Move authorization checks outside of the backend "auth" adapter

Those are not dependent on the authentication system.
solidusio · Sep 27, 2023 · 673deb7 · 673deb7
1 parent 09ed961
commit 673deb7
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 13 deletions.
diff --git a/admin/app/controllers/solidus_admin/accounts_controller.rb b/admin/app/controllers/solidus_admin/accounts_controller.rb
@@ -2,6 +2,8 @@
 
 module SolidusAdmin
  class AccountsController < SolidusAdmin::BaseController
+ skip_before_action :authorize_solidus_admin_user!
+
  def show
  redirect_to spree.edit_admin_user_path(current_solidus_admin_user)
  end

diff --git a/admin/app/controllers/solidus_admin/authentication_adapters/backend.rb b/admin/app/controllers/solidus_admin/authentication_adapters/backend.rb
@@ -11,20 +11,9 @@ module SolidusAdmin::AuthenticationAdapters::Backend
  private
 
  def authenticate_solidus_backend_user!
- if respond_to?(:model_class, true) && model_class
- record = model_class
- else
- record = controller_name.to_sym
- end
- authorize! :admin, record
- authorize! action_name.to_sym, record
- rescue CanCan::AccessDenied
- instance_exec(&Spree::Admin::BaseController.unauthorized_redirect)
- end
+ return if spree_current_user
 
- # Needs to be overriden so that we use Spree's Ability rather than anyone else's.
- def current_ability
- @current_ability ||= Spree::Ability.new(spree_current_user)
+ instance_exec(&Spree::Admin::BaseController.unauthorized_redirect)
  end
 
  def store_location

diff --git a/admin/app/controllers/solidus_admin/base_controller.rb b/admin/app/controllers/solidus_admin/base_controller.rb
@@ -9,6 +9,7 @@ class BaseController < ApplicationController
  include GearedPagination::Controller
 
  include SolidusAdmin::ControllerHelpers::Authentication
+ include SolidusAdmin::ControllerHelpers::Authorization
  include SolidusAdmin::ControllerHelpers::Locale
  include SolidusAdmin::ComponentsHelper
  include SolidusAdmin::AuthenticationAdapters::Backend if defined?(Spree::Backend)

diff --git a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module SolidusAdmin::ControllerHelpers::Authorization
+ extend ActiveSupport::Concern
+
+ included do
+ before_action :authorize_solidus_admin_user!
+ end
+
+ private
+
+ def current_ability
+ @current_ability ||= Spree::Ability.new(current_solidus_admin_user)
+ end
+
+ def authorize_solidus_admin_user!
+ subject = authorization_subject
+
+ authorize! :admin, subject
+ authorize! action_name, subject
+ end
+
+ def authorization_subject
+ "Spree::#{controller_name.classify}".constantize
+ rescue NameError
+ raise NotImplementedError, "Couldn't infer the model class from the controller name, " \
+ "please implement `#{self.class}#authorization_subject`."
+ end
+end