feat: Add Pundit authorization policies

- Add ApplicationPolicy base class - Add GamePolicy (owner or admin can access) - Add MissionPolicy (published visible to all) - Implement Scope for filtering records - Support admin and account_manager roles
2026-02-22 11:48:18 +00:00 · 2025-11-21 15:27:54 +00:00
parent f6c9ceb5e8
commit c127ba6f03
3 changed files with 121 additions and 0 deletions
--- a/app/policies/break_escape/application_policy.rb
+++ b/app/policies/break_escape/application_policy.rb
@@ -0,0 +1,53 @@
+module BreakEscape
+  class ApplicationPolicy
+    attr_reader :user, :record
+
+    def initialize(user, record)
+      @user = user
+      @record = record
+    end
+
+    def index?
+      false
+    end
+
+    def show?
+      false
+    end
+
+    def create?
+      false
+    end
+
+    def new?
+      create?
+    end
+
+    def update?
+      false
+    end
+
+    def edit?
+      update?
+    end
+
+    def destroy?
+      false
+    end
+
+    class Scope
+      def initialize(user, scope)
+        @user = user
+        @scope = scope
+      end
+
+      def resolve
+        raise NotImplementedError
+      end
+
+      private
+
+      attr_reader :user, :scope
+    end
+  end
+end
--- a/app/policies/break_escape/game_policy.rb
+++ b/app/policies/break_escape/game_policy.rb
@@ -0,0 +1,46 @@
+module BreakEscape
+  class GamePolicy < ApplicationPolicy
+    def show?
+      # Owner or admin/account_manager
+      record.player == user || user&.admin? || user&.account_manager?
+    end
+
+    def update?
+      show?
+    end
+
+    def scenario?
+      show?
+    end
+
+    def ink?
+      show?
+    end
+
+    def bootstrap?
+      show?
+    end
+
+    def sync_state?
+      show?
+    end
+
+    def unlock?
+      show?
+    end
+
+    def inventory?
+      show?
+    end
+
+    class Scope < Scope
+      def resolve
+        if user&.admin? || user&.account_manager?
+          scope.all
+        else
+          scope.where(player: user)
+        end
+      end
+    end
+  end
+end
--- a/app/policies/break_escape/mission_policy.rb
+++ b/app/policies/break_escape/mission_policy.rb
@@ -0,0 +1,22 @@
+module BreakEscape
+  class MissionPolicy < ApplicationPolicy
+    def index?
+      true  # Everyone can see mission list
+    end
+
+    def show?
+      # Published missions or admin
+      record.published? || user&.admin? || user&.account_manager?
+    end
+
+    class Scope < Scope
+      def resolve
+        if user&.admin? || user&.account_manager?
+          scope.all
+        else
+          scope.published
+        end
+      end
+    end
+  end
+end