Merge pull request #289 from tosdr/sec/access-modification

[sec] adding  a test for curator status

Author: Christopher Talib

app/controllers/points_controller.rb

@@ -1,5 +1,6 @@
 class PointsController < ApplicationController
   before_action :authenticate_user!, except: [:index, :show]
+  before_action :set_curator, except: [:index, :show]
   before_action :set_point, only: [:show, :edit, :featured, :update, :destroy]
   before_action :points_get, only: [:index]
 
@@ -100,4 +101,10 @@ def points_get
       @points = Point.all.where(status: "pending")
     end
   end
+
+  def set_curator
+    unless current_user.curator?
+      render :file => "public/401.html", :status => :unauthorized
+    end
+  end
 end

app/controllers/reasons_controller.rb

@@ -1,5 +1,6 @@
 class ReasonsController < ApplicationController
   before_action :authenticate_user!, except: [:index, :show]
+  before_action :set_curator, except: [:index, :show]
   before_action :set_point, only: [:new, :create]
   before_action :set_admin
   def new
@@ -38,7 +39,14 @@ def set_point
   def reason_params
     params.require(:reason).permit(:content)
   end
+
   def point_params
     params.require(:point).permit(:status)
   end
+
+  def set_curator
+    unless current_user.curator?
+      render :file => "public/401.html", :status => :unauthorized
+    end
+  end
 end

app/controllers/services_controller.rb

@@ -1,5 +1,6 @@
 class ServicesController < ApplicationController
   before_action :authenticate_user!, except: [:index, :show]
+  before_action :set_curator, except: [:index, :show]
   before_action :set_service, only: [:show, :edit, :update, :destroy]
 
   def index
@@ -74,4 +75,9 @@ def service_params
     params.require(:service).permit(:name, :url, :query)
   end
 
+  def set_curator
+    unless current_user.curator?
+      render :file => "public/401.html", :status => :unauthorized
+    end
+  end
 end

app/controllers/topics_controller.rb

@@ -1,5 +1,6 @@
 class TopicsController < ApplicationController
   before_action :authenticate_user!, except: [:index, :show]
+  before_action :set_curator, except: [:index, :show]
   before_action :set_topic, only: [:show, :edit, :update, :destroy]
 
   def index
@@ -61,4 +62,9 @@ def topic_params
     params.require(:topic).permit(:title, :subtitle, :description, :query, :privacy_related)
   end
 
+  def set_curator
+    unless current_user.curator?
+      render :file => "public/401.html", :status => :unauthorized
+    end
+  end
 end

public/401.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<body style="background-color: #FdFdFd;color: #F89300;text-align: center;">
+<!-- This file lives in public/401.html -->
+<h1>Uh-Oh!</h1>
+<h2>You are not authorized to do this!</h2>
+<div class="back-home" style="margin-top: 50px;margin-bottom: 10px;">
+<a href="/" class="btn" style="margin-top: 30px;background-color: #49A347;border-radius: 50px;color: white;font-weight: bold;padding: 10px 20px;">
+Back Home</a>
+</div>
+<p>
+  <a href="https://github.com/tosdr/phoenix/issues/" style="margin: 0;text-decoration: none;color: grey;">Open an issue on Github</a>
+</p>
+<p>
+  <a href="mailto:[email protected]" style="margin: 0;text-decoration: none;color: grey;">Contact us</a>
+</p>
+</body>
+</html>