From 9808da44f2a082e0825e7261d0943c89e2fd78e3 Mon Sep 17 00:00:00 2001
From: Edimo Silva <edimossilva@gmail.com>
Date: Sat, 25 May 2024 17:44:08 -0300
Subject: [PATCH 1/2] 190: Only allow admin users to access admin dashboard

---
 .../admin/application_controller.rb           | 23 +++++--
 .../app/policies/admin_dashboard_policy.rb    | 11 ++++
 backend/public/401.html                       | 66 +++++++++++++++++++
 backend/public/403.html                       | 66 +++++++++++++++++++
 backend/public/404.html                       |  5 +-
 5 files changed, 162 insertions(+), 9 deletions(-)
 create mode 100644 backend/app/policies/admin_dashboard_policy.rb
 create mode 100644 backend/public/401.html
 create mode 100644 backend/public/403.html

diff --git a/backend/app/controllers/admin/application_controller.rb b/backend/app/controllers/admin/application_controller.rb
index 534540e..50e2181 100644
--- a/backend/app/controllers/admin/application_controller.rb
+++ b/backend/app/controllers/admin/application_controller.rb
@@ -8,17 +8,28 @@
 # you're free to overwrite the RESTful controller actions.
 module Admin
   class ApplicationController < Administrate::ApplicationController
+    before_action :authenticate_user!
     before_action :authenticate_admin
     before_action :set_paper_trail_whodunnit
 
+    rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
+    include Pundit::Authorization
+    after_action :verify_authorized
+
     def authenticate_admin
-      # TODO: Add authentication logic here.
+      authorize :admin_dashboard, :full_access?
+
+      # authorized = AdminDashboardPolicy.new(current_user, nil).send(:admin_dashboard?)
+      # raise Pundit::NotAuthorizedError unless authorized
     end
+    private
 
-    # Override this value to specify the number of elements to display at a time
-    # on index pages. Defaults to 20.
-    # def records_per_page
-    #   params[:per_page] || 20
-    # end
+    def user_not_authorized(exception)
+      policy_name = exception.policy.class.to_s.underscore
+      flash[:error] = t "#{policy_name}.#{exception.query}", scope: "pundit", default: :default
+      render file: "#{Rails.root}/public/401.html", layout: false, status: 401
+
+    end
   end
 end
diff --git a/backend/app/policies/admin_dashboard_policy.rb b/backend/app/policies/admin_dashboard_policy.rb
new file mode 100644
index 0000000..203b21a
--- /dev/null
+++ b/backend/app/policies/admin_dashboard_policy.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class AdminDashboardPolicy < ApplicationPolicy
+  def initialize(user, _record)
+    @user = user
+  end
+
+  def full_access?
+    user.admin?
+  end
+end
diff --git a/backend/public/401.html b/backend/public/401.html
new file mode 100644
index 0000000..b6a29c3
--- /dev/null
+++ b/backend/public/401.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (401)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  .rails-default-error-page {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  .rails-default-error-page div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  .rails-default-error-page div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  .rails-default-error-page h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  .rails-default-error-page div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body class="rails-default-error-page">
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <div>
+      <h1>You have no permission.</h1>
+    </div>
+    <p>Check if you have the correct roles.</p>
+  </div>
+</body>
+</html>
diff --git a/backend/public/403.html b/backend/public/403.html
new file mode 100644
index 0000000..e2b35f9
--- /dev/null
+++ b/backend/public/403.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Forbidden</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  .rails-default-error-page {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  .rails-default-error-page div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  .rails-default-error-page div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  .rails-default-error-page h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  .rails-default-error-page div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body class="rails-default-error-page">
+  <div class="dialog">
+    <div>
+      <h1>The page you were looking for doesn't exist.</h1>
+      <p>You may have mistyped the address or the page may have moved.</p>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>
diff --git a/backend/public/404.html b/backend/public/404.html
index 2be3af2..9c574ce 100644
--- a/backend/public/404.html
+++ b/backend/public/404.html
@@ -58,10 +58,9 @@
   <!-- This file lives in public/404.html -->
   <div class="dialog">
     <div>
-      <h1>The page you were looking for doesn't exist.</h1>
-      <p>You may have mistyped the address or the page may have moved.</p>
+      <h1>Unauthorized</h1>
+      <p>You need to sign in.</p>
     </div>
-    <p>If you are the application owner check the logs for more information.</p>
   </div>
 </body>
 </html>

From 8af9b82a799e00eb4e76347f83aa569e79313557 Mon Sep 17 00:00:00 2001
From: Edimo Silva <edimossilva@gmail.com>
Date: Sat, 25 May 2024 17:48:08 -0300
Subject: [PATCH 2/2] 190: Fix cops

---
 backend/app/controllers/admin/application_controller.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/backend/app/controllers/admin/application_controller.rb b/backend/app/controllers/admin/application_controller.rb
index 50e2181..bb345ac 100644
--- a/backend/app/controllers/admin/application_controller.rb
+++ b/backend/app/controllers/admin/application_controller.rb
@@ -23,13 +23,13 @@ def authenticate_admin
       # authorized = AdminDashboardPolicy.new(current_user, nil).send(:admin_dashboard?)
       # raise Pundit::NotAuthorizedError unless authorized
     end
+
     private
 
     def user_not_authorized(exception)
       policy_name = exception.policy.class.to_s.underscore
-      flash[:error] = t "#{policy_name}.#{exception.query}", scope: "pundit", default: :default
-      render file: "#{Rails.root}/public/401.html", layout: false, status: 401
-
+      flash.now[:error] = t "#{policy_name}.#{exception.query}", scope: "pundit", default: :default
+      render file: Rails.public_path.join("401.html").to_s, layout: false, status: :unauthorized
     end
   end
 end