From 97b08100f155d2c04d8d328c44eb1356443e522d Mon Sep 17 00:00:00 2001
From: Alex Kotov
Date: Thu, 6 Dec 2018 04:20:50 +0500
Subject: [PATCH] Improve guest account security

---
 app/controllers/application_controller.rb | 12 ++++++++----
 .../membership_applications_controller.rb | 2 +-
 app/policies/application_policy.rb | 5 +++--
 app/policies/membership_application_policy.rb | 2 +-
 4 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 68f4679..08b04a3 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -18,14 +18,18 @@ class ApplicationController < ActionController::Base
 private

 def current_account
- @current_account ||= current_user&.account || Account.guests.find_by(id: session[:guest_account_id])
+ @current_account ||= current_user&.account
+ end
+
+ def guest_account
+ @guest_account ||= current_account
+ @guest_account ||= Account.guests.find_by(id: session[:guest_account_id])
 end

 def pundit_user
 @pundit_user ||= ApplicationPolicy::Context.new(
- account: current_account,
+ account: current_account,
+ guest_account: guest_account,
 )
 end

diff --git a/app/controllers/membership_applications_controller.rb b/app/controllers/membership_applications_controller.rb
index f6e8fd2..5ad479e 100644
--- a/app/controllers/membership_applications_controller.rb
+++ b/app/controllers/membership_applications_controller.rb
@@ -20,7 +20,7 @@ class MembershipApplicationsController < ApplicationController

 @membership_application = MembershipApplication.new permitted_attributes MembershipApplication

- @membership_application.account = current_account || Account.new
+ @membership_application.account = guest_account || Account.new

 authorize @membership_application

diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
index 6b5eb8e..f2c98fe 100644
--- a/app/policies/application_policy.rb
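Review bot: `guest_account` returns the signed-in user's account before it consults the session (`@guest_account ||= current_account`), so despite its name it is only a guest for anonymous visitors, and `pundit_user` then builds a Context whose two fields are the same object for any logged-in user; a comment above the method should state that precedence, e.g. `# Account acting in this request: the signed-in user's account if any, otherwise the guest account the session points to, or nil.` The two memoized lines can also be the single expression `@guest_account ||= current_account || Account.guests.find_by(id: session[:guest_account_id])`. For a visitor with no `session[:guest_account_id]` both values are nil, and MembershipApplicationPolicy#show? in this same patch compares `record.account` against them with `in?`, so if an application's account can ever be nil that check passes for anyone; a `record.account.present? &&` guard in the policy closes that, and whether the association is required is not visible in the patch. Scoping the lookup to `Account.guests` is what stops a stale or reused session id from resolving to a member's account, so that restriction should survive any further refactor.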
+++ b/app/policies/application_policy.rb
@@ -62,10 +62,11 @@ class ApplicationPolicy
 end

 class Context
- attr_reader :account
+ attr_reader :account, :guest_account

- def initialize(account:)
+ def initialize(account:, guest_account:)
 @account = account
+ @guest_account = guest_account
 end
 end
 end
diff --git a/app/policies/membership_application_policy.rb b/app/policies/membership_application_policy.rb
index bcdc813..5ef1422 100644
--- a/app/policies/membership_application_policy.rb
+++ b/app/policies/membership_application_policy.rb
@@ -2,7 +2,7 @@ class MembershipApplicationPolicy < ApplicationPolicy
 def show?
- record.account == context.account
+ record.account.in? [context.account, context.guest_account]
 end

 def create?
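Review bot: The new `guest_account` reader on `Context` is undocumented, and since policies now authorize against two accounts a reader of this class cannot tell which is which; add above `attr_reader` a comment such as `# account: the signed-in user's account (nil for visitors). guest_account: the account acting in the request — equal to account when signed in, otherwise the session's guest account, otherwise nil.`, which is what ApplicationController#guest_account in this patch supplies. Making `guest_account:` a required keyword raises ArgumentError wherever else a Context is constructed (specs or other controllers, if any exist); if there are such callers, `def initialize(account:, guest_account: nil)` keeps them working and mirrors the nil the controller already passes for anonymous visitors, while still letting the controller pass both explicitly.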