fix: Macros authorizations (#5779)

Macros policy update.

ref: #5730

app/controllers/api/v1/accounts/macros_controller.rb

@@ -1,6 +1,6 @@
 class Api::V1::Accounts::MacrosController < Api::V1::Accounts::BaseController
-  before_action :check_authorization
   before_action :fetch_macro, only: [:show, :update, :destroy, :execute]
+  before_action :check_authorization, only: [:show, :update, :destroy, :execute]
 
   def index
     @macros = Macro.with_visibility(current_user, params)
@@ -55,6 +55,8 @@ class Api::V1::Accounts::MacrosController < Api::V1::Accounts::BaseController
     head :ok
   end
 
+  private
+
   def process_attachments
     actions = @macro.actions.filter_map { |k, _v| k if k['action_name'] == 'send_attachment' }
     return if actions.blank?
@@ -80,4 +82,8 @@ class Api::V1::Accounts::MacrosController < Api::V1::Accounts::BaseController
   def fetch_macro
     @macro = Current.account.macros.find_by(id: params[:id])
   end
+
+  def check_authorization
+    authorize(@macro) if @macro.present?
+  end
 end

app/models/macro.rb

@@ -9,23 +9,21 @@
 #  created_at    :datetime         not null
 #  updated_at    :datetime         not null
 #  account_id    :bigint           not null
-#  created_by_id :bigint           not null
-#  updated_by_id :bigint           not null
+#  created_by_id :bigint
+#  updated_by_id :bigint
 #
 # Indexes
 #
-#  index_macros_on_account_id     (account_id)
-#  index_macros_on_created_by_id  (created_by_id)
-#  index_macros_on_updated_by_id  (updated_by_id)
+#  index_macros_on_account_id  (account_id)
 #
 class Macro < ApplicationRecord
   include Rails.application.routes.url_helpers
 
   belongs_to :account
   belongs_to :created_by,
-             class_name: :User
+             class_name: :User, optional: true
   belongs_to :updated_by,
-             class_name: :User
+             class_name: :User, optional: true
   has_many_attached :files
 
   enum visibility: { personal: 0, global: 1 }
@@ -41,10 +39,9 @@ class Macro < ApplicationRecord
   end
 
   def self.with_visibility(user, params)
-    records = user.administrator? ? Current.account.macros : Current.account.macros.global
-    records = records.or(personal.where(created_by_id: user.id)) if user.agent?
-    records.page(current_page(params))
-    records
+    records = Current.account.macros.global
+    records = records.or(personal.where(created_by_id: user.id))
+    records.order(:id).page(current_page(params))
   end
 
   def self.current_page(params)

app/models/user.rb

@@ -92,17 +92,13 @@ class User < ApplicationRecord
   has_many :team_members, dependent: :destroy_async
   has_many :teams, through: :team_members
   has_many :articles, foreign_key: 'author_id', dependent: :nullify
-  has_many :portal_members,
-           class_name: :PortalMember,
-           dependent: :destroy_async
-  has_many :portals,
-           through: :portal_members,
-           class_name: :Portal,
-           dependent: :nullify,
-           source: :portal
-  has_many :macros, foreign_key: 'created_by_id', dependent: :destroy_async
-
+  has_many :portal_members, class_name: :PortalMember, dependent: :destroy_async
+  has_many :portals, through: :portal_members, source: :portal,
+                     class_name: :Portal,
+                     dependent: :nullify
+  has_many :macros, foreign_key: 'created_by_id'
   before_validation :set_password_and_uid, on: :create
+  after_destroy :remove_macros
 
   scope :order_by_full_name, -> { order('lower(name) ASC') }
 
@@ -205,4 +201,10 @@ class User < ApplicationRecord
       count: notifications.where(account_id: account_id).count
     }
   end
+
+  private
+
+  def remove_macros
+    macros.personal.destroy_all
+  end
 end

app/policies/macro_policy.rb

@@ -8,22 +8,34 @@ class MacroPolicy < ApplicationPolicy
   end
 
   def show?
-    true
+    @record.global? || author?
   end
 
   def update?
-    true
+    author? || (@account_user.administrator? && @record.global?)
   end
 
   def destroy?
-    true
+    author? || orphan_record?
   end
 
   def execute?
-    true
+    @record.global? || author?
   end
 
   def attach_file?
     true
   end
+
+  private
+
+  def author?
+    @record.created_by == @account_user.user
+  end
+
+  def orphan_record?
+    return @account_user.administrator? if @record.created_by.nil? && @record.global?
+
+    false
+  end
 end