check permissions in the jobs controller
currently the jobs controller does not enforce any permission (this is bad, very bad)

- any user can create a job for any webapp (if he knows the webapp id, which is trivial because they are predictable)
- any user can show/update/destroy any job (if he knows the job id, which is trivial because they are predictable)

==>

- job creation should be allowed only if `@webapp.usable_by current_user` (or valid token)
- other operations should be allowed only if `@job.user_id == current_user.id` or `@job.webapp.administrable_by? current_user` (or valid token)
- must not break #19 (closed) (the url sent to the app owner should include the job token so that he can actually view it, since the token, unlike the job id, is not guessable)
- get inspiration from webapps_controller.rb and the Webapp model (hooks named `verify_....` registered with `before_action`)
- Job model: add methods `usable_by?(user)`
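The rules above as an added, runnable sketch in plain Ruby (not the project's code, and Rails is not needed to run it): `User`, `Webapp` and `Job` are stand-in classes, the owner/member fields on `Webapp` are assumptions, the creation-by-token path is left out, and the `JobsAuthorization` module stands in for the `verify_...` hooks a `before_action` would call.

```ruby
require 'securerandom'

User = Struct.new(:id)

# Stand-in for the Webapp model; owner/member fields are assumptions.
Webapp = Struct.new(:id, :owner_id, :member_ids) do
  # who may create jobs for this webapp
  def usable_by?(user)
    !user.nil? && (owner_id == user.id || member_ids.include?(user.id))
  end

  # who may act on any job of this webapp (assumed: the owner only)
  def administrable_by?(user)
    !user.nil? && owner_id == user.id
  end
end

class Job
  attr_reader :id, :user_id, :webapp, :token

  def initialize(id, user_id, webapp)
    @id, @user_id, @webapp = id, user_id, webapp
    @token = SecureRandom.hex(16) # unguessable, unlike the sequential id
  end

  # show/update/destroy rule from the issue: owner of the job, admin of
  # the webapp, or holder of the job token (the link sent for #19)
  def usable_by?(user, token = nil)
    return true if valid_token?(token)
    return false if user.nil?
    user_id == user.id || webapp.administrable_by?(user)
  end

  # constant-time comparison so a token cannot be confirmed byte by byte
  def valid_token?(token)
    return false if token.nil? || token.bytesize != @token.bytesize
    token.bytes.zip(@token.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# What the before_action hooks evaluate; in the controller this would be
#   before_action :verify_job_creation, only: :create
#   before_action :verify_job_access,   only: %i[show update destroy]
module JobsAuthorization
  def self.verify_job_creation(webapp, current_user)
    webapp.usable_by?(current_user)
  end

  def self.verify_job_access(job, current_user, token)
    job.usable_by?(current_user, token)
  end
end
```

A denied check should end in a 403 (or a 404, to avoid confirming that the id exists) before the action body runs.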