Merge pull request #11 from tb/kg_roles

Kg roles

Author: tb

Gemfile

@@ -28,6 +28,9 @@ gem 'jsonapi-resources'
 gem 'factory_girl'
 gem 'faker'
 gem 'devise_token_auth'
+gem 'cancan'
+gem 'rolify'
+gem 'pry'
 
 group :development, :test do
   # Call 'byebug' anywhere in the code to stop execution and get a debugger console

Gemfile.lock

@@ -42,6 +42,8 @@ GEM
     bcrypt (3.1.11)
     builder (3.2.3)
     byebug (9.0.6)
+    cancan (1.6.10)
+    coderay (1.1.1)
     concurrent-ruby (1.0.5)
     devise (4.2.0)
       bcrypt (~> 3.0)
@@ -86,6 +88,10 @@ GEM
       mini_portile2 (~> 2.1.0)
     orm_adapter (0.5.0)
     pg (0.20.0)
+    pry (0.10.4)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
+      slop (~> 3.4)
     puma (3.8.2)
     rack (2.0.1)
     rack-cors (0.4.1)
@@ -120,6 +126,7 @@ GEM
       ffi (>= 0.5.0)
     responders (2.3.0)
       railties (>= 4.2.0, < 5.1)
+    rolify (5.1.0)
     rspec-core (3.5.4)
       rspec-support (~> 3.5.0)
     rspec-expectations (3.5.0)
@@ -137,6 +144,7 @@ GEM
       rspec-mocks (~> 3.5.0)
       rspec-support (~> 3.5.0)
     rspec-support (3.5.0)
+    slop (3.6.0)
     spring (2.0.1)
       activesupport (>= 4.2)
     spring-watcher-listen (2.0.1)
@@ -164,16 +172,19 @@ PLATFORMS
 
 DEPENDENCIES
   byebug
+  cancan
   devise_token_auth
   factory_girl
   faker
   foreman
   jsonapi-resources
   listen (~> 3.0.5)
   pg (~> 0.18)
+  pry
   puma (~> 3.0)
   rack-cors
   rails (~> 5.0.2)
+  rolify
   rspec-rails
   spring
   spring-watcher-listen (~> 2.0.0)

app/controllers/application_controller.rb

@@ -2,4 +2,8 @@ class ApplicationController < ActionController::Base
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
   # protect_from_forgery with: :null_session
+  #
+  rescue_from CanCan::AccessDenied do |exception|
+    render json: { message: "You don't have permissions." }, status: :forbidden
+  end
 end

app/controllers/roles_controller.rb

@@ -0,0 +1,2 @@
+class RolesController < AuthorizedController
+end

app/controllers/users_controller.rb

@@ -1,2 +1,3 @@
 class UsersController < AuthorizedController
+  load_and_authorize_resource
 end

app/models/ability.rb

@@ -0,0 +1,15 @@
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    user ||= User.new # guest user (not logged in)
+    if user.is_admin?
+      can :manage, :all
+    else
+      can :manage, Post
+      can :manage, Category
+      can :manage, Comment
+      can :update, User, id: user.id
+    end
+  end
+end

app/models/role.rb

@@ -0,0 +1,13 @@
+class Role < ApplicationRecord
+  has_and_belongs_to_many :users, :join_table => :users_roles
+
+  belongs_to :resource,
+             :polymorphic => true,
+             :optional => true
+
+  validates :resource_type,
+            :inclusion => { :in => Rolify.resource_types },
+            :allow_nil => true
+
+  scopify
+end

app/models/user.rb

@@ -1,9 +1,18 @@
 class User < ActiveRecord::Base
+  rolify
+  has_and_belongs_to_many :roles, :join_table => :users_roles
+
   # Include default devise modules.
   devise :database_authenticatable, :registerable,
           :recoverable, :rememberable, :trackable, :validatable,
           :confirmable
   include DeviseTokenAuth::Concerns::User
 
   scope :email_contains, -> (value) { where('email ILIKE ?', "%#{value.join}%") }
+
+  def token_validation_response
+    self.as_json(except: [
+      :tokens, :created_at, :updated_at
+    ]).merge(roles: self.roles.map(&:name))
+  end
 end

app/resources/role_resource.rb

@@ -0,0 +1,3 @@
+class RoleResource < JSONAPI::Resource
+  attributes :name
+end

app/resources/user_resource.rb

@@ -1,7 +1,18 @@
 class UserResource < JSONAPI::Resource
   extend ModelFilter
-  attributes :email, :confirmed_at, :created_at
+  attributes :email, :confirmed_at, :created_at, :roles
 
   paginator :paged
   model_filters :email_contains
+
+  def roles
+    @model.roles.pluck(:name)
+  end
+
+  def roles=(roles)
+    @model.roles.destroy_all
+    roles.map do |role|
+      @model.add_role role
+    end
+  end
 end