Add an authorization framework

This will help to support future requests like #98
sul-dlss · Mar 4, 2020 · 2845ef4 · 2845ef4
1 parent 4d1a274
commit 2845ef4
Show file tree

Hide file tree

Showing 10 changed files with 53 additions and 1 deletion.
diff --git a/Gemfile b/Gemfile
@@ -18,6 +18,7 @@ gem 'pg'
 # Reduces boot times through caching; required in config/boot.rb
 gem 'bootsnap', '>= 1.4.2', require: false
 
+gem 'action_policy'
 gem 'assembly-objectfile', '~> 1.9'
 gem 'cocina-models'
 gem 'committee'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,6 +1,7 @@
 GEM
   remote: https://rubygems.org/
   specs:
+    action_policy (0.4.3)
     actioncable (6.0.2.1)
       actionpack (= 6.0.2.1)
       nio4r (~> 2.0)
@@ -370,6 +371,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  action_policy
   assembly-objectfile (~> 1.9)
   bcrypt (~> 3.1.7)
   bootsnap (>= 1.4.2)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -2,4 +2,6 @@
 
 class ApplicationController < ActionController::API
   include RequestAuthorization
+  include ActionPolicy::Controller
+  authorize :user, through: :current_user
 end
diff --git a/app/controllers/authentication_controller.rb b/app/controllers/authentication_controller.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: true
+  # frozen_string_literal: true
 
 class AuthenticationController < ApplicationController
   before_action :authorize_request, except: :login

diff --git a/app/controllers/resources_controller.rb b/app/controllers/resources_controller.rb
@@ -9,6 +9,7 @@ class ResourcesController < ApplicationController
   # rubocop:disable Metrics/AbcSize
   # rubocop:disable Metrics/MethodLength
   def create
+    authorize! :resource
     begin
       response_cocina_obj = Dor::Services::Client.objects.register(params: cocina_model)
     rescue Dor::Services::Client::UnexpectedResponse => e

diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
@@ -0,0 +1,18 @@
+# Base class for application policies
+class ApplicationPolicy < ActionPolicy::Base
+  # Configure additional authorization contexts here
+  # (`user` is added by default).
+  #
+  #   authorize :account, optional: true
+  #
+  # Read more about authoriztion context: https://actionpolicy.evilmartians.io/#/authorization_context
+
+  private
+
+  # Define shared methods useful for most policies.
+  # For example:
+  #
+  #  def owner?
+  #    record.user_id == user.id
+  #  end
+end
diff --git a/app/policies/resource_policy.rb b/app/policies/resource_policy.rb
@@ -0,0 +1,9 @@
+# A policy to govern access to resources
+class ResourcePolicy < ApplicationPolicy
+  # See https://actionpolicy.evilmartians.io/#/writing_policies
+
+  # Any use with an account can create resources
+  def create?
+    true
+  end
+end
diff --git a/spec/factories/users.rb b/spec/factories/users.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :user
+end
diff --git a/spec/policies/resource_policy_spec.rb b/spec/policies/resource_policy_spec.rb
@@ -0,0 +1,13 @@
+require "rails_helper"
+
+RSpec.describe ResourcePolicy, type: :policy do
+  # See https://actionpolicy.evilmartians.io/#/testing?id=rspec-dsl
+  #
+  let(:user) { build_stubbed :user }
+  # let(:record) { build_stubbed :post, draft: false }
+  let(:context) { { user: user } }
+
+  describe_rule :create? do
+    succeed "when the user exists"
+  end
+end
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
@@ -15,6 +15,7 @@
 require 'rspec/rails'
 require 'webmock/rspec'
 require 'equivalent-xml'
+require "action_policy/rspec/dsl"
 
 # Add additional requires below this line. Rails is not loaded until this point!