module Scrivito
  # Base controller for Scrivito's JSON web service endpoints.
  #
  # Two filters run before every action, in this order: the CSRF check
  # (which, unlike Rails' default, also covers GET and HEAD) and the
  # editor authorization check. Known error classes are rendered as a
  # JSON error document instead of bubbling up to the Rails error page.
  class WebserviceController < ActionController::Base
    helper :scrivito

    # Render application, client and not-found errors as JSON, using the
    # HTTP status the error itself reports via #http_code. The error and a
    # timestamp are exposed to the view as instance variables.
    rescue_from ApplicationError, ClientError, ResourceNotFound do |error|
      @error = error
      @timestamp = Time.zone.now
      render 'scrivito/webservice/error', formats: :json, status: error.http_code
    end

    before_action :verify_authenticity_token_for_every_request
    before_action :authorize

    private

    # Like Rails' +verify_authenticity_token+, but without the exemption for
    # GET and HEAD: the token is required on every verb. Only the
    # +X-CSRF-Token+ request header is consulted, never a form parameter.
    #
    # @raise [ActionController::InvalidAuthenticityToken] when the header is
    #   missing or does not validate against the session
    def verify_authenticity_token_for_every_request
      # Nothing to verify when forgery protection is switched off for the
      # environment (Rails turns it off in test by default).
      return unless protect_against_forgery?

      token = request.headers['X-CSRF-Token']
      return if valid_authenticity_token?(session, token)

      raise ActionController::InvalidAuthenticityToken
    end

    # Reject the request with a plain 403 unless an editor is signed in.
    # Rendering from a before_action halts the filter chain, so the action
    # itself is never invoked for anonymous requests.
    def authorize
      return if allow_access?

      render_forbidden
    end

    # Plain-text 403 response shared by all access denials.
    def render_forbidden
      render plain: 'Forbidden', status: 403
    end

    # Editing context reconstructed from the current request by the
    # middleware.
    def editing_context
      EditingContextMiddleware.from_request(request)
    end

    # Editor attached to the request's editing context; expected to be blank
    # when nobody is signed in (see #allow_access?).
    def scrivito_user
      editing_context.editor
    end

    # If +true+, allow access to ObjsController, else deny access.
    # See {Scrivito::Configuration.editing_auth} for details.
    # @return [Boolean]
    def allow_access?
      scrivito_user.present?
    end

    # Asks the current editor whether it may perform +verb+ on +workspace+.
    # Assumes #authorize has already run, so an editor is present.
    #
    # @param verb [Symbol] permission being checked, e.g. +:read+
    # @param workspace [Object] workspace the permission applies to
    # @return [Boolean]
    def can_user_access_workspace?(verb, workspace)
      scrivito_user.can?(verb, workspace)
    end

    # Runs the given block only when the editor may perform +verb+ on
    # +workspace+; otherwise renders a 403 and the block is never evaluated.
    #
    # @param verb [Symbol] permission being checked
    # @param workspace [Object] workspace the permission applies to
    def authorize_workspace_access(verb, workspace)
      if can_user_access_workspace?(verb, workspace)
        yield
      else
        render_forbidden
      end
    end

    # Convenience predicate for the +:read+ permission, also exposed to
    # views via +helper_method+.
    #
    # @param workspace [Object] workspace to check
    # @return [Boolean]
    def can_user_read_workspace?(workspace)
      can_user_access_workspace?(:read, workspace)
    end
    helper_method :can_user_read_workspace?
  end
end