
Refactor permissions to use Pundit for all controlled actions #4741


Refactor permissions to use Pundit for all controlled actions #4741

martinemde opened this issue May 24, 2024 · 0 comments
martinemde commented May 24, 2024

As a developer, when I want to do something like "only an organization owner can change the owner of a gem that is also owned by an organization", it's currently quite complex.

In owners_controller, right now we authorize ownership changes like this:

```ruby
  # Every action except confirm/resend_confirmation is gated by the same
  # predicate, regardless of what the action does.
  before_action :render_forbidden, unless: :owner?, except: %i[confirm resend_confirmation]

  def owner?
    @rubygem.owned_by?(current_user)
  end
```

The problem is that this doesn't have any context about what action is happening. Is this adding ownership or removing or just viewing ownerships?

Using pundit (which is already added and used for Avo) we would need to change this so it authorizes creating, destroying or indexing ownerships.

List of controllers needing policies:

  • Owners
  • Rubygems
  • Versions
  • TrustedPublishers
  • ApiKeys
  • WebHooks

... Add more as needed

Note: We should continue to reserve admin related actions to avo_action?. An admin should not be allowed to, e.g. yank or add an owner outside of Avo.
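The per-action policy the issue proposes, as an added example that is not code from the issue or from rubygems.org. Pundit policies are plain Ruby objects (`initialize(user, record)` plus one predicate per controller action), so the policy class below is shaped exactly as Pundit would call it but runs without the pundit gem. `User`, `Rubygem` and `Ownership` are constructed stand-ins for the real models, the `organization` / `owned_organizations` attributes are assumptions made to model the "organization owner" rule from the opening paragraph, and `authorize` is a stand-in for Pundit's controller helper. The `admin` flag is present only to show that the policy never consults it.

```ruby
# Added example (not rubygems.org code): a Pundit-style OwnershipPolicy that
# gives ownership changes per-action context instead of one owner? check.
# User/Rubygem/Ownership are constructed stand-ins for the real models;
# organization / owned_organizations are assumptions for the example.
User = Struct.new(:handle, :admin, :owned_organizations, keyword_init: true)
Rubygem = Struct.new(:name, :owners, :organization, keyword_init: true) do
  def owned_by?(user)
    owners.include?(user)
  end
end
# The record handed to the policy: the gem plus the owner being added or
# removed (nil for index).
Ownership = Struct.new(:rubygem, :user, keyword_init: true)

class NotAuthorizedError < StandardError; end

class OwnershipPolicy
  def initialize(user, ownership)
    @user = user
    @rubygem = ownership.rubygem
    @ownership = ownership
  end

  # GET owners: any confirmed owner may list the owners.
  def index?
    owner?
  end

  # POST owners: add an owner. For an organization-owned gem only an owner
  # of that organization may change ownership (assumed rule).
  def create?
    owner? && org_change_allowed?
  end

  # DELETE owners/:handle: remove an owner, same rule as create?.
  def destroy?
    owner? && org_change_allowed?
  end

  private

  # Deliberately never consults user.admin: admin actions stay in Avo.
  def owner?
    @rubygem.owned_by?(@user)
  end

  def org_change_allowed?
    org = @rubygem.organization
    org.nil? || @user.owned_organizations.include?(org)
  end
end

# Stand-in for Pundit's `authorize` controller helper (assumption: mirrors
# Pundit.authorize, which raises Pundit::NotAuthorizedError when the
# predicate is false). Pundit derives the query name from the action.
def authorize(user, ownership, query)
  policy = OwnershipPolicy.new(user, ownership)
  raise NotAuthorizedError, "not allowed to #{query} ownership" unless policy.public_send(query)
  ownership
end

# Constructed sample data.
ALICE = User.new(handle: "alice", admin: false, owned_organizations: ["acme"])
BOB   = User.new(handle: "bob",   admin: false, owned_organizations: [])
ADMIN = User.new(handle: "admin", admin: true,  owned_organizations: [])
PLAIN_GEM = Rubygem.new(name: "plain",  owners: [ALICE, BOB], organization: nil)
ORG_GEM   = Rubygem.new(name: "orggem", owners: [ALICE, BOB], organization: "acme")

if __FILE__ == $PROGRAM_NAME
  # bob owns orggem, so listing owners is fine...
  puts authorize(BOB, Ownership.new(rubygem: ORG_GEM, user: nil), :index?).rubygem.name
  # ...but he does not own the "acme" organization, so adding an owner is not.
  begin
    authorize(BOB, Ownership.new(rubygem: ORG_GEM, user: ADMIN), :create?)
  rescue NotAuthorizedError => e
    puts e.message
  end
end
```

In a controller the calls would be `authorize Ownership.new(rubygem: @rubygem, user: target), :create?` and so on, one per action, which is what lets a rule like the organization check land in `create?`/`destroy?` without touching `index?`.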
