Skip to content

Complete ActionPolicy implementation for Resource model #717

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 2 commits into
base: action-policy
Choose a base branch
from
Draft

Complete ActionPolicy implementation for Resource model #717

Copilot wants to merge 2 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Jan 19, 2026
edited
Loading

What is the goal of this PR and why is this important?

ActionPolicy gem was added but incompletely applied to the Resource model. Missing authorization checks on controller actions and incomplete policy rules created potential security gaps.

How did you approach the change?

Controller Authorization

  • Added authorize! to new and search actions (previously missing)
  • All 9 ResourcesController actions now properly authorize

Policy Rules

  • Added create?, search?, stories? rules
  • Aliased related actions: create?/search? → new?, stories? → index?
  • Rules enforce: public (index, stories, download), admin-only (new, create, search, filter_published), owner-or-admin (update, edit, destroy), conditional (show: admins or published resources)
  • Relation scope filters resources by user role (admins see all, users see published)

Draper Integration

  • ActionPolicy::Draper module in lib/action_policy/draper.rb unwraps decorators before policy checks
  • Prepended in ApplicationController

Testing

  • 152 test cases covering all policy rules and scopes
  • Tests verify admin, owner, regular user permissions
  • ActionPolicy RSpec DSL configured in spec/support/action_policy.rb

Anything else to add?

Views already use allowed_to? helper correctly. ApplicationController has proper error handling via rescue_from ActionPolicy::Unauthorized.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI mentioned this pull request Jan 19, 2026
Open
@maebeale
Complete ActionPolicy implementation for Resource
ac9ae45 
- Add authorization checks to all controller actions (new, search)
- Add missing policy rules (create?, search?, stories?)
- Write comprehensive policy tests covering all rules and scopes
- Add ActionPolicy RSpec support
- Verify Draper decorator integration is working

Co-authored-by: maebeale <7607813+maebeale@users.noreply.github.com>
Copilot AI changed the title [WIP] Add ActionPolicy gem and apply it to resources Complete ActionPolicy implementation for Resource model Jan 19, 2026
Copilot AI requested a review from maebeale January 19, 2026 16:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maebeale maebeale Awaiting requested review from maebeale

Assignees

@maebeale maebeale

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@maebeale