Fix ordering of authorize before_action for admin resources

TrestleAdmin · Feb 1, 2022 · 697666c · 697666c
1 parent e4585ee
commit 697666c
Show file tree

Hide file tree

Showing 11 changed files with 118 additions and 27 deletions.
diff --git a/lib/trestle/auth/controller/authorization.rb b/lib/trestle/auth/controller/authorization.rb
@@ -6,6 +6,7 @@ module Authorization
 
         included do
           before_action :authorize, if: :authorize?
+
           helper_method :authorized?
           helper_method :authorizer_cache
 

diff --git a/lib/trestle/auth/extensions/resource_controller.rb b/lib/trestle/auth/extensions/resource_controller.rb
@@ -2,6 +2,14 @@ module Trestle
   module Auth
     module Extensions
       module ResourceController
+        extend ActiveSupport::Concern
+
+        included do
+          # Redefine the before_action so that it is not called
+          # until after the instance is initialized.
+          before_action :authorize, if: :authorize?
+        end
+
       protected
         def authorization_target
           instance || admin.model

diff --git a/spec/dummy/app/admin/cancancan_resource_admin.rb b/spec/dummy/app/admin/cancancan_resource_admin.rb
@@ -0,0 +1,3 @@
+Trestle.resource(:cancancan_resource, model: Administrator, register_model: false) do
+  authorize_with cancancan: Ability
+end
diff --git a/spec/dummy/app/admin/dsl_resource_admin.rb b/spec/dummy/app/admin/dsl_resource_admin.rb
@@ -0,0 +1,5 @@
+Trestle.resource(:dsl_resource, model: Administrator, register_model: false) do
+  authorize do
+    access! { |instance| instance == current_user }
+  end
+end
diff --git a/spec/dummy/app/admin/pundit_resource_admin.rb b/spec/dummy/app/admin/pundit_resource_admin.rb
@@ -0,0 +1,3 @@
+Trestle.resource(:pundit_resource, model: Administrator, register_model: false) do
+  authorize_with pundit: AdministratorPolicy
+end
diff --git a/spec/dummy/app/models/ability.rb b/spec/dummy/app/models/ability.rb
@@ -3,5 +3,6 @@ class Ability
 
   def initialize(user)
     can :read, CancancanAdmin if user.super?
+    can :manage, user
   end
 end
diff --git a/spec/dummy/app/policies/administrator_policy.rb b/spec/dummy/app/policies/administrator_policy.rb
@@ -0,0 +1,9 @@
+class AdministratorPolicy
+  def initialize(user, target)
+    @user, @target = user, target
+  end
+
+  def show?
+    @user == @target
+  end
+end
diff --git a/spec/feature/can_can_authorization_spec.rb b/spec/feature/can_can_authorization_spec.rb
@@ -14,18 +14,37 @@ def create_administrator(attrs={})
     Administrator.create!({ first_name: "Admin", last_name: "User", email: "[email protected]", password: "password" }.merge(attrs))
   end
 
-  scenario "prevent access to unauthorized users" do
-    login
-    visit "/admin/cancancan"
+  context "plain admin" do
+    scenario "prevent access to unauthorized users" do
+      login
+      visit "/admin/cancancan"
 
-    expect(page).to have_current_path("/admin")
-    expect(page).to have_content("You are not authorized to access this page.")
+      expect(page).to have_current_path("/admin")
+      expect(page).to have_content("You are not authorized to access this page.")
+    end
+
+    scenario "grant access to authorized users" do
+      login(email: "[email protected]")
+      visit "/admin/cancancan"
+
+      expect(page).to have_current_path("/admin/cancancan")
+    end
   end
 
-  scenario "grant access to authorized users" do
-    login(email: "[email protected]")
-    visit "/admin/cancancan"
+  context "resourceful admin" do
+    scenario "prevent access to unauthorized users" do
+      login_as(@regular_admin)
+      visit "/admin/cancancan_resource/#{@super_admin.id}"
+
+      expect(page).to have_current_path("/admin")
+      expect(page).to have_content("You are not authorized to access this page.")
+    end
+
+    scenario "grant access to authorized users" do
+      login_as(@regular_admin)
+      visit "/admin/cancancan_resource/#{@regular_admin.id}"
 
-    expect(page).to have_current_path("/admin/cancancan")
+      expect(page).to have_current_path("/admin/cancancan_resource/#{@regular_admin.id}")
+    end
   end
 end
diff --git a/spec/feature/dsl_authorization_spec.rb b/spec/feature/dsl_authorization_spec.rb
@@ -14,18 +14,37 @@ def create_administrator(attrs={})
     Administrator.create!({ first_name: "Admin", last_name: "User", email: "[email protected]", password: "password" }.merge(attrs))
   end
 
-  scenario "prevent access to unauthorized users" do
-    login
-    visit "/admin/dsl"
+  context "plain admin" do
+    scenario "prevent access to unauthorized users" do
+      login
+      visit "/admin/dsl"
 
-    expect(page).to have_current_path("/admin")
-    expect(page).to have_content("You are not authorized to access this page.")
+      expect(page).to have_current_path("/admin")
+      expect(page).to have_content("You are not authorized to access this page.")
+    end
+
+    scenario "grant access to authorized users" do
+      login(email: "[email protected]")
+      visit "/admin/dsl"
+
+      expect(page).to have_current_path("/admin/dsl")
+    end
   end
 
-  scenario "grant access to authorized users" do
-    login(email: "[email protected]")
-    visit "/admin/dsl"
+  context "resourceful admin" do
+    scenario "prevent access to unauthorized users" do
+      login_as(@regular_admin)
+      visit "/admin/dsl_resource/#{@super_admin.id}"
+
+      expect(page).to have_current_path("/admin")
+      expect(page).to have_content("You are not authorized to access this page.")
+    end
+
+    scenario "grant access to authorized users" do
+      login_as(@regular_admin)
+      visit "/admin/dsl_resource/#{@regular_admin.id}"
 
-    expect(page).to have_current_path("/admin/dsl")
+      expect(page).to have_current_path("/admin/dsl_resource/#{@regular_admin.id}")
+    end
   end
 end
diff --git a/spec/feature/pundit_authorization_spec.rb b/spec/feature/pundit_authorization_spec.rb
@@ -14,18 +14,37 @@ def create_administrator(attrs={})
     Administrator.create!({ first_name: "Admin", last_name: "User", email: "[email protected]", password: "password" }.merge(attrs))
   end
 
-  scenario "prevent access to unauthorized users" do
-    login
-    visit "/admin/pundit"
+  context "plain admin" do
+    scenario "prevent access to unauthorized users" do
+      login
+      visit "/admin/pundit"
 
-    expect(page).to have_current_path("/admin")
-    expect(page).to have_content("You are not authorized to access this page.")
+      expect(page).to have_current_path("/admin")
+      expect(page).to have_content("You are not authorized to access this page.")
+    end
+
+    scenario "grant access to authorized users" do
+      login(email: "[email protected]")
+      visit "/admin/pundit"
+
+      expect(page).to have_current_path("/admin/pundit")
+    end
   end
 
-  scenario "grant access to authorized users" do
-    login(email: "[email protected]")
-    visit "/admin/pundit"
+  context "resourceful admin" do
+    scenario "prevent access to unauthorized users" do
+      login_as(@regular_admin)
+      visit "/admin/pundit_resource/#{@super_admin.id}"
+
+      expect(page).to have_current_path("/admin")
+      expect(page).to have_content("You are not authorized to access this page.")
+    end
+
+    scenario "grant access to authorized users" do
+      login_as(@regular_admin)
+      visit "/admin/pundit_resource/#{@regular_admin.id}"
 
-    expect(page).to have_current_path("/admin/pundit")
+      expect(page).to have_current_path("/admin/pundit_resource/#{@regular_admin.id}")
+    end
   end
 end
diff --git a/spec/support/login_helpers.rb b/spec/support/login_helpers.rb
@@ -15,6 +15,10 @@ def login(email: "[email protected]", password: "password", remember_me: false)
         def logout
           click_link "Logout"
         end
+
+        def login_as(user)
+          login(email: user.email)
+        end
       end
     end
   end