Merge pull request #109 from Jess-White/feature/412-add-authorization

Feature/412 add authorization

Author: cainwatson

Gemfile

@@ -52,3 +52,5 @@ gem 'jb'
 gem 'rack-cors'
 
 gem 'ranked-model'
+
+gem 'pundit', '~> 2.2'

Gemfile.lock

@@ -159,6 +159,8 @@ GEM
     public_suffix (4.0.6)
     puma (4.3.12)
       nio4r (~> 2.0)
+    pundit (2.2.0)
+      activesupport (>= 3.0.0)
     racc (1.6.0)
     rack (2.2.4)
     rack-cors (1.1.1)
@@ -286,6 +288,7 @@ DEPENDENCIES
   jwt
   pg (>= 0.18, < 2.0)
   puma (~> 4.3.12)
+  pundit (~> 2.2)
   rack-cors
   rails (~> 6.0.2, >= 6.0.2.1)
   ranked-model

app/controllers/api/invitations_controller.rb

@@ -5,17 +5,20 @@ class InvitationsController < ApplicationController
     before_action :ensure_organization_exists, except: [:accept]
 
     def index
+      authorize @organization, policy_class: InvitationPolicy
       @invitations = @organization.pending_invitations
       render 'index.json.jb'
     end
 
     def create
+      authorize @organization, policy_class: InvitationPolicy
       invitation_issuer = InvitationIssuer.new(create_invitation_params, @organization)
       @invitation = invitation_issuer.call!
       render 'show.json.jb', status: :created
     end
 
     def accept
+      authorize Invitation, :accept?
       # TODO: Remove /organizations/:id/users#create
       invitation_accepter = InvitationAccepter.new(params[:token], accept_invitation_user_params)
       @invitation = invitation_accepter.call!
@@ -27,15 +30,17 @@ def accept
     end
 
     def reinvite
-      invitation_email = Invitation.find(params[:id]).email
-      invitation_issuer = InvitationIssuer.new({ email: invitation_email }, @organization)
+      invitation = Invitation.find(params[:id])
+      authorize invitation
+      invitation_issuer = InvitationIssuer.new({ email: invitation.email }, @organization)
       @invitation = invitation_issuer.call!
 
       render 'show.json.jb'
     end
 
     def destroy
       @invitation = Invitation.find(params[:id])
+      authorize @invitation
       @invitation.destroy!
 
       render 'show.json.jb'

app/controllers/api/organization_users_controller.rb

@@ -29,6 +29,7 @@ def show
 
     def destroy
       @organization_user = organization_user
+      authorize @organization_user
       @organization_user.destroy!
       render 'show.json.jb'
     end

app/controllers/application_controller.rb

@@ -1,9 +1,12 @@
 # frozen_string_literal: true
 
 class ApplicationController < ActionController::Base
+  include Pundit::Authorization
+
   rescue_from JWT::DecodeError, with: :handle_unauthorized
   rescue_from JWT::VerificationError, with: :handle_unauthorized
   rescue_from JWT::ExpiredSignature, with: :handle_unauthorized
+  rescue_from Pundit::NotAuthorizedError, with: :handle_unauthorized
   rescue_from ActiveRecord::RecordNotFound, with: :handle_unauthorized
   rescue_from ActiveRecord::RecordInvalid, with: :handle_record_invalid
 

app/policies/application_policy.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+class ApplicationPolicy
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  def index?
+    true
+  end
+
+  def show?
+    true
+  end
+
+  def create?
+    true
+  end
+
+  def new?
+    create?
+  end
+
+  def update?
+    true
+  end
+
+  def edit?
+    update?
+  end
+
+  def destroy?
+    true
+  end
+
+  class Scope
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      raise NotImplementedError, "You must define #resolve in #{self.class}"
+    end
+
+    private
+
+    attr_reader :user, :scope
+  end
+end

app/policies/invitation_policy.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+class InvitationPolicy < ApplicationPolicy
+  # `record` is slightly different depending on which action we're authorizing
+  # * for index? and create?, record is an organization instance
+  # * for accept?, record is the symbol :accept?
+  # * for reinvite? and destroy?, record is an invitation instance
+
+  def index?
+    user.admin_of_organization?(record.id)
+  end
+
+  def create?
+    user.admin_of_organization?(record.id)
+  end
+
+  def accept?
+    true
+  end
+
+  def reinvite?
+    user.admin_of_organization?(record.organization.id)
+  end
+
+  def destroy?
+    user.admin_of_organization?(record.organization.id)
+  end
+end

app/policies/organization_user_policy.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class OrganizationUserPolicy < ApplicationPolicy
+  def destroy?
+    user.admin_of_organization?(record.organization.id)
+  end
+end

spec/controllers/api/invitations_controller_spec.rb

@@ -7,14 +7,38 @@
     id created_at updated_at first_name last_name email expires_at
   ]
 
-  let(:organization) { create(:organization) }
+  let(:chidi) do
+    create(:user, first_name: 'Chidi', last_name: 'Anagonye')
+  end
+  let(:shawn) do
+    create(:user, first_name: 'Shawn')
+  end
+  let(:organization) { create(:organization, users: [chidi]) }
 
   describe 'GET /organization/:organization_id/invitations' do
     let!(:invitations) do
       create_list(:invitation, 2, organization_id: organization.id)
     end
 
+    before do
+      allow_any_instance_of(InvitationPolicy).to receive(:index?).and_return(true)
+    end
+
+    context 'when invitation policy fails' do
+      before do
+        allow_any_instance_of(InvitationPolicy).to receive(:index?).and_return(false)
+      end
+
+      it 'renders 401' do
+        set_auth_header(chidi)
+        get :index, params: { organization_id: organization.id }
+
+        expect(response).to have_http_status(401)
+      end
+    end
+
     it 'renders 200 with organization invitations' do
+      set_auth_header(chidi)
       get :index, params: { organization_id: organization.id }
 
       expect(response).to have_http_status(200)
@@ -49,6 +73,23 @@
       }
     end
 
+    before do
+      allow_any_instance_of(InvitationPolicy).to receive(:create?).and_return(true)
+    end
+
+    context 'when invitation policy fails' do
+      before do
+        allow_any_instance_of(InvitationPolicy).to receive(:create?).and_return(false)
+      end
+
+      it 'renders 401' do
+        set_auth_header(chidi)
+        post :create, params: invitation_params
+
+        expect(response).to have_http_status(401)
+      end
+    end
+
     it 'render 422 with invalid or missing params' do
       post :create, params: {
         organization_id: organization.id,
@@ -87,6 +128,26 @@
   describe 'POST /invitations/:token/accept' do
     let!(:invitation) { create(:invitation, organization: organization) }
 
+    before do
+      allow_any_instance_of(InvitationPolicy).to receive(:accept?).and_return(true)
+    end
+
+    context 'when invitation policy fails' do
+      before do
+        allow_any_instance_of(InvitationPolicy).to receive(:accept?).and_return(false)
+      end
+
+      it 'renders 401' do
+        set_auth_header(chidi)
+        post :accept, params: {
+          token: invitation.token,
+          password: 'password'
+        }
+
+        expect(response).to have_http_status(401)
+      end
+    end
+
     context 'when token has expired' do
       before do
         invitation.update!(expires_at: Date.yesterday)
@@ -163,6 +224,26 @@
   describe 'PATCH /organization/:organization_id/invitations/:id/reinvite' do
     let!(:invitation) { create(:invitation, organization: organization, expires_at: Date.current) }
 
+    before do
+      allow_any_instance_of(InvitationPolicy).to receive(:reinvite?).and_return(true)
+    end
+
+    context 'when invitation policy fails' do
+      before do
+        allow_any_instance_of(InvitationPolicy).to receive(:reinvite?).and_return(false)
+      end
+
+      it 'renders 401' do
+        set_auth_header(chidi)
+        post :reinvite, params: {
+          organization_id: invitation.organization.id,
+          id: invitation.id
+        }
+
+        expect(response).to have_http_status(401)
+      end
+    end
+
     context 'when organization does not exist' do
       it 'renders 401' do
         post :reinvite, params: {
@@ -207,8 +288,28 @@
   end
 
   describe 'DELETE /organization/:organization_id/invitations/:id' do
+    before do
+      allow_any_instance_of(InvitationPolicy).to receive(:destroy?).and_return(true)
+    end
+
     let(:invitation) { create(:invitation, organization: organization) }
 
+    context 'when invitation policy fails' do
+      before do
+        allow_any_instance_of(InvitationPolicy).to receive(:destroy?).and_return(false)
+      end
+
+      it 'renders 401' do
+        set_auth_header(chidi)
+        delete :destroy, params: {
+          organization_id: organization.id,
+          id: invitation.id
+        }
+
+        expect(response).to have_http_status(401)
+      end
+    end
+
     context 'when organization does not exist' do
       it 'renders 401' do
         delete :destroy, params: {

spec/controllers/api/organization_users_controller_spec.rb

@@ -207,6 +207,23 @@
   end
 
   describe 'DELETE /organizations/:organization_id/users/:id' do
+    before do
+      allow_any_instance_of(OrganizationUserPolicy).to receive(:destroy?).and_return(true)
+    end
+
+    context 'when organization user policy fails' do
+      before do
+        allow_any_instance_of(OrganizationUserPolicy).to receive(:destroy?).and_return(false)
+      end
+
+      it 'renders 401' do
+        set_auth_header(chidi)
+        delete :destroy, params: { organization_id: good_place.id, id: chidi.id }
+
+        expect(response).to have_http_status(401)
+      end
+    end
+
     it 'renders 401 if organization does not exist' do
       set_auth_header(chidi)
       delete :destroy, params: { organization_id: 123, id: chidi.id }