Move Avo-related Pundit policies into Admin:: namespace (#4745)

* Move all policies under Admin:: namespace
* Add basic ApplicationPolicy for userland policies
* Add hack around avo not using authorization_policy everywhere yet (fixed in Avo 3)

app/avo/resources/admin_github_user_resource.rb

@@ -2,6 +2,7 @@ class AdminGitHubUserResource < Avo::BaseResource
   self.title = :login
   self.includes = []
   self.model_class = ::Admin::GitHubUser
+  self.authorization_policy = ::Admin::GitHubUserPolicy
   self.search_query = lambda {
     scope.where("login LIKE ?", "%#{params[:q]}%")
   }

app/components/avo/audited_changes_record_diff/show_component.rb

@@ -64,7 +64,7 @@ def component_for_field(field, resource)
   end
 
   def authorized?
-    Pundit.policy!(user, resource.model).avo_show?
+    Pundit.policy!(user, [:admin, resource.model]).avo_show?
   end
 
   def title_link

app/policies/api_key_policy.rb → app/policies/admin/api_key_policy.rb

@@ -1,5 +1,5 @@
-class ApiKeyPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::ApiKeyPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end
@@ -10,6 +10,6 @@ def resolve
   has_association :oidc_id_token
 
   def avo_show?
-    Pundit.policy!(user, record.owner).avo_show?
+    policy!(user, record.owner).avo_show?
   end
 end

app/policies/admin/api_key_rubygem_scope_policy.rb

@@ -0,0 +1,11 @@
+class Admin::ApiKeyRubygemScopePolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
+    def resolve
+      scope.all
+    end
+  end
+
+  def avo_show?
+    policy!(user, record.ownership).avo_show?
+  end
+end

app/policies/admin/application_policy.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+class Admin::ApplicationPolicy
+  include Admin::Concerns::PolicyHelpers
+  include SemanticLogger::Loggable
+
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  def avo_index?
+    false
+  end
+
+  def avo_show?
+    false
+  end
+
+  def avo_create?
+    false
+  end
+
+  def avo_new?
+    avo_create?
+  end
+
+  def avo_update?
+    false
+  end
+
+  def avo_edit?
+    avo_update?
+  end
+
+  def avo_destroy?
+    false
+  end
+
+  def avo_search?
+    avo_index?
+  end
+
+  def act_on?
+    false
+  end
+
+  def self.has_association(assocation) # rubocop:disable Naming/PredicateName
+    %w[create attach detach destroy edit].each do |action|
+      define_method(:"#{action}_#{assocation}?") { false }
+    end
+    define_method(:"show_#{assocation}?") { policy!(user, record).avo_show? }
+    alias_method :"view_#{assocation}?", :avo_show?
+  end
+
+  class Scope
+    include Admin::Concerns::PolicyHelpers
+
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      raise NotImplementedError, "You must define #resolve in #{self.class}"
+    end
+
+    private
+
+    attr_reader :user, :scope
+  end
+end

app/policies/audit_policy.rb → app/policies/admin/audit_policy.rb

@@ -1,5 +1,5 @@
-class AuditPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::AuditPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     # NOTE: Be explicit about which records you allow access to!
     def resolve
       if rubygems_org_admin?

app/policies/concerns/admin_user.rb → app/policies/admin/concerns/policy_helpers.rb

@@ -1,4 +1,4 @@
-module AdminUser
+module Admin::Concerns::PolicyHelpers
   extend ActiveSupport::Concern
 
   included do
@@ -13,5 +13,9 @@ def belongs_to_team?(slug)
     def rubygems_org_admin?
       belongs_to_team?("rubygems-org")
     end
+
+    def policy!(user, record)
+      Pundit.policy!(user, [:admin, record])
+    end
   end
 end

app/policies/deletion_policy.rb → app/policies/admin/deletion_policy.rb

@@ -1,5 +1,5 @@
-class DeletionPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::DeletionPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/admin/dependency_policy.rb

@@ -0,0 +1,11 @@
+class Admin::DependencyPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
+    def resolve
+      scope.all
+    end
+  end
+
+  def avo_show?
+    rubygems_org_admin?
+  end
+end

app/policies/events/rubygem_event_policy.rb → app/policies/admin/events/rubygem_event_policy.rb

@@ -1,5 +1,5 @@
-class Events::RubygemEventPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::Events::RubygemEventPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/events/user_event_policy.rb → app/policies/admin/events/user_event_policy.rb

@@ -1,5 +1,5 @@
-class Events::UserEventPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::Events::UserEventPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/gem_download_policy.rb → app/policies/admin/gem_download_policy.rb

@@ -1,5 +1,5 @@
-class GemDownloadPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::GemDownloadPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     # NOTE: Be explicit about which records you allow access to!
     def resolve
       scope.all

app/policies/gem_name_reservation_policy.rb → app/policies/admin/gem_name_reservation_policy.rb

@@ -1,5 +1,5 @@
-class GemNameReservationPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::GemNameReservationPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/gem_typo_exception_policy.rb → app/policies/admin/gem_typo_exception_policy.rb

@@ -1,5 +1,5 @@
-class GemTypoExceptionPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::GemTypoExceptionPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/geoip_info_policy.rb → app/policies/admin/geoip_info_policy.rb

@@ -1,5 +1,5 @@
-class GeoipInfoPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::GeoipInfoPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/admin/github_user_policy.rb

@@ -1,5 +1,5 @@
-class Admin::GitHubUserPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::GitHubUserPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     # NOTE: Be explicit about which records you allow access to!
     def resolve
       if rubygems_org_admin?

app/policies/ip_address_policy.rb → app/policies/admin/ip_address_policy.rb

@@ -1,5 +1,5 @@
-class IpAddressPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::IpAddressPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/link_verification_policy.rb → app/policies/admin/link_verification_policy.rb

@@ -1,5 +1,5 @@
-class LinkVerificationPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::LinkVerificationPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/admin/linkset_policy.rb

@@ -0,0 +1,15 @@
+class Admin::LinksetPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
+    def resolve
+      scope.all
+    end
+  end
+
+  def avo_index?
+    policy!(user, Rubygem).avo_index?
+  end
+
+  def avo_show?
+    policy!(user, record.rubygem).avo_show?
+  end
+end

app/policies/log_ticket_policy.rb → app/policies/admin/log_ticket_policy.rb

@@ -1,5 +1,5 @@
-class LogTicketPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::LogTicketPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/maintenance_tasks/run_policy.rb → app/policies/admin/maintenance_tasks/run_policy.rb

@@ -1,5 +1,5 @@
-class MaintenanceTasks::RunPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::MaintenanceTasks::RunPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/oidc/api_key_role_policy.rb → app/policies/admin/oidc/api_key_role_policy.rb

@@ -1,5 +1,5 @@
-class OIDC::ApiKeyRolePolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::OIDC::ApiKeyRolePolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/oidc/id_token_policy.rb → app/policies/admin/oidc/id_token_policy.rb

@@ -1,5 +1,5 @@
-class OIDC::IdTokenPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::OIDC::IdTokenPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/oidc/pending_trusted_publisher_policy.rb → app/policies/admin/oidc/pending_trusted_publisher_policy.rb

@@ -1,5 +1,5 @@
-class OIDC::PendingTrustedPublisherPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::OIDC::PendingTrustedPublisherPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/oidc/provider_policy.rb → app/policies/admin/oidc/provider_policy.rb

@@ -1,5 +1,5 @@
-class OIDC::ProviderPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::OIDC::ProviderPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/oidc/rubygem_trusted_publisher_policy.rb → app/policies/admin/oidc/rubygem_trusted_publisher_policy.rb

@@ -1,5 +1,5 @@
-class OIDC::RubygemTrustedPublisherPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::OIDC::RubygemTrustedPublisherPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/oidc/trusted_publisher/github_action_policy.rb → app/policies/admin/oidc/trusted_publisher/github_action_policy.rb

@@ -1,5 +1,5 @@
-class OIDC::TrustedPublisher::GitHubActionPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::OIDC::TrustedPublisher::GitHubActionPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/ownership_policy.rb → app/policies/admin/ownership_policy.rb

@@ -1,5 +1,5 @@
-class OwnershipPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::OwnershipPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/rubygem_policy.rb → app/policies/admin/rubygem_policy.rb

@@ -1,5 +1,5 @@
-class RubygemPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::RubygemPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       if rubygems_org_admin?
         scope.all

app/policies/sendgrid_event_policy.rb → app/policies/admin/sendgrid_event_policy.rb

@@ -1,5 +1,5 @@
-class SendgridEventPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::SendgridEventPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/user_policy.rb → app/policies/admin/user_policy.rb

@@ -1,5 +1,5 @@
-class UserPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::UserPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     # NOTE: Be explicit about which records you allow access to!
     def resolve
       scope.all

app/policies/version_policy.rb → app/policies/admin/version_policy.rb

@@ -1,5 +1,5 @@
-class VersionPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::VersionPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       if rubygems_org_admin?
         scope.all

app/policies/web_hook_policy.rb → app/policies/admin/web_hook_policy.rb

@@ -1,5 +1,5 @@
-class WebHookPolicy < ApplicationPolicy
-  class Scope < Scope
+class Admin::WebHookPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
     def resolve
       scope.all
     end

app/policies/admin/webauthn_credential_policy.rb

@@ -0,0 +1,13 @@
+class Admin::WebauthnCredentialPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
+    def resolve
+      scope.all
+    end
+  end
+
+  has_association :user
+
+  def avo_show?
+    policy!(user, record.user).avo_show?
+  end
+end

app/policies/admin/webauthn_verification_policy.rb

@@ -0,0 +1,13 @@
+class Admin::WebauthnVerificationPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
+    def resolve
+      scope.all
+    end
+  end
+
+  has_association :user
+
+  def avo_show?
+    policy!(user, record.user).avo_show?
+  end
+end