Lock down the controllers

Gemfile

@@ -53,7 +53,7 @@ gem 'kaminari', '~> 0.16.1'
 gem 'ransack', '~> 1.3.0'
 
 # for rights
-gem 'cancan', '~> 1.6.10'
+gem 'cancancan', '~> 1.9.2'
 
 # for login
 gem 'devise', '~> 3.3.0'
@@ -135,6 +135,9 @@ group :development, :test do
 
   # faster dev load time
   gem 'unicorn'
+
+  # for opening browser automatically
+  gem 'launchy', '~> 2.4.3'
 end
 
 group :development do

Gemfile.lock

@@ -29,6 +29,7 @@ GEM
       minitest (~> 5.1)
       thread_safe (~> 0.1)
       tzinfo (~> 1.1)
+    addressable (2.3.6)
     arel (5.0.1.20140414130214)
     ast (2.0.0)
     astrolabe (1.3.0)
@@ -64,7 +65,7 @@ GEM
     bundler-audit (0.3.1)
       bundler (~> 1.2)
       thor (~> 0.18)
-    cancan (1.6.10)
+    cancancan (1.9.2)
     capybara (2.4.3)
       mime-types (>= 1.16)
       nokogiri (>= 1.3.3)
@@ -161,6 +162,8 @@ GEM
       actionpack (>= 3.0.0)
       activesupport (>= 3.0.0)
     kgio (2.9.2)
+    launchy (2.4.3)
+      addressable (~> 2.3)
     libv8 (3.16.14.7)
     libxml-ruby (2.7.0)
     listen (2.7.11)
@@ -376,7 +379,7 @@ DEPENDENCIES
   brakeman (~> 2.6.2)
   bullet (~> 4.14.0)
   bundler-audit
-  cancan (~> 1.6.10)
+  cancancan (~> 1.9.2)
   capybara (~> 2.4.1)
   coffee-rails (~> 4.0.0)
   daemons
@@ -395,6 +398,7 @@ DEPENDENCIES
   jbuilder (~> 2.0)
   jquery-rails
   kaminari (~> 0.16.1)
+  launchy (~> 2.4.3)
   mina (~> 0.3.1)
   nokogiri (~> 1.6.2.1)
   nprogress-rails (~> 0.1.3.1)

app/controllers/admin/contacts_controller.rb

@@ -1,4 +1,5 @@
 class Admin::ContactsController < AdminController
+  load_and_authorize_resource
   before_action :set_contact, only: [:show]
 
   def index

app/controllers/admin/dashboards_controller.rb

@@ -0,0 +1,5 @@
+class Admin::DashboardsController < AdminController
+  authorize_resource class: false
+
+  def show; end
+end

app/controllers/admin/delayed_jobs_controller.rb

@@ -1,4 +1,6 @@
 class Admin::DelayedJobsController < AdminController
+  authorize_resource class: false
+
   def index
     @jobs = Delayed::Job.all
   end

app/controllers/admin/domain_versions_controller.rb

@@ -1,4 +1,6 @@
 class Admin::DomainVersionsController < AdminController
+  load_and_authorize_resource
+
   def index
     @q = DomainVersion.deleted.search(params[:q])
     @domains = @q.result.page(params[:page])

app/controllers/admin/domains_controller.rb

@@ -1,4 +1,5 @@
 class Admin::DomainsController < AdminController
+  load_and_authorize_resource
   before_action :set_domain, only: [:show, :edit, :update, :zonefile]
 
   def index

app/controllers/admin/epp_users_controller.rb

@@ -1,4 +1,5 @@
 class Admin::EppUsersController < AdminController
+  load_and_authorize_resource
   before_action :set_epp_user, only: [:show, :edit, :update, :destroy]
 
   def index

app/controllers/admin/registrars_controller.rb

@@ -1,4 +1,5 @@
 class Admin::RegistrarsController < AdminController
+  load_and_authorize_resource
   before_action :set_registrar, only: [:show, :edit, :update, :destroy]
   def search
     render json: Registrar.search_by_query(params[:q])

app/controllers/admin/settings_controller.rb

@@ -1,4 +1,5 @@
 class Admin::SettingsController < AdminController
+  load_and_authorize_resource
   before_action :set_setting_group, only: [:show, :update]
 
   def index

app/controllers/admin/users_controller.rb

@@ -1,4 +1,5 @@
 class Admin::UsersController < AdminController
+  load_and_authorize_resource
   before_action :set_user, only: [:show, :edit, :update, :destroy]
 
   def index
@@ -54,6 +55,6 @@ class Admin::UsersController < AdminController
 
   def user_params
     params.require(:user).permit(:username, :password, :identity_code, :email,
-                                 :admin, :country_id)
+                                 :role_id, :country_id)
   end
 end

app/controllers/admin/zonefile_settings_controller.rb

@@ -1,4 +1,5 @@
 class Admin::ZonefileSettingsController < ApplicationController
+  load_and_authorize_resource
   before_action :set_zonefile_setting, only: [:update, :edit]
   def index
     @zonefile_settings = ZonefileSetting.all

app/controllers/admin/zonefiles_controller.rb

@@ -1,8 +1,7 @@
 class Admin::ZonefilesController < ApplicationController
+  authorize_resource class: false
   # TODO: Refactor this
   # rubocop:disable Metrics/MethodLength
-  def index
-  end
 
   def create
     if ZonefileSetting.pluck(:origin).include?(params[:origin])

app/controllers/admin_controller.rb

@@ -1,7 +1,3 @@
 class AdminController < ApplicationController
-  # before_action :verify_admin
+  check_authorization
-
-  def verify_admin
-    redirect_to client_root_path unless current_user.try(:admin?)
-  end
 end

app/controllers/application_controller.rb

@@ -14,3 +14,9 @@ class ApplicationController < ActionController::Base
     admin_root_path
   end
 end
+
+class ApplicationController < ActionController::Base
+  rescue_from CanCan::AccessDenied do |exception|
+    redirect_to admin_dashboard_path, alert: exception.message
+  end
+end

app/controllers/sessions_controller.rb

@@ -8,8 +8,6 @@ class SessionsController < Devise::SessionsController
 
     return redirect_to :back, alert: 'No user' if @user.blank?
 
-    session[:current_user_registrar_id] = Registrar.first.id if @user.admin?
-
     flash[:notice] = I18n.t('shared.welcome')
     sign_in_and_redirect @user, event: :authentication
     # end
@@ -18,10 +16,4 @@ class SessionsController < Devise::SessionsController
   def login
     render 'layouts/login', layout: false
   end
-
-  def switch_registrar
-    authorize! :switch, :registrar
-    session[:current_user_registrar_id] = params[:registrar_id]
-    redirect_to client_root_path
-  end
 end

app/models/ability.rb

@@ -8,38 +8,33 @@ class Ability
 
     user ||= User.new
 
-    if Rails.env.production?
+    admin_role = (user.role.try(:code) == 'admin')
-      case REGISTRY_ENV
+    user_role = (user.role.try(:code) == 'user')
-      when :eedirekt
+    customer_service_role = (user.role.try(:code) == 'customer_service')
-        can :view, :eedirekt
+    no_role = user.role.nil?
-        can :create, :session
+
-        admin = false
+    if admin_role
-      when :registrar
+      can :manage, Domain
-        can :view, :registrar
+      can :manage, Contact
-        can :create, :session
+      can :manage, Registrar
-        admin = false
+      can :manage, Setting
-      when :admin
+      can :manage, ZonefileSetting
-        can :create, :admin_session
+      can :manage, DomainVersion
-        admin = user.admin?
+      can :manage, User
-      end
+      can :manage, EppUser
-    else
+      can :index, :delayed_job
-      can :create, :session
+      can :create, :zonefile
-      can :create, :admin_session
+      can :access, :settings_menu
-      admin = user.admin?
+    elsif customer_service_role
+      can :manage, Domain
+      can :manage, Contact
+      can :manage, Registrar
+    elsif user_role
+    elsif no_role
+      can :show, :dashboard
     end
 
-    if admin
+    can :show, :dashboard if user.persisted?
-      can :manage, Domain
-      can :switch, :registrar
-      can :crud, DomainTransfer
-      can :approve_as_client, DomainTransfer, status: DomainTransfer::PENDING
-    elsif user.persisted?
-      can :manage, Domain, registrar_id: user.registrar.id
-      can :read, DomainTransfer, transfer_to_id: user.registrar.id
-      can :read, DomainTransfer, transfer_from_id: user.registrar.id
-      can :approve_as_client, DomainTransfer, 
-          transfer_from_id: user.registrar.id, status: DomainTransfer::PENDING
-    end
 
     # Define abilities for the passed in user here. For example:
     #

app/models/role.rb

@@ -3,4 +3,10 @@ class Role < ActiveRecord::Base
   # rubocop: disable Rails/HasAndBelongsToMany
   has_and_belongs_to_many :rights
   # rubocop: enbale Rails/HasAndBelongsToMany
+
+  validates :code, uniqueness: true
+
+  def to_s
+    code
+  end
 end

app/views/admin/domains/index.haml

@@ -33,7 +33,7 @@
           - @domains.each do |x|
             %tr
               %td= link_to(x, admin_domain_path(x))
-              %td= link_to(x.registrar, root_path) if x.registrar
+              %td= link_to(x.registrar, admin_registrar_path(x.registrar)) if x.registrar
               %td= link_to(x.owner_contact, [:admin, x.owner_contact])
               %td= l(x.valid_to, format: :short)
 .row

app/views/admin/users/_form.haml

@@ -21,15 +21,14 @@
         = f.label :identity_code
         = f.text_field(:identity_code, class: 'form-control')
 
-    .col-md-6.text-left
+    .col-md-6
       .form-group
         = f.label :email
         = f.text_field(:email, class: 'form-control')
       .form-group
-        .checkbox
+        = f.label :role_id
-          %label{for: 'user_admin'}
+        = f.select(:role_id, Role.all.map {|x| [t(x.code), x.id] }, {}, { class: 'form-control selectize' })
-            = f.check_box(:admin, class: 'js-admin')
+
-            = t('shared.admin')
   %hr
   .row
     .col-md-12.text-right

app/views/admin/users/index.haml

@@ -18,14 +18,17 @@
             %th{class: 'col-xs-2'}
               = sort_link(@q, 'identity_code', t('shared.identity_code'))
             %th{class: 'col-xs-2'}
-              = sort_link(@q, 'admin', t('shared.admin'))
+              = sort_link(@q, 'role', t('role'))
         %tbody
           - @users.each do |x|
             %tr
               %td= link_to(x, [:admin, x])
               %td= x.email
               %td= x.identity_code
-              %td= x.admin
+              - if x.role
+                %td= t(x.role)
+              - else
+                %td
 .row
   .col-md-12
     = paginate @users

app/views/admin/users/show.haml

@@ -39,5 +39,8 @@
           %dt= t('shared.email')
           %dd= @user.email
 
-          %dt= t('shared.admin')
+          %dt= t('role')
-          %dd= @user.admin
+          - if @user.role
+            %dd= t(@user.role)
+          - else
+            %dd

app/views/admin/zonefiles/index.haml

@@ -1,9 +0,0 @@
-.row
-  .col-sm-12
-    %h2.text-center-xs
-      = "#{t('zonefile')}"
-%hr
-.row
-  .col-md-12
-    = preserve do
-      %pre= @zonefile

app/views/layouts/application.haml

@@ -26,6 +26,7 @@
             %li= link_to t('shared.domains'), admin_domains_path
             %li= link_to t('shared.contacts'), admin_contacts_path
             %li= link_to t('shared.registrars'), admin_registrars_path
+            - if can?(:access, :settings_menu)
               %li.dropdown
                 %a.dropdown-toggle{"data-toggle" => "dropdown", href: "#"}
                   = t('shared.settings')

app/views/layouts/login.haml

@@ -21,7 +21,6 @@
         %h2.form-signin-heading.text-center Eesti Interneti SA
         %hr
         / TODO: Refactor this when ID card login is done
-        - if can? :create, :admin_session
         = button_to 'ID card (user1)', 'sessions',
           class: 'btn btn-lg btn-primary btn-block', name: 'user1'
         = button_to 'ID card (user2)', 'sessions',

config/locales/en.yml

@@ -439,3 +439,7 @@ en:
   domains_history: Domains history
   admin_users: Admin users
   epp_users: EPP users
+  role: 'Role'
+  admin: 'Administrator'
+  user: 'User'
+  customer_service: 'Customer service'

config/routes.rb

@@ -31,6 +31,8 @@ Rails.application.routes.draw do
 
     resources :delayed_jobs
 
+    resource :dashboard
+
     root 'domains#index'
 
   end

db/migrate/20141218154829_populate_roles.rb

@@ -0,0 +1,12 @@
+class PopulateRoles < ActiveRecord::Migration
+  def change
+    rename_column :roles, :name, :code
+    remove_column :users, :admin, :boolean
+
+    Role.create(code: 'admin')
+    Role.create(code: 'user')
+    Role.create(code: 'customer_service')
+
+    User.update_all(role_id: Role.first.id)
+  end
+end

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20141216133831) do
+ActiveRecord::Schema.define(version: 20141218154829) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -296,7 +296,7 @@ ActiveRecord::Schema.define(version: 20141216133831) do
   end
 
   create_table "roles", force: true do |t|
-    t.string   "name"
+    t.string   "code"
     t.datetime "created_at"
     t.datetime "updated_at"
   end
@@ -324,7 +324,6 @@ ActiveRecord::Schema.define(version: 20141216133831) do
     t.datetime "last_sign_in_at"
     t.inet     "current_sign_in_ip"
     t.inet     "last_sign_in_ip"
-    t.boolean  "admin",              default: false
     t.string   "identity_code"
     t.integer  "country_id"
   end

spec/fabricators/role_fabricator.rb

@@ -0,0 +1,3 @@
+Fabricator(:role) do
+  code 'admin'
+end

spec/fabricators/user_fabricator.rb

@@ -3,6 +3,6 @@ Fabricator(:user) do
   password 'ghyt9e4fu'
   email 'info@gitlab.eu'
   identity_code '37810013108'
-  admin true
   country
+  role
 end

spec/features/sessions_spec.rb

@@ -6,8 +6,7 @@ feature 'Sessions', type: :feature do
 
   background do
     create_settings
-    Fabricate(:user, identity_code: '37810013261')
+    Fabricate(:user, username: 'zone', identity_code: '37810013087')
-    Fabricate(:user, username: 'zone', admin: false, identity_code: '37810013087')
     Fabricate.times(2, :domain, registrar: zone)
     Fabricate.times(2, :domain, registrar: elkdata)
   end

spec/features/setting_management_spec.rb

@@ -1,14 +1,13 @@
 require 'rails_helper'
 
 feature 'Setting management', type: :feature do
-  let(:user) { Fabricate(:user, username: 'user1', admin: true, identity_code: '37810013087') }
+  let(:user) { Fabricate(:user, username: 'user1', identity_code: '37810013087') }
 
   background { create_settings }
 
   scenario 'User changes a setting' do
     sign_in user
     visit admin_settings_path
-
     val_min = find_field('_settings_ns_min_count').value
     val_max = find_field('_settings_ns_max_count').value
 

spec/models/user_spec.rb

@@ -1,5 +1,43 @@
 require 'rails_helper'
+require 'cancan/matchers'
 
 describe User do
   it { should belong_to(:role) }
+
+  describe 'abilities' do
+    subject(:ability) { Ability.new(user) }
+    let(:user) { nil }
+
+    context 'when user is admin' do
+      let(:user) { Fabricate(:user) }
+
+      it { should be_able_to(:manage, Domain.new) }
+      it { should be_able_to(:manage, Contact.new) }
+      it { should be_able_to(:manage, Registrar.new) }
+      it { should be_able_to(:manage, Setting.new) }
+      it { should be_able_to(:manage, ZonefileSetting.new) }
+      it { should be_able_to(:manage, DomainVersion.new) }
+      it { should be_able_to(:manage, User.new) }
+      it { should be_able_to(:manage, EppUser.new) }
+      it { should be_able_to(:index, :delayed_job) }
+      it { should be_able_to(:create, :zonefile) }
+      it { should be_able_to(:access, :settings_menu) }
+    end
+
+    context 'when user is customer service' do
+      let(:user) { Fabricate(:user, role: Role.new(code: 'customer_service')) }
+
+      it { should be_able_to(:manage, Domain.new) }
+      it { should be_able_to(:manage, Contact.new) }
+      it { should be_able_to(:manage, Registrar.new) }
+      it { should_not be_able_to(:manage, Setting.new) }
+      it { should_not be_able_to(:manage, ZonefileSetting.new) }
+      it { should_not be_able_to(:manage, DomainVersion.new) }
+      it { should_not be_able_to(:manage, User.new) }
+      it { should_not be_able_to(:manage, EppUser.new) }
+      it { should_not be_able_to(:index, :delayed_job) }
+      it { should_not be_able_to(:create, :zonefile) }
+      it { should_not be_able_to(:access, :settings_menu) }
+    end
+  end
 end

spec/support/feature.rb

@@ -1,7 +1,7 @@
 module Feature
   def sign_in(user)
     visit '/logout'
-    click_on 'ID card (gitlab)' if user.username == 'gitlab'
+    click_on 'ID card (user1)' if user.username == 'user1'
   end
 end