Section 8.8: Restrict actions in TicketsController based on permissions and hide links
Ryan Bigg committed Dec 10, 2014
1 parent 3512c40 commit 0a42901
Showing 5 changed files with 86 additions and 9 deletions.
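--- a/ticketee/app/helpers/application_helper.rb
+++ b/ticketee/app/helpers/application_helper.rb
@@ -10,4 +10,8 @@ def title(*parts)
 def admins_only(&block)
 block.call if current_user.try(:admin?)
 end
+
+def authorized?(permission, thing, &block)
+block.call if policy(thing).send("#{permission}?")
+end
 end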
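Review bot: `policy(thing).send("#{permission}?")` in the added `authorized?` helper can reach private methods of the policy as well as its public predicates; since `permission` is only meant to pick a policy predicate, `public_send` states that intent and fails loudly if a caller ever passes something that is not a public `?` method: `block.call if policy(thing).public_send("#{permission}?")`. Both call sites in this commit pass a literal, so this is hygiene rather than an exploitable path today. Note also that this helper only decides whether a link is rendered: the commit title speaks of restricting actions in TicketsController, but no controller file is among the five changed files, so unless that enforcement lives in a commit not shown here a user without write permission can still reach the new/edit/destroy actions by typing the URL.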
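--- a/ticketee/app/policies/project_policy.rb
+++ b/ticketee/app/policies/project_policy.rb
@@ -7,6 +7,7 @@ def initialize(user, project)
 end
 
 def write?
+user.admin? ||
 user.permissions.exists?(thing: project, action: :write)
 end
 end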
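Review bot: The added `user.admin? ||` in `write?` raises NoMethodError if the policy is ever built for an anonymous visitor (nil user), whereas the existing `admins_only` helper in this same commit tolerates a nil `current_user` via `try(:admin?)`. `initialize(user, project)` and the rest of the class sit outside this hunk, so I cannot tell whether a nil user is rejected earlier; if it is not, `user.try(:admin?) ||` keeps the two admin checks consistent and makes an unauthenticated request fail closed (predicate false) instead of with a 500. Either way, a one-line comment such as `# admins bypass per-project permissions` on the new line would save the next reader from wondering whether the short-circuit is deliberate.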
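--- a/ticketee/app/views/projects/show.html.erb
+++ b/ticketee/app/views/projects/show.html.erb
@@ -17,9 +17,9 @@
 class: "delete" %>
 <% end %>
 
-<%= link_to "New Ticket",
-new_project_ticket_path(@project),
-class: "new" %>
+<% authorized?(:write, @project) do %>
+<%= link_to "New Ticket", new_project_ticket_path(@project) %>
+<% end %>
 
 <div class='row'>
 <ul id='tickets'>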
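Review bot: The replacement `link_to "New Ticket"` drops the `class: "new"` that the removed line carried, so any stylesheet rule or selector-based spec keyed on `a.new` silently loses this link; restore it unless the class is being retired on purpose: `<%= link_to "New Ticket", new_project_ticket_path(@project), class: "new" %>`. Separately, this view passes the permission as the symbol `:write` while tickets/show.html.erb in the same commit passes the string `"write"`; both interpolate to `write?`, but settling on one form keeps call sites greppable. Hiding the link is presentation only — whether TicketsController#new/#create refuse a user who lacks write permission is not visible in this commit.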
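--- a/ticketee/app/views/tickets/show.html.erb
+++ b/ticketee/app/views/tickets/show.html.erb
@@ -1,11 +1,13 @@
 <div id='ticket'>
 <h2><%= @ticket.title %></h2>
-<%= link_to "Edit Ticket",
-[:edit, @project, @ticket],
-class: "edit" %>
-<%= link_to "Delete Ticket", [@project, @ticket], method: :delete,
-data: { confirm: "Are you sure you want to delete this ticket?"},
-class: "delete" %>
+<%= authorized?("write", @project) do %>
+<%= link_to "Edit Ticket",
+[:edit, @project, @ticket],
+class: "edit" %>
+<%= link_to "Delete Ticket", [@project, @ticket], method: :delete,
+data: { confirm: "Are you sure you want to delete this ticket?"},
+class: "delete" %>
+<% end %>
 <div id='author'>
 Created by <%= @ticket.author.email %>
 </div>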
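Review bot: The block is opened with the printing tag `<%= authorized?("write", @project) do %>` even though the helper does not `capture` its block — it simply returns whatever `block.call` evaluates to — so the outer `<%=` may append the block's last expression to the page a second time on top of what the inner `<%= link_to %>` tags already wrote. projects/show.html.erb in this same commit uses the non-printing form, which is the right one for a helper that only conditionally yields; change the opening line to `<% authorized?("write", @project) do %>`. Worth confirming by rendering once with write permission, since exactly what gets duplicated depends on the ERB compiler's block handling and the link-presence specs would not catch a doubled link.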
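--- a/ticketee/spec/features/hidden_links_spec.rb
+++ b/ticketee/spec/features/hidden_links_spec.rb
@@ -4,6 +4,10 @@
 let(:user) { FactoryGirl.create(:user) }
 let(:admin) { FactoryGirl.create(:user, :admin) }
 let(:project) { FactoryGirl.create(:project) }
+let(:ticket) do
+FactoryGirl.create(:ticket, project: project,
+author: user)
+end
 
 context "anonymous users" do
 scenario "cannot see the New Project link" do
@@ -38,6 +42,53 @@
 visit project_path(project)
 assert_no_link_for "Delete Project"
 end
+
+scenario "New ticket link is shown to a user with permission" do
+define_permission!(user, "read", project)
+define_permission!(user, "write", project)
+visit project_path(project)
+assert_link_for "New Ticket"
+end
+
+scenario "New ticket link is hidden from a user without permission" do
+define_permission!(user, "read", project)
+visit project_path(project)
+assert_no_link_for "New Ticket"
+end
+
+scenario "Edit ticket link is shown to a user with permission" do
+ticket
+define_permission!(user, "read", project)
+define_permission!(user, "write", project)
+visit project_path(project)
+click_link ticket.title
+assert_link_for "Edit Ticket"
+end
+
+scenario "Edit ticket link is hidden from a user without permission" do
+ticket
+define_permission!(user, "read", project)
+visit project_path(project)
+click_link ticket.title
+assert_no_link_for "Edit Ticket"
+end
+
+scenario "Delete ticket link is shown to a user with permission" do
+ticket
+define_permission!(user, "read", project)
+define_permission!(user, "write", project)
+visit project_path(project)
+click_link ticket.title
+assert_link_for "Delete Ticket"
+end
+
+scenario "Delete ticket link is hidden from users without permission" do
+ticket
+define_permission!(user, "read", project)
+visit project_path(project)
+click_link ticket.title
+assert_no_link_for "Delete Ticket"
+end
 end
 
 context "admin users" do
@@ -56,5 +107,24 @@
 visit project_path(project)
 assert_link_for "Delete Project"
 end
+
+scenario "New ticket link is shown to admins" do
+visit project_path(project)
+assert_link_for "New Ticket"
+end
+
+scenario "Edit ticket link is shown to admins" do
+ticket
+visit project_path(project)
+click_link ticket.title
+assert_link_for "Edit Ticket"
+end
+
+scenario "Delete ticket link is shown to admins" do
+ticket
+visit project_path(project)
+click_link ticket.title
+assert_link_for "Delete Ticket"
+end
 end
 end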
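Review bot: Every added scenario asserts only whether a link is rendered; none visits `new_project_ticket_path(project)` or the edit/delete routes directly as a user holding only read permission, so the suite stays green even if the controller never enforces the policy and the links are merely hidden. Add request-level scenarios next to these — `visit new_project_ticket_path(project)` as the read-only user, then assert the app's existing "not allowed" message and that the form is absent (the exact message is not visible here). The "anonymous users" context earlier in the file gains no ticket-link scenarios, so the nil-user path through `authorized?` and `ProjectPolicy#write?` is not exercised either; one scenario visiting a ticket page signed out would cover it.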
