Use pundit policies to disable selfdestroy

slovensko-digital · Dec 3, 2023 · 5922070 · 5922070
1 parent 138e7f9
commit 5922070
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 28 deletions.
diff --git a/app/components/admin/groups/members_list_row_component.html.erb b/app/components/admin/groups/members_list_row_component.html.erb
@@ -5,7 +5,7 @@
   <div class="text-center text-gray-900 text-lg font-medium leading-loose"><%= @user.name %></div>
   <div class="text-center text-gray-500 text-base font-normal leading-normal"><%= @user.email %></div>
 </div>
-<% unless @group_membership.group.type == "AdminGroup" && @group_membership.user == Current.user %>
+<% if Pundit.policy(Current.user, [:admin, @group_membership]).destroy? %>
   <%= button_to admin_tenant_group_group_membership_path(Current.tenant, @group_membership.group, @group_membership), method: :delete do %>
     <%= render Common::DeleteButtonComponent.new %>
   <% end %>

diff --git a/app/components/admin/users/users_list_row_component.html.erb b/app/components/admin/users/users_list_row_component.html.erb
@@ -19,8 +19,8 @@
     <%= link_to edit_admin_tenant_user_path(@user.tenant, @user) do %>
       <%= render Common::EditButtonComponent.new %>
     <% end %>
-    <% unless @user == Current.user %>
-      <%= button_to admin_tenant_user_path(@user.tenant, @user), method: :delete do %>
+    <% if Pundit.policy(Current.user, [:admin, @user]).destroy? %>
+      <%= button_to admin_tenant_user_path(@user.tenant, [:admin, @user]), method: :delete do %>
         <%= render Common::DeleteButtonComponent.new %>
       <% end %>
     <% end %>

diff --git a/app/policies/admin/group_membership_policy.rb b/app/policies/admin/group_membership_policy.rb
@@ -13,19 +13,11 @@ def resolve
       if @user.site_admin?
         scope.all
       else
-        scope.includes(:user, :group).where(user: {tenant_id: Current.tenant.id}, group: {tenant_id: Current.tenant.id})
+        scope.includes(:user, :group).where(user: { tenant_id: Current.tenant.id }, group: { tenant_id: Current.tenant.id })
       end
     end
   end
 
-  def index
-    @user.site_admin? || @user.admin?
-  end
-
-  def show?
-    @user.site_admin? || @user.admin?
-  end
-
   def create?
     return false if !@user.site_admin? && !@user.admin?
     return false unless @group_membership.group.tenant == Current.tenant
@@ -34,20 +26,7 @@ def create?
     true
   end
 
-  def new?
-    create?
-  end
-
-  def update?
-    @user.site_admin? || @user.admin?
-  end
-
-  def edit?
-    update?
-  end
-
   def destroy?
-    @user.site_admin? || @user.admin?
+    (@user.site_admin? || @user.admin?) && !(@group_membership.user == @user && @group_membership.group.type == 'AdminGroup')
   end
 end
-
diff --git a/app/policies/admin/user_policy.rb b/app/policies/admin/user_policy.rb
@@ -5,6 +5,7 @@ class Admin::UserPolicy < ApplicationPolicy
 
   def initialize(user_logged_in, user_to_authorize)
     @user = user_logged_in
+    @user_to_authorize = user_to_authorize
   end
 
   class Scope < Scope
@@ -42,7 +43,6 @@ def edit?
   end
 
   def destroy?
-    @user.site_admin? || @user.admin?
+    (@user.site_admin? || @user.admin?) && @user_to_authorize != @user
   end
-
 end