#465: updated RepositoryPolicy

app/controllers/advisories_controller.rb

@@ -1,11 +1,10 @@
 class AdvisoriesController < ApplicationController
   before_action :authenticate_user!
   skip_before_action :authenticate_user! if APP_CONFIG['anonymous_access']
-  load_resource find_by: :advisory_id
-  authorize_resource
 
   def index
-    @advisories = @advisories.includes(:platforms).search(params[:q]).uniq
+    authorize :advisories
+    @advisories = Advisory.includes(:platforms).search(params[:q]).uniq
     @advisories_count = @advisories.count
     @advisories = @advisories.paginate(page: current_page, per_page: Advisory.per_page)
     respond_to do |format|
@@ -16,10 +15,12 @@ class AdvisoriesController < ApplicationController
   end
 
   def show
+    authorize @advisory = Advisory.find_by(advisory_id: params[:id])
     @packages_info = @advisory.fetch_packages_info
   end
 
   def search
+    authorize :advisories, :index?
     @advisory = Advisory.by_update_type(params[:bl_type]).search_by_id(params[:query]).first
     if @advisory.nil?
       render nothing: true, status: 404

app/controllers/platforms/base_controller.rb

@@ -1,2 +1,11 @@
 class Platforms::BaseController < ApplicationController
+  before_action :load_platform
+
+protected
+
+  def load_platform
+    return unless params[:platform_id]
+    authorize @platform = Platform.find_cached(params[:platform_id]), :show?
+  end
+
 end

app/controllers/platforms/platforms_controller.rb

@@ -3,7 +3,6 @@ class Platforms::PlatformsController < Platforms::BaseController
 
   before_action :authenticate_user!
   skip_before_action :authenticate_user!, only: [:advisories, :members, :show] if APP_CONFIG['anonymous_access']
-  # load_and_authorize_resource
 
   def index
     respond_to do |format|

app/controllers/platforms/repositories_controller.rb

@@ -7,11 +7,14 @@ class Platforms::RepositoriesController < Platforms::BaseController
   before_action :authenticate_user!
   skip_before_action :authenticate_user!, only: [:index, :show, :projects_list] if APP_CONFIG['anonymous_access']
 
-  load_and_authorize_resource :platform
-  load_and_authorize_resource :repository, through: :platform, shallow: true
+  # load_and_authorize_resource :platform
+  # load_and_authorize_resource :repository, through: :platform, shallow: true
   before_action :set_members, only: [:edit, :update]
+  before_action :load_repository
+  before_action -> { @repository = @platform.repositories.find(params[:id]) if params[:id] }
 
   def index
+    @repositories = @platform.repositories
     @repositories = Repository.custom_sort(@repositories).paginate(page: current_page)
   end
 
@@ -168,7 +171,11 @@ class Platforms::RepositoriesController < Platforms::BaseController
     redirect_to edit_platform_repository_path(@platform, @repository)
   end
 
-  protected
+protected
+
+  def load_repository
+    @repository = @platform.repositories.find(params[:id]) if params[:id]
+  end
 
   def set_members
     @members = @repository.members.order('name')

app/policies/repository_policy.rb

@@ -0,0 +1,35 @@
+class RepositoryPolicy < ApplicationPolicy
+
+  def update?
+    local_admin?(record.platform)
+  end
+
+  def reader?
+    local_reader?(record.platform)
+  end
+
+  def write?
+    local_writer?(record.platform)
+  end
+
+  def update?
+    local_admin?(record.platform)
+  end
+  alias_method :manage_members?, :update?
+  alias_method :remove_members?, :update?
+  alias_method :add_member?, :update?
+
+  def add_project?
+    local_admin?(record.platform) || is_member_of_repository?
+  end
+  alias_method :remove_project?, :add_project?
+
+private
+
+  def is_member_of_repository?
+    Rails.cache.fetch(['RepositoryPolicy#is_member_of_repository?', record, user]) do
+      record.members.exists?(id: user.id)
+    end
+  end
+
+end

app/views/platforms/repositories/show.html.slim

@@ -25,11 +25,10 @@
   .row
     hr
     h3= t("layout.projects.list_header")
-    - if policy(@repository).add_project?
+    - if policy(@repository).update?
       a.btn.btn-primary href=add_project_platform_repository_path(@platform, @repository)
         = t('layout.projects.add')
       |  
-    - if policy(@repository).remove_project?
       a.btn.btn-primary href=remove_project_platform_repository_path(@platform, @repository)
         = t('layout.repositories.mass_delete')
   .row