add authorization checks

1 month ago · e52830c9b4
parent 755decca27
commit e52830c9b4
7 changed files with 14 additions and 0 deletions
--- a/app/controllers/submissions_resend_email_controller.rb
+++ b/app/controllers/submissions_resend_email_controller.rb
@ -5,6 +5,7 @@ class SubmissionsResendEmailController < ApplicationController

  before_action do
    authorize!(:manage, :resend_all)
+    authorize!(:update, @submission)
  end

  def create
--- a/app/controllers/submissions_unarchive_controller.rb
+++ b/app/controllers/submissions_unarchive_controller.rb
@ -4,6 +4,8 @@ class SubmissionsUnarchiveController < ApplicationController
  load_and_authorize_resource :submission

  def create
+    authorize!(:update, @submission)
+
    @submission.update!(archived_at: nil)

    redirect_to submission_path(@submission), notice: I18n.t('submission_has_been_unarchived')
--- a/app/controllers/submitters_send_email_controller.rb
+++ b/app/controllers/submitters_send_email_controller.rb
@ -4,6 +4,8 @@ class SubmittersSendEmailController < ApplicationController
  load_and_authorize_resource :submitter

  def create
+    authorize!(:update, @submitter)
+
    if Docuseal.multitenant? && SubmissionEvent.exists?(submitter: @submitter,
                                                        event_type: 'send_email',
                                                        created_at: 10.hours.ago..Time.current)
--- a/app/controllers/template_documents_controller.rb
+++ b/app/controllers/template_documents_controller.rb
@ -10,6 +10,8 @@ class TemplateDocumentsController < ApplicationController
  end

  def create
+    authorize!(:update, @template)
+
    if params[:blobs].blank? && params[:files].blank?
      return render json: { error: I18n.t('file_is_missing') }, status: :unprocessable_content
    end
--- a/app/controllers/templates_clone_and_replace_controller.rb
+++ b/app/controllers/templates_clone_and_replace_controller.rb
@ -13,6 +13,9 @@ class TemplatesCloneAndReplaceController < ApplicationController

    cloned_template = Templates::Clone.call(@template, author: current_user)
    cloned_template.name = File.basename(params[:files].first.original_filename, '.*')
+
+    authorize!(:create, cloned_template)
+
    cloned_template.save!

    documents = Templates::ReplaceAttachments.call(cloned_template, params, extract_fields: true)
--- a/app/controllers/templates_folders_controller.rb
+++ b/app/controllers/templates_folders_controller.rb
@ -6,6 +6,8 @@ class TemplatesFoldersController < ApplicationController
  def edit; end

  def update
+    authorize!(:update, @template)
+
    name = [params[:parent_name], params[:name]].compact_blank.join(' / ')

    @template.folder = TemplateFolders.find_or_create_by_name(current_user, name)
--- a/app/controllers/templates_restore_controller.rb
+++ b/app/controllers/templates_restore_controller.rb
@ -4,6 +4,8 @@ class TemplatesRestoreController < ApplicationController
  load_and_authorize_resource :template

  def create
+    authorize!(:update, @template)
+
    @template.update!(archived_at: nil)

    WebhookUrls.enqueue_events(@template, 'template.updated')