass a Ruby
+ # class of the resource.
+ #
+ # The third argument is an optional hash of conditions to further filter the
+ # objects.
+ # For example, here the user can only update published articles.
+ #
+ # can :update, Article, :published => true
+ #
+ # See the wiki for details:
+ # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
+ end
+end
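Review bot: Most of Ability#initialize is the generator's template comment (the `user ||= User.new` and `Article` examples), which describes nothing about this app's rules and will only go stale; replace it with a short header above the method stating the actual contract: `user` is the current user or nil for anonymous requests, anything not granted here is denied (cancancan is deny-by-default), and `:site` is the symbol subject matched by `authorize_resource :class => false` in SiteController. Note also that `if user` grants :welcome to any non-nil user object regardless of account state — if the app distinguishes suspended or deleted accounts elsewhere, that condition belongs in this rule too, though I cannot confirm that from the diff. A one-line why-comment on `can :index, :site` (`# the map front page is public`) would make the anonymous grant read as intentional rather than as an omission.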