Authorization framework with Action Policy

Gemfile

@@ -164,3 +164,6 @@ gem "gretel", "~> 4.5"
 gem "ransack"
 
 gem "rails-controller-testing"
+
+# Use Action Policy for authorization framework
+gem "action_policy", "~> 0.6.8"

Gemfile.lock

@@ -1,6 +1,8 @@
 GEM
   remote: https://rubygems.org/
   specs:
+    action_policy (0.6.8)
+      ruby-next-core (>= 1.0)
     actioncable (7.0.8.1)
       actionpack (= 7.0.8.1)
       activesupport (= 7.0.8.1)
@@ -380,6 +382,7 @@ GEM
     rubocop-performance (1.18.0)
       rubocop (>= 1.7.0, < 2.0)
       rubocop-ast (>= 0.4.0)
+    ruby-next-core (1.0.0)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     rubyzip (2.3.2)
@@ -470,6 +473,7 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
+  action_policy (~> 0.6.8)
   active_link_to
   active_storage_validations
   acts_as_tenant

app/controllers/adoptable_pets_controller.rb

@@ -1,16 +1,16 @@
 class AdoptablePetsController < Organizations::BaseController
+  skip_verify_authorized only: %i[index]
+
   def index
-    @pets = Pet.includes(:adopter_applications, images_attachments: :blob)
-      .published
-      .where
-      .missing(:match)
+    @pets = authorized_scope(
+      Pet.includes(:adopter_applications, images_attachments: :blob),
+      with: AdoptablePetPolicy
+    )
   end
 
   def show
     @pet = Pet.find(params[:id])
-    unless @pet.published
-      redirect_to adoptable_pets_path, alert: "You can only view published pets."
-    end
+    authorize! @pet, with: AdoptablePetPolicy
 
     if current_user&.adopter_account
       @adoption_application =
@@ -22,9 +22,5 @@ def show
           adopter_account: current_user.adopter_account
         )
     end
-
-    return unless @pet.match
-
-    redirect_to adoptable_pets_path, alert: "You can only view pets that need adoption."
   end
 end

app/controllers/adopter_applications_controller.rb

@@ -1,35 +1,37 @@
 class AdopterApplicationsController < ApplicationController
-  before_action :authenticate_user!, :adopter_with_profile
-  before_action :check_pet_app_status, only: [:create]
+  before_action :authenticate_user!
 
   def index
-    @applications = AdopterApplication.where(adopter_account_id:
-                                             current_user.adopter_account.id)
+    authorize!
+
+    @applications = authorized_scope(AdopterApplication.all)
   end
 
-  # add check if application already exists
   def create
+    @pet = Pet.find(application_params[:pet_id])
+    authorize! context: {pet: @pet}
+
     @application = AdopterApplication.new(application_params)
 
     if @application.save
       redirect_to adoptable_pet_path(@application.pet),
         notice: "Application submitted! #{MessagesHelper.affirmations.sample}"
 
       # mailer
-      @pet = @application.pet
       @org_staff = User.organization_staff(@pet.organization_id)
       StaffApplicationNotificationMailer.with(pet: @pet,
         organization_staff: @org_staff)
         .new_adoption_application.deliver_now
     else
-      redirect_to adoptable_pet_path(@application.pet),
+      redirect_to adoptable_pet_path(@pet),
         alert: "Error. Please try again."
     end
   end
 
   # update :status to 'withdrawn' or :profile_show to false
   def update
     @application = AdopterApplication.find(params[:id])
+    authorize! @application
 
     if @application.update(application_params)
       redirect_to adopter_applications_path
@@ -48,13 +50,4 @@ def application_params
       :profile_show
     )
   end
-
-  def check_pet_app_status
-    pet = Pet.find(params[:adopter_application][:pet_id])
-
-    return if pet.application_paused == false
-
-    redirect_to adoptable_pet_path(params[:adopter_application][:pet_id]),
-      alert: "Applications are paused for this pet"
-  end
 end

app/controllers/adopter_foster_profiles_controller.rb

@@ -1,18 +1,11 @@
 class AdopterFosterProfilesController < ApplicationController
-  # staff and admin cannot create a profile
   before_action :authenticate_user!
-  before_action :check_if_adopter, only: [:new, :create, :update, :show]
+  before_action :authorize!, only: %i[new create]
+  before_action :set_profile, only: %i[show edit update]
 
-  # only allow new profile if one does not exist
-  # belongs_to for location provides new method build_location
-  # https://guides.rubyonrails.org/association_basics.html#the-belongs-to-association
   def new
-    if profile_nil?
-      @adopter_foster_profile = AdopterFosterProfile.new
-      @adopter_foster_profile.build_location
-    else
-      redirect_to profile_path
-    end
+    @adopter_foster_profile = AdopterFosterProfile.new
+    @adopter_foster_profile.build_location
   end
 
   def create
@@ -28,15 +21,12 @@ def create
   end
 
   def show
-    @adopter_foster_profile = current_user.adopter_account.adopter_foster_profile
   end
 
   def edit
-    @adopter_foster_profile = current_user.adopter_account.adopter_foster_profile
   end
 
   def update
-    @adopter_foster_profile = current_user.adopter_account.adopter_foster_profile
     respond_to do |format|
       if @adopter_foster_profile.update(adopter_foster_profile_params)
         format.html { redirect_to profile_path, notice: "Profile updated" }
@@ -48,8 +38,9 @@ def update
 
   private
 
-  def profile_nil?
-    AdopterFosterProfile.where(adopter_account_id: current_user.adopter_account.id)[0].nil?
+  def set_profile
+    @adopter_foster_profile = current_user.adopter_account.adopter_foster_profile
+    authorize! @adopter_foster_profile
   end
 
   def adopter_foster_profile_params

app/controllers/application_controller.rb

@@ -1,4 +1,6 @@
 class ApplicationController < ActionController::Base
+  verify_authorized unless: :devise_controller?
+
   before_action :set_current_user
   around_action :switch_locale
 
@@ -11,37 +13,9 @@ def switch_locale(&action)
     I18n.with_locale(locale, &action)
   end
 
-  private
-
-  def adopter_with_profile
-    return if current_user.adopter_account&.adopter_foster_profile
-
-    redirect_to root_path, alert: "Unauthorized action."
-  end
-
-  def check_if_adopter
-    return if current_user.adopter_account
-
-    redirect_to root_path, alert: "Profiles are for adopters only"
-  end
-
-  def active_staff
-    return if user_signed_in? &&
-      current_user.staff_account &&
-      !current_user.staff_account.deactivated?
-
-    redirect_to root_path, alert: "Unauthorized action."
-  end
-
-  def pet_in_same_organization?(org_id)
-    current_user.staff_account.organization_id == org_id
-  end
-
-  def require_organization_admin
-    return if user_signed_in? &&
-      current_user.staff_account &&
-      current_user.staff_account.has_role?(:admin, current_user.staff_account.organization)
+  rescue_from ActionPolicy::Unauthorized do |ex|
+    flash[:alert] = "You are not authorized to perform this action."
 
-    redirect_to root_path, alert: "Unauthorized action."
+    redirect_back fallback_location: root_path
   end
 end

app/controllers/attachments_controller.rb

@@ -1,8 +1,8 @@
 class AttachmentsController < ApplicationController
-  before_action :active_staff
-
   def purge
     @attachment = ActiveStorage::Attachment.find(params[:id])
+    authorize! @attachment
+
     @attachment.purge
     redirect_to request.referrer, notice: "Attachment removed"
   end

app/controllers/concerns/organization_scopable.rb

@@ -15,20 +15,17 @@ def set_tenant
   end
 
   def after_sign_in_path_for(resource_or_scope)
-    if resource_or_scope.staff_account&.deactivated?
-      adoptable_pets_path
-    else
+    if allowed_to?(
+      :index?, Pet, namespace: Organizations,
+      context: {organization: Current.organization}
+    )
       pets_path
+    else
+      adoptable_pets_path
     end
   end
 
   def after_sign_out_path_for(resource_or_scope)
     adoptable_pets_path
   end
-
-  def verify_organization_for_current_user
-    if current_user.blank? || current_user.organization.id != ActsAsTenant.current_tenant.id
-      redirect_to root_path, alert: "Wrong organization."
-    end
-  end
 end

app/controllers/contacts_controller.rb

@@ -1,4 +1,6 @@
 class ContactsController < ApplicationController
+  skip_verify_authorized only: %i[new create]
+
   def new
     @contact = Contact.new
   end

app/controllers/donations_controller.rb

@@ -1,4 +1,6 @@
 class DonationsController < ApplicationController
+  skip_verify_authorized only: %i[create]
+
   def create
     @mapped_response = PaypalResponseMapper.new(params) if params[:source] == "Paypal"
 

app/controllers/errors_controller.rb

@@ -1,4 +1,6 @@
 class ErrorsController < ApplicationController
+  skip_verify_authorized
+
   def not_found
     render status: 404
   end

app/controllers/matches_controller.rb

@@ -1,10 +1,10 @@
 class MatchesController < ApplicationController
-  before_action :active_staff, :same_organization?
-
   before_action :set_pet, only: %i[create]
   before_action :set_match, only: %i[destroy]
 
   def create
+    authorize! context: {organization: @pet.organization}
+
     @match = Match.new(match_params.merge(
       organization_id: @pet.organization_id
     ))
@@ -40,18 +40,6 @@ def set_pet
 
   def set_match
     @match = Match.find(params[:id])
-  end
-
-  def get_pet_id
-    return match_params[:pet_id] if match_params[:pet_id]
-
-    Match.find(params[:id]).pet_id
-  end
-
-  # staff and pet in the same org?
-  def same_organization?
-    return if current_user.staff_account.organization_id == Pet.find(get_pet_id).organization.id
-
-    redirect_to root_path, alert: "Unauthorized action."
+    authorize! @match
   end
 end

app/controllers/organizations/adoption_application_reviews_controller.rb

@@ -1,9 +1,15 @@
 class Organizations::AdoptionApplicationReviewsController < Organizations::BaseController
-  before_action :active_staff
+  before_action :set_adopter_application, only: %i[edit update]
+
   layout "dashboard"
 
   def index
-    @q = Pet.org_pets_with_apps(current_user.staff_account.organization_id).ransack(params[:q])
+    authorize! AdopterApplication,
+      context: {organization: current_user.organization}
+
+    @q = authorized_scope(
+      Pet.org_pets_with_apps(current_user.staff_account.organization_id)
+    ).ransack(params[:q])
     @pets_with_applications = @q.result.includes(:adopter_applications)
     @pet = selected_pet
 
@@ -14,32 +20,17 @@ def index
     end
   end
 
-  def filter_by_application_status(pets_relation, status_filter)
-    pets_relation.joins(:adopter_applications).where(adopter_applications: {status: status_filter})
-  end
-
   def edit
-    @application = AdopterApplication.find(params[:id])
-
-    return if pet_in_same_organization?(@application.pet.organization_id)
-
-    redirect_to dashboard_index_path,
-      alert: 'Staff can only edit applications for their organization
-                        pets.'
   end
 
   def update
-    @application = AdopterApplication.find(params[:id])
     @applications_tab = request.referrer.include?("applications") # Change table display in pets/applications tab
 
-    if pet_in_same_organization?(@application.pet.organization_id) &&
-        @application.update(application_params)
-      respond_to do |format|
+    respond_to do |format|
+      if @application.update(application_params)
         format.html { redirect_to dashboard_index_path }
         format.turbo_stream { flash.now[:notice] = "Application was successfully updated." }
-      end
-    else
-      respond_to do |format|
+      else
         format.html { render :edit, status: :unprocessable_entity }
         format.turbo_stream { flash.now[:alert] = "Error updating application" }
       end
@@ -52,10 +43,19 @@ def application_params
     params.require(:adopter_application).permit(:status, :notes, :profile_show)
   end
 
+  def set_adopter_application
+    @application = AdopterApplication.find(params[:id])
+    authorize! @application
+  end
+
   # use where to return a relation for the view
   def selected_pet
     return if !params[:pet_id] || params[:pet_id] == ""
 
     Pet.where(id: params[:pet_id])
   end
+
+  def filter_by_application_status(pets_relation, status_filter)
+    pets_relation.joins(:adopter_applications).where(adopter_applications: {status: status_filter})
+  end
 end