Mise en place de pundit pour le super_admin et ajout du role support (#…

…3918)

* initial pundit for administrate and policies for super_admin
* remove unused files and sign_in_as user method
* change for #3788
* Update SuperAdmin role and Pundit configuration
* Update policies for support and super_admin behavior
* use administrate custom behavior for redirect after destroy
* fix links for delete agent and good_job, avoid privilége escalation
* add rule for anonymizer
* refacto shared_policy_example
* policies spec for super_admin
* apply Victors suggestion : rename super_admin role in legacy_admin and minor policy changes

.rubocop.yml

@@ -110,6 +110,7 @@ Rails/LexicallyScopedActionFilter:
     - 'app/controllers/user_auth_controller.rb'
     - 'app/controllers/agents/sessions_controller.rb'
     - 'app/controllers/agent_auth_controller.rb'
+    - 'app/controllers/super_admins/super_admins_controller.rb'
 
 Rails/ActiveRecordCallbacksOrder:
   Enabled: false

Gemfile.lock

@@ -76,7 +76,7 @@ GEM
       tzinfo (~> 2.0)
     addressable (2.8.5)
       public_suffix (>= 2.0.2, < 6.0)
-    administrate (0.18.0)
+    administrate (0.19.0)
       actionpack (>= 5.0)
       actionview (>= 5.0)
       activerecord (>= 5.0)
@@ -202,7 +202,7 @@ GEM
     faraday-follow_redirects (0.3.0)
       faraday (>= 1, < 3)
     faraday-net_http (3.0.2)
-    ffi (1.15.5)
+    ffi (1.16.3)
     fugit (1.8.1)
       et-orbi (~> 1, >= 1.2.7)
       raabro (~> 1.4)
@@ -233,7 +233,7 @@ GEM
     jbuilder (2.11.5)
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
-    jquery-rails (4.5.1)
+    jquery-rails (4.6.0)
       rails-dom-testing (>= 1, < 3)
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
@@ -278,7 +278,7 @@ GEM
       activesupport (>= 4)
       railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.21.4)
+    loofah (2.22.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.8.1)
@@ -436,7 +436,7 @@ GEM
       thor (~> 1.0)
       zeitwerk (~> 2.5)
     rainbow (3.1.1)
-    rake (13.0.6)
+    rake (13.1.0)
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
@@ -550,9 +550,9 @@ GEM
     spring (4.1.3)
     spring-commands-rspec (1.0.4)
       spring (>= 0.9.1)
-    sprockets (4.1.1)
+    sprockets (4.2.1)
       concurrent-ruby (~> 1.0)
-      rack (> 1, < 3)
+      rack (>= 2.2.4, < 4)
     sprockets-rails (3.4.2)
       actionpack (>= 5.2)
       activesupport (>= 5.2)
@@ -564,7 +564,7 @@ GEM
       attr_required (>= 0.0.5)
       httpclient (>= 2.4)
     temple (0.8.2)
-    thor (1.2.2)
+    thor (1.3.0)
     thread_safe (0.3.6)
     tilt (2.0.11)
     timeout (0.3.2)

app/controllers/omniauth_callbacks_controller.rb

@@ -17,7 +17,7 @@ def github
     # Automatically create the first SuperAdmin in development
     if Rails.env.development? && SuperAdmin.none?
       first_name, last_name = request.env["omniauth.auth"]["info"]["name"].split
-      SuperAdmin.create!(email: email, first_name: first_name, last_name: last_name)
+      SuperAdmin.create!(email: email, first_name: first_name, last_name: last_name, role: :legacy_admin)
     end
 
     super_admin = SuperAdmin.find_by(email: email)

app/controllers/super_admins/agent_roles_controller.rb

@@ -1,13 +1,7 @@
 module SuperAdmins
   class AgentRolesController < SuperAdmins::ApplicationController
-    def destroy
-      if requested_resource.destroy
-        flash[:notice] = translate_with_resource("destroy.success")
-      else
-        flash[:error] = requested_resource.errors.full_messages.join("<br/>")
-      end
-
-      redirect_to(after_resource_created_path(requested_resource.agent), notice: flash[:notice])
+    def after_resource_destroyed_path(requested_resource)
+      [namespace, requested_resource.agent]
     end
   end
 end

app/controllers/super_admins/agent_services_controller.rb

@@ -0,0 +1,7 @@
+module SuperAdmins
+  class AgentServicesController < SuperAdmins::ApplicationController
+    def after_resource_destroyed_path(requested_resource)
+      [namespace, requested_resource.agent]
+    end
+  end
+end

app/controllers/super_admins/agents_controller.rb

@@ -1,6 +1,7 @@
 module SuperAdmins
   class AgentsController < SuperAdmins::ApplicationController
     def sign_in_as
+      authorize :agent, :sign_in_as?, policy_class: SuperAdmin::AgentPolicy
       agent = Agent.find(params[:id])
       if sign_in_as_allowed?
         sign_out(:user)
@@ -44,6 +45,7 @@ def update
     end
 
     def invite
+      authorize :agent, :invite?, policy_class: SuperAdmin::AgentPolicy
       requested_resource.invited_by = current_super_admin
       requested_resource.invite!(nil, validate: false)
       redirect_to(

app/controllers/super_admins/application_controller.rb

@@ -7,6 +7,8 @@
 module SuperAdmins
   class ApplicationController < Administrate::ApplicationController
     include DomainDetection
+    include Administrate::Punditize
+    rescue_from Pundit::NotAuthorizedError, with: :super_admin_not_authorized
 
     helper all_helpers_from_path "app/helpers"
 
@@ -18,11 +20,28 @@ class ApplicationController < Administrate::ApplicationController
     end
     before_action :set_paper_trail_whodunnit
     before_action :set_sentry_context
+    after_action :verify_authorized
 
     helper_method :sign_in_as_allowed?
 
+    # Pundit configuration for Administrate
+    def policy_namespace
+      [:super_admin]
+    end
+
+    def pundit_user
+      current_super_admin
+    end
+    # End Pundit configuration for Administrate
+
     private
 
+    def super_admin_not_authorized(exception)
+      policy_name = exception.policy.class.to_s.underscore
+      flash[:error] = t "#{policy_name}.#{exception.query}", scope: "pundit", default: :default
+      redirect_to(request.referer || super_admins_root_path)
+    end
+
     def user_for_paper_trail
       return "Local SuperAdmin" if current_super_admin.nil?
 

app/controllers/super_admins/migrations_controller.rb

@@ -1,10 +1,12 @@
 module SuperAdmins
-  class MigrationsController < ApplicationController
+  class MigrationsController < SuperAdmins::ApplicationController
     def new
+      authorize :migration, :new?, policy_class: SuperAdmin::MigrationPolicy
       @agent = Agent.find(params[:agent_id])
     end
 
     def create
+      authorize :migration, :create?, policy_class: SuperAdmin::MigrationPolicy
       agent = Agent.find(params[:agent_id])
 
       new_organisation = Organisation.find(params[:new_organisation_id])

app/controllers/super_admins/motifs_controller.rb

@@ -1,21 +1,4 @@
 module SuperAdmins
   class MotifsController < SuperAdmins::ApplicationController
-    # To customize the behavior of this controller,
-    # you can overwrite any of the RESTful actions. For example:
-    #
-    # def index
-    #   super
-    #   @resources = Agent.
-    #     page(params[:page]).
-    #     per(10)
-    # end
-
-    # Define a custom finder by overriding the `find_resource` method:
-    # def find_resource(param)
-    #   Agent.find_by!(slug: param)
-    # end
-
-    # See https://administrate-prototype.herokuapp.com/customizing_controller_actions
-    # for more information
   end
 end

app/controllers/super_admins/super_admins_controller.rb

@@ -1,21 +1,20 @@
 module SuperAdmins
   class SuperAdminsController < SuperAdmins::ApplicationController
-    # To customize the behavior of this controller,
-    # you can overwrite any of the RESTful actions. For example:
-    #
-    # def index
-    #   super
-    #   @resources = SuperAdmin.
-    #     page(params[:page]).
-    #     per(10)
-    # end
+    before_action :check_privilege_escalation, only: %i[update]
 
-    # Define a custom finder by overriding the `find_resource` method:
-    # def find_resource(param)
-    #   SuperAdmin.find_by!(slug: param)
-    # end
+    def check_privilege_escalation
+      return not_authorized_to_update if privilege_escalation?
+    end
 
-    # See https://administrate-prototype.herokuapp.com/customizing_controller_actions
-    # for more information
+    private
+
+    def not_authorized_to_update
+      flash[:error] = "Vous n'êtes pas autorisé à modifier le role de super_admin"
+      redirect_to(request.referer)
+    end
+
+    def privilege_escalation?
+      current_super_admin.support_member? && resource_params[:role] == "super_admin"
+    end
   end
 end

app/controllers/super_admins/user_profiles_controller.rb

@@ -0,0 +1,7 @@
+module SuperAdmins
+  class UserProfilesController < SuperAdmins::ApplicationController
+    def after_resource_destroyed_path(requested_resource)
+      [namespace, requested_resource.user]
+    end
+  end
+end

app/controllers/super_admins/users_controller.rb

@@ -1,15 +1,4 @@
 module SuperAdmins
   class UsersController < SuperAdmins::ApplicationController
-    def sign_in_as
-      user = User.find(params[:id])
-      if sign_in_as_allowed?
-        sign_out(:agent)
-        sign_in(:user, user, bypass: true)
-        redirect_to root_url
-      else
-        flash[:error] = "Fonctionnalité désactivée sur cet environnement."
-        redirect_to super_admins_user_path(user)
-      end
-    end
   end
 end

app/dashboards/agent_dashboard.rb

@@ -17,6 +17,7 @@ class AgentDashboard < Administrate::BaseDashboard
     territories: Field::HasMany,
     territorial_roles: Field::HasMany,
     services: Field::HasMany,
+    agent_services: Field::HasMany,
     invitation_sent_at: Field::DateTime,
     deleted_at: Field::DateTime,
     created_at: Field::DateTime,
@@ -42,10 +43,9 @@ class AgentDashboard < Administrate::BaseDashboard
     email
     first_name
     last_name
-    organisations
     roles
+    agent_services
     territorial_roles
-    services
     invitation_sent_at
     created_at
     deleted_at

app/dashboards/agent_role_dashboard.rb

@@ -23,6 +23,7 @@ class AgentRoleDashboard < Administrate::BaseDashboard
   # Feel free to add, remove, or rearrange items.
   COLLECTION_ATTRIBUTES = %i[
     access_level
+    agent
     organisation
   ].freeze