From 0d6f7a3bfbf4c87510a1bcf967b618f98e149d49 Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Tue, 29 Apr 2014 11:25:23 -0400
Subject: clean up permission system

---
 app/controllers/alerts_controller.rb | 4 ----
 app/controllers/application_controller.rb | 7 +------
 app/controllers/brackets_controller.rb | 4 ----
 app/controllers/sessions_controller.rb | 4 ----
 app/controllers/teams_controller.rb | 4 ----
 app/controllers/tournaments_controller.rb | 4 ----
 app/controllers/users_controller.rb | 4 ----
 app/models/alert.rb | 4 ++++
 app/models/bracket.rb | 4 ++++
 app/models/session.rb | 4 ++++
 app/models/team.rb | 4 ++++
 app/models/tournament.rb | 4 ++++
 app/models/user.rb | 3 +++
 config/initializers/permissions_system.rb | 11 +++++++++++
 14 files changed, 35 insertions(+), 30 deletions(-)
 create mode 100644 config/initializers/permissions_system.rb

diff --git a/app/controllers/alerts_controller.rb b/app/controllers/alerts_controller.rb
index b728c7e..8f65f3b 100644
--- a/app/controllers/alerts_controller.rb
+++ b/app/controllers/alerts_controller.rb
@@ -73,10 +73,6 @@ class AlertsController < ApplicationController
 @alert = Alert.find(params[:id])
 end
 
- def is_owner?(object)
- object.author == current_user
- end
-
 # Never trust parameters from the scary internet, only allow the white list through.
 def alert_params
 params.require(:alert).permit(:author_id, :message)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index d5752aa..d416c94 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -14,7 +14,7 @@ class ApplicationController < ActionController::Base
 include SimpleCaptcha::ControllerHelpers
 
 def check_permission(verb, object=nil)
- unless current_user.can?((verb.to_s+"_"+noun).to_sym) or (!object.nil? and is_owner?(object))
+ unless current_user.can?("#{verb.to_s}_#{noun}".to_sym) or object.try(:check_permission, current_user, verb)
 respond_to do |format|
 format.html do
 if object.nil?
@@ -47,9 +47,4 @@ class ApplicationController < ActionController::Base
 object = send("set_"+noun)
 check_permission(:edit, object)
 end
-
- # Override this
- def is_owner?(object)
- return false
- end
 end
diff --git a/app/controllers/brackets_controller.rb b/app/controllers/brackets_controller.rb
index e202c96..c5dd887 100644
--- a/app/controllers/brackets_controller.rb
+++ b/app/controllers/brackets_controller.rb
@@ -101,8 +101,4 @@ class BracketsController < ApplicationController
 puts ">"*80
 params.require(:bracket).require(:matches)
 end
-
- def is_owner?(bracket)
- bracket.user == current_user
- end
 end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 9f0a8e3..dfaeebc 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -48,8 +48,4 @@ class SessionsController < ApplicationController
 def session_params
 params.require(:session).permit(:session_email, :session_user_name, :session_password)
 end
-
- def is_owner?(object)
- object.user == current_user
- end
 end
diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb
index 6abc74c..dc85c8e 100644
--- a/app/controllers/teams_controller.rb
+++ b/app/controllers/teams_controller.rb
@@ -70,8 +70,4 @@ class TeamsController < ApplicationController
 def team_params
 params[:team]
 end
-
- def is_owner?(object)
- object.users.include?(current_user)
- end
 end
diff --git a/app/controllers/tournaments_controller.rb b/app/controllers/tournaments_controller.rb
index 0b81dd9..c58eb94 100644
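Review bot: The new fallback `object.try(:check_permission, current_user, verb)` in check_permission silently evaluates to nil, i.e. deny, when `object` is nil and (with ActiveSupport's try in Rails 4) when the object does not respond to `check_permission`; that is a safe default but nothing on the line says so, and the decision is now split between this method and the model side. A comment above `def check_permission` would document the contract: `# Allowed when the user's role grants "<verb>_<noun>", or when the object itself grants it (ActiveRecord::Base#check_permission, by default ownership via owned_by?); a nil or non-model object never grants.` Two style points on the same line: `verb.to_s` inside the interpolation is redundant (`"#{verb}_#{noun}".to_sym`), and `||` is the conventional boolean operator where `or` is used. The body of check_permission continues past the end of the hunk.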
--- a/app/controllers/tournaments_controller.rb
+++ b/app/controllers/tournaments_controller.rb
@@ -210,10 +210,6 @@ class TournamentsController < ApplicationController
 params.require(:tournament).require(:stages).require(i.to_s).permit(:scheduling_method, :seeding_method)
 end
 
- def is_owner?(object)
- object.hosts.include?(current_user)
- end
-
 # Turn of check_edit, since our #update is flexible
 def check_edit
 set_tournament
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 767d992..e9efb36 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -93,10 +93,6 @@ class UsersController < ApplicationController
 @user = User.find(params[:id])
 end
 
- def is_owner?(object)
- object == current_user
- end
-
 # Never trust parameters from the scary internet, only allow the white list through.
 def user_params
 permitted = [ :name, :email, :user_name, :password, :password_confirmation ]
diff --git a/app/models/alert.rb b/app/models/alert.rb
index 9876711..e8a4cf2 100644
--- a/app/models/alert.rb
+++ b/app/models/alert.rb
@@ -1,3 +1,7 @@
 class Alert < ActiveRecord::Base
 belongs_to :author, class_name: "User"
+
+ def owned_by?(user)
+ self.author == user
+ end
 end
diff --git a/app/models/bracket.rb b/app/models/bracket.rb
index 48414c3..5aac704 100644
--- a/app/models/bracket.rb
+++ b/app/models/bracket.rb
@@ -3,6 +3,10 @@ class Bracket < ActiveRecord::Base
 belongs_to :tournament
 has_many :bracket_matches
 
+ def owned_by?(tuser)
+ self.user == tuser
+ end
+
 def create_matches
 tournament.stages.order(:id).first.matches.order(:id).each do |m|
 bracket_matches.create(match: m)
diff --git a/app/models/session.rb b/app/models/session.rb
index f5e642b..27687eb 100644
--- a/app/models/session.rb
+++ b/app/models/session.rb
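Review bot: `self.author == user` in the new `Alert#owned_by?` is true when both sides are nil, so an alert whose author association is unset would count as owned by a nil user; `Bracket#owned_by?` (`self.user == tuser`) in this diff and `Session#owned_by?` in app/models/session.rb have the same shape. Whether a nil user can reach these methods through check_permission is not visible here (the controller evaluates `current_user.can?` first), but they are public model methods callable from any other path, so failing closed is cheap: `user && author == user`. Minor: the explicit `self.` receiver is unnecessary, and the parameter is named `user` here but `tuser` in Bracket and Session; one name across the owned_by? implementations would read better.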
@@ -1,6 +1,10 @@
 class Session < ActiveRecord::Base
 belongs_to :user
 
+ def owned_by?(tuser)
+ self.user == tuser
+ end
+
 ##
 # Create a random remember token for the user. This will be
 # changed every time the user creates a new session.
diff --git a/app/models/team.rb b/app/models/team.rb
index 828d168..90981da 100644
--- a/app/models/team.rb
+++ b/app/models/team.rb
@@ -3,4 +3,8 @@ class Team < ActiveRecord::Base
 has_and_belongs_to_many :users
 alias_attribute :players, :users
 
+
+ def owned_by?(user)
+ self.users.include?(user)
+ end
 end
diff --git a/app/models/tournament.rb b/app/models/tournament.rb
index 8a96dcc..854b8c9 100644
--- a/app/models/tournament.rb
+++ b/app/models/tournament.rb
@@ -55,6 +55,10 @@ class Tournament < ActiveRecord::Base
 (not self.scoring_method.try(:empty?)) and (scoring_methods.include? scoring_method)
 end
 
+ def owned_by?(user)
+ self.hosts.include?(user)
+ end
+
 # Settings #################################################################
 
 def settings
diff --git a/app/models/user.rb b/app/models/user.rb
index a39037c..ad95683 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,4 +1,7 @@
 class User < ActiveRecord::Base
+ def owned_by?(tuser)
+ self == tuser
+ end
 ##################################################################
 # Relationships #
 ##################################################################
diff --git a/config/initializers/permissions_system.rb b/config/initializers/permissions_system.rb
new file mode 100644
index 0000000..9d1de9f
--- /dev/null
+++ b/config/initializers/permissions_system.rb
@@ -0,0 +1,11 @@
+module ActiveRecord
+ class Base
+ def check_permission(user, verb)
+ user.can?("#{verb.to_s}_#{self.class.name.underscore}".to_sym) or self.owned_by?(user)
+ end
+
+ def owned_by?(user)
+ return false
+ end
+ end
+end
-- cgit v1.2.3
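Review bot: `ActiveRecord::Base#check_permission` in the new config/initializers/permissions_system.rb raises NoMethodError instead of denying when `user` is nil, because `user.can?` is evaluated before `owned_by?`; a first line `return false if user.nil?` makes the deny explicit and keeps the fail-closed behaviour obvious. The role check it repeats (`user.can?("#{verb}_#{self.class.name.underscore}")`) keys on the model's class name, while the controller check in app/controllers/application_controller.rb keys on `noun`; for any model whose class name does not underscore to the controller's noun (namespaced models or STI subclasses, if the app has them) the two checks would look up different permissions, so confirm that is intended or keep only the `owned_by?` fallback here since the controller has already consulted `can?`. The default `owned_by?` returning false is the right deny-by-default. Style: reopening ActiveRecord::Base in an initializer is harder to discover than a concern included by the models, `verb.to_s` inside the interpolation is redundant, and `return false` can be just `false`.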