From 3dbae4917c7955c60944df72a6ce2c9c9d4bd95d Mon Sep 17 00:00:00 2001
From: Elia Schito
Date: Wed, 20 Sep 2023 15:50:42 +0200
Subject: [PATCH] Move authorization checks outside of the backend "auth" adapter

Those are not dependent on the authentication system.
---
 .../solidus_admin/accounts_controller.rb | 2 ++
 .../authentication_adapters/backend.rb | 15 ++--------
 .../solidus_admin/base_controller.rb | 1 +
 .../controller_helpers/authorization.rb | 29 +++++++++++++++++++
 4 files changed, 34 insertions(+), 13 deletions(-)
 create mode 100644 admin/app/controllers/solidus_admin/controller_helpers/authorization.rb

diff --git a/admin/app/controllers/solidus_admin/accounts_controller.rb b/admin/app/controllers/solidus_admin/accounts_controller.rb
index cd3ddaa884f..b43f84c08b2 100644
--- a/admin/app/controllers/solidus_admin/accounts_controller.rb
+++ b/admin/app/controllers/solidus_admin/accounts_controller.rb
@@ -2,6 +2,8 @@
 module SolidusAdmin
   class AccountsController < SolidusAdmin::BaseController
+    skip_before_action :authorize_solidus_admin_user!
+
     def show
       redirect_to spree.edit_admin_user_path(current_solidus_admin_user)
     end
diff --git a/admin/app/controllers/solidus_admin/authentication_adapters/backend.rb b/admin/app/controllers/solidus_admin/authentication_adapters/backend.rb
index d59d889bf72..02234657433 100644
--- a/admin/app/controllers/solidus_admin/authentication_adapters/backend.rb
+++ b/admin/app/controllers/solidus_admin/authentication_adapters/backend.rb
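Review bot: `skip_before_action :authorize_solidus_admin_user!` disables authorization for every action of AccountsController, while the only visible action, `show`, merely redirects to the current user's own edit page. Scoping the skip keeps any action added to this controller later under the default check: `skip_before_action :authorize_solidus_admin_user!, only: :show`. A short comment on why the skip is safe would help as well, e.g. `# show only redirects to the current user's own record; there is no model to authorize against`. Whether authentication still runs for this controller depends on the Authentication helper, which is outside this hunk.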
@@ -11,20 +11,9 @@ module SolidusAdmin::AuthenticationAdapters::Backend
   private

   def authenticate_solidus_backend_user!
-    if respond_to?(:model_class, true) && model_class
-      record = model_class
-    else
-      record = controller_name.to_sym
-    end
-    authorize! :admin, record
-    authorize! action_name.to_sym, record
-  rescue CanCan::AccessDenied
-    instance_exec(&Spree::Admin::BaseController.unauthorized_redirect)
-  end
+    return if spree_current_user

-  # Needs to be overriden so that we use Spree's Ability rather than anyone else's.
-  def current_ability
-    @current_ability ||= Spree::Ability.new(spree_current_user)
+    instance_exec(&Spree::Admin::BaseController.unauthorized_redirect)
   end

   def store_location
diff --git a/admin/app/controllers/solidus_admin/base_controller.rb b/admin/app/controllers/solidus_admin/base_controller.rb
index 10c4c9eb592..457bc8243be 100644
--- a/admin/app/controllers/solidus_admin/base_controller.rb
+++ b/admin/app/controllers/solidus_admin/base_controller.rb
@@ -9,6 +9,7 @@ class BaseController < ApplicationController
   include GearedPagination::Controller
   include SolidusAdmin::ControllerHelpers::Authentication
+  include SolidusAdmin::ControllerHelpers::Authorization
   include SolidusAdmin::ControllerHelpers::Locale
   include SolidusAdmin::ComponentsHelper
   include SolidusAdmin::AuthenticationAdapters::Backend if defined?(Spree::Backend)
diff --git a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
new file mode 100644
index 00000000000..c0a1d970dce
--- /dev/null
+++ b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
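Review bot: The `rescue CanCan::AccessDenied` removed here is not reinstated anywhere in the patch: the new `authorize_solidus_admin_user!` in the authorization.rb hunk calls `authorize!` without any rescue, so an authenticated but unauthorized user now raises instead of receiving `Spree::Admin::BaseController.unauthorized_redirect`, unless a `rescue_from CanCan::AccessDenied` already exists elsewhere in these controllers (not visible here). Since the redirect target is backend-specific, this adapter looks like the right place to restore it, for instance a `rescue_from CanCan::AccessDenied` in the adapter's `included` block that runs `instance_exec(&Spree::Admin::BaseController.unauthorized_redirect)`. The enclosing module and its `included` block start outside this hunk.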
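Review bot: The position of `include SolidusAdmin::ControllerHelpers::Authorization` is load-bearing: the concern registers `before_action :authorize_solidus_admin_user!` on inclusion, and that callback builds `Spree::Ability` from `current_solidus_admin_user`, so it has to run after whatever callbacks the Authentication helper above it registers. Nothing in the file says so; a one-line comment would guard against a later reorder, e.g. `# Order matters: the authorization callback must run after the authentication ones`. How `AuthenticationAdapters::Backend`, included further down, fits into that order is outside this hunk.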
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module SolidusAdmin::ControllerHelpers::Authorization
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :authorize_solidus_admin_user!
+  end
+
+  private
+
+  def current_ability
+    @current_ability ||= Spree::Ability.new(current_solidus_admin_user)
+  end
+
+  def authorize_solidus_admin_user!
+    subject = authorization_subject
+
+    authorize! :admin, subject
+    authorize! action_name, subject
+  end
+
+  def authorization_subject
+    "Spree::#{controller_name.classify}".constantize
+  rescue NameError
+    raise NotImplementedError, "Couldn't infer the model class from the controller name, " \
+      "please implement `#{self.class}#authorization_subject`."
+  end
+end
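Review bot: `authorize! action_name, subject` passes `action_name` as a String, whereas the adapter code this replaces used `action_name.to_sym`. As far as I recall CanCan matches an action against a rule's expanded action list with `include?`, and rules and aliases (`:read` covering `:index`/`:show`) are declared with symbols, so a String `"index"` would only pass for `:manage` abilities and role-scoped admins would be denied — a fail-closed regression rather than a hole, but still a behaviour change the commit does not mention. Restoring the symbol keeps the old adapter's semantics: `authorize! action_name.to_sym, subject`. The `rescue NameError` in `authorization_subject` deliberately turns a controller without a matching Spree model into a `NotImplementedError`, which fails closed; a comment stating that intent, e.g. `# Fail closed: a controller with no matching Spree model must declare its own subject`, would keep a future maintainer from softening it to a fallback.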