fixes for authorize after security breach Dec 2022

app/controllers/contributors_controller.rb

@@ -30,7 +30,8 @@ def edit
   # rubocop:disable Metrics/AbcSize
   # POST /plans/:plan_id/contributors
   def create
-    authorize @plan
+    # to create a contributor you need to be able to edit the plan
+    authorize @plan, :edit?
 
     args = translate_roles(hash: contributor_params)
     args = process_org(hash: args)

app/controllers/notes_controller.rb

@@ -13,10 +13,6 @@ def create
     @note = Note.new
     # take user id from current user rather than form as form can be spoofed
     @note.user_id = current_user.id
-    # ensure user has access to plan BEFORE creating/finding answer
-    unless Plan.find_by(id: note_params[:plan_id]).readable_by?(@note.user_id)
-      raise Pundit::NotAuthorizedError
-    end
 
     Answer.transaction do
       @answer = Answer.find_by(

app/controllers/org_admin/phase_versions_controller.rb

@@ -7,7 +7,7 @@ class OrgAdmin::PhaseVersionsController < ApplicationController
   # POST /org_admin/templates/:template_id/phases/:phase_id/versions
   def create
     @phase = Phase.find(params[:phase_id])
-    authorize @phase, :create?
+    authorize @phase
     @new_phase = get_modifiable(@phase)
     flash[:notice] = if @new_phase == @phase
                        "This template is already a draft"

app/controllers/paginable/plans_controller.rb

@@ -6,9 +6,7 @@ class Paginable::PlansController < ApplicationController
 
   # /paginable/plans/privately_visible/:page
   def privately_visible
-    unless Paginable::PlanPolicy.new(current_user).privately_visible?
-      raise Pundit::NotAuthorizedError
-    end
+    authorize Plan
 
     paginable_renderise(
       partial: "privately_visible",
@@ -20,9 +18,7 @@ def privately_visible
 
   # GET /paginable/plans/organisationally_or_publicly_visible/:page
   def organisationally_or_publicly_visible
-    unless Paginable::PlanPolicy.new(current_user).organisationally_or_publicly_visible?
-      raise Pundit::NotAuthorizedError
-    end
+    authorize Plan
 
     paginable_renderise(
       partial: "organisationally_or_publicly_visible",

app/policies/department_policy.rb

@@ -12,6 +12,11 @@ def initialize(user, department)
     @department = department
   end
 
+  def index?
+    (@user.can_org_admin? && @user.org.id == @department.org_id) ||
+      @user.can_super_admin?
+  end
+
   def new?
     @user.can_org_admin? || @user.can_super_admin?
   end

app/policies/phase_policy.rb

@@ -25,6 +25,10 @@ def preview?
     user.can_modify_templates?  &&  (phase.template.org_id == user.org_id)
   end
 
+  def edit?
+    user.can_modify_templates?  &&  (phase.template.org_id == user.org_id)
+  end
+
   def update?
     user.can_modify_templates?  &&  (phase.template.org_id == user.org_id)
   end

app/policies/plan_policy.rb

@@ -16,6 +16,10 @@ def initialize(user, plan)
     @plan = plan
   end
 
+  def index?
+    @user.present?
+  end
+
   def show?
     @plan.readable_by?(@user.id)
   end
@@ -82,4 +86,12 @@ def update_guidances_list?
     @plan.editable_by?(@user.id)
   end
 
+  def privately_visible?
+    @user.present?
+  end
+
+  def organisationally_or_publicly_visible?
+    @user.present?
+  end
+
 end

app/policies/section_policy.rb

@@ -18,11 +18,11 @@ def initialize(user, section)
   ##
 
   def index?
-    user.present?
+    @user.present?
   end
 
   def show?
-    user.present?
+    @user.present?
   end
 
   def edit?