From a5366fc2b1582ba817dd7c0533a334fc2f15adb1 Mon Sep 17 00:00:00 2001
From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com>
Date: Sun, 29 Oct 2023 00:26:56 +0000
Subject: [PATCH 1/8] limit routes, conditional views, before action
---
.rake_tasks~ | 74 ++++++++++++++++++++++++++
app/controllers/comments_controller.rb | 8 +++
app/controllers/photos_controller.rb | 7 +++
app/models/comment.rb | 1 +
app/views/photos/_photo.html.erb | 2 +
app/views/users/show.html.erb | 3 ++
config/routes.rb | 10 ++--
7 files changed, 99 insertions(+), 6 deletions(-)
create mode 100644 .rake_tasks~
diff --git a/.rake_tasks~ b/.rake_tasks~
new file mode 100644
index 00000000..4ee8ecb1
--- /dev/null
+++ b/.rake_tasks~
@@ -0,0 +1,74 @@
+about
+action_mailbox:ingress:exim
+action_mailbox:ingress:postfix
+action_mailbox:ingress:qmail
+action_mailbox:install
+action_mailbox:install:migrations
+action_text:install
+action_text:install:migrations
+active_storage:install
+annotate_models
+annotate_routes
+app:template
+app:update
+assets:clean[keep]
+assets:clobber
+assets:environment
+assets:precompile
+cache_digests:dependencies
+cache_digests:nested_dependencies
+db:create
+db:drop
+db:encryption:init
+db:environment:set
+db:fixtures:load
+db:migrate
+db:migrate:down
+db:migrate:redo
+db:migrate:status
+db:migrate:up
+db:prepare
+db:reset
+db:rollback
+db:schema:cache:clear
+db:schema:cache:dump
+db:schema:dump
+db:schema:load
+db:seed
+db:seed:replant
+db:setup
+db:version
+erd
+grade
+grade:all
+grade:next
+grade:reset_token
+grade_runner:runner
+importmap:install
+log:clear
+middleware
+remove_annotation
+remove_routes
+restart
+sample_data
+secret
+spec
+spec:features
+specs:readme
+stats
+stimulus:install
+stimulus:install:importmap
+stimulus:install:node
+test
+test:all
+test:db
+test:system
+time:zones[country_or_offset]
+tmp:clear
+tmp:create
+turbo:install
+turbo:install:importmap
+turbo:install:node
+turbo:install:redis
+yarn:install
+zeitwerk:check
diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 046a8e5d..ebe41025 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -1,5 +1,6 @@
class CommentsController < ApplicationController
before_action :set_comment, only: %i[ show edit update destroy ]
+ before_action :is_an_authorized_user, only: [:destroy, :create]
# GET /comments or /comments.json
def index
@@ -63,6 +64,13 @@ def set_comment
@comment = Comment.find(params[:id])
end
+ def is_an_authorized_user
+ @photo = Photo.find(params.fetch(:comment).fetch(:photo_id))
+ if current_user != @photo.owner && @photo.owner.private? && !current_user.leaders.include?(@photo.owner)
+ redirect_back fallback_location: root_url, alert: "Not authorized"
+ end
+ end
+
# Only allow a list of trusted parameters through.
def comment_params
params.require(:comment).permit(:author_id, :photo_id, :body)
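Review bot: `is_an_authorized_user` reads `params.fetch(:comment).fetch(:photo_id)`, yet it is registered for `destroy` as well, and a `DELETE /comments/:id` carries no `comment` hash, so on destroy the callback raises `ActionController::ParameterMissing` (a 400) instead of making a decision; since `set_comment` has already run for destroy, use the loaded record there, e.g. `@photo = @comment ? @comment.photo : Photo.find(params.fetch(:comment).fetch(:photo_id))`. The condition itself only asks whether the photo is visible to `current_user`, which is the right gate for `create` but not for `destroy`: anyone who can see the photo can delete any comment on it, so destroy additionally needs `current_user == @comment.author || current_user == @photo.owner`. `comment_params` in the context lines still permits `:author_id`, so the author can be chosen by the client unless the action overwrites it with `current_user`. The same callback body is carried unchanged through the re-indent in PATCH 3.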
diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
index 78e53163..b8fe34db 100644
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@@ -1,5 +1,6 @@
class PhotosController < ApplicationController
before_action :set_photo, only: %i[ show edit update destroy ]
+ before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit]
# GET /photos or /photos.json
def index
@@ -63,6 +64,12 @@ def set_photo
@photo = Photo.find(params[:id])
end
+ def ensure_current_user_is_owner
+ if current_user != @photo.owner
+ redirect_back fallback_location: root_url, alert: "You're not authorized for that."
+ end
+ end
+
# Only allow a list of trusted parameters through.
def photo_params
params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id)
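Review bot: `ensure_current_user_is_owner` covers `edit`/`update`/`destroy` but nothing gates `show`, so a private user's photo remains readable by any signed-in user at `/photos/:id` — the partial only hides links, which is not authorization; the visibility rule written in `CommentsController#is_an_authorized_user` is the one that belongs here. `photo_params` (context lines) still permits `:owner_id`, `:comments_count` and `:likes_count`, so an owner who passes this callback can transfer the photo or rewrite the counters through `update`; `permit(:image, :caption)` with the owner set from `current_user` in the action is the safer shape. The callback also depends on `set_photo` having run first, which is true only because it is declared earlier — a one-line comment on the ordering would prevent a reshuffle from breaking it.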
diff --git a/app/models/comment.rb b/app/models/comment.rb
index 14a8eb00..0761b0e8 100644
--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -22,6 +22,7 @@
class Comment < ApplicationRecord
belongs_to :author, class_name: "User", counter_cache: true
belongs_to :photo, counter_cache: true
+ has_one :owner, through: :photo
validates :body, presence: true
end
diff --git a/app/views/photos/_photo.html.erb b/app/views/photos/_photo.html.erb
index f0de50b8..4fcc00d3 100644
--- a/app/views/photos/_photo.html.erb
+++ b/app/views/photos/_photo.html.erb
@@ -7,6 +7,7 @@
+ <% if current_user == photo.owner %>
<%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %>
<% end %>
@@ -14,6 +15,7 @@
<%= link_to photo, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %>
<% end %>
+ <% end %>
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
index 5656d7d5..7ee035f6 100644
--- a/app/views/users/show.html.erb
+++ b/app/views/users/show.html.erb
@@ -4,6 +4,8 @@
+<% if current_user == @user || !@user.private? || current_user.leaders.include?(@user) %>
+
<%= render "users/profile_nav", user: @user %>
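Review bot: The private-profile gate is placed in the template, so it protects only the HTML body of `users#show`: the action itself has already executed, and `users#liked`, `users#feed` and `users#discover` (routed in `config/routes.rb` in this same patch) render `@user`'s data with no such check. Move the decision into `UsersController` as a `before_action` shared by those actions, and keep the template expression only for conditional rendering. The same three-clause expression is duplicated in `CommentsController#is_an_authorized_user`; a single `User#visible_to?(viewer)` would keep the copies from drifting.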
@@ -17,3 +19,4 @@
<% end %>
+<% end %>
diff --git a/config/routes.rb b/config/routes.rb
index 47050a54..c673b13e 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -4,14 +4,12 @@
devise_for :users
resources :comments
- resources :follow_requests
- resources :likes
- resources :photos
+ resources :follow_requests, except: [:index, :show, :new, :edit]
+ resources :likes, only: [:create, :destroy]
+ resources :photos, except: [:index]
get ":username" => "users#show", as: :user
get ":username/liked" => "users#liked", as: :liked
get ":username/feed" => "users#feed", as: :feed
get ":username/discover" => "users#discover", as: :discover
- get ":username/followers" => "users#followers", as: :followers
- get ":username/following" => "users#following", as: :following
-end
\ No newline at end of file
+end
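Review bot: `resources :comments` is left with all seven actions while `likes`, `photos` and `follow_requests` are trimmed, so `GET /comments` and `GET /comments/:id` stay reachable and no callback in this series authorizes them against the photo's visibility; `resources :comments, only: [:create, :update, :destroy]` matches how the app actually uses comments. `resources :photos, except: [:index]` still exposes `show`, which nothing gates until the Pundit work later in the series. Dropping the `followers`/`following` routes also orphans the `followers` and `following` actions still listed in `UsersController`'s `set_user` callback (visible in PATCH 3); remove the actions with the routes or keep the routes.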
From 6da2477125ddd77bbfa9207ff7b9e142d98235df Mon Sep 17 00:00:00 2001
From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com>
Date: Mon, 30 Oct 2023 15:33:34 +0000
Subject: [PATCH 2/8] pundit
---
Gemfile | 2 +
Gemfile.lock | 3 ++
app/controllers/application_controller.rb | 15 +++++++
app/controllers/photos_controller.rb | 9 ++++
app/policies/application_policy.rb | 53 +++++++++++++++++++++++
app/policies/photo_policy.rb | 14 ++++++
app/policies/user_policy.rb | 14 ++++++
app/views/users/show.html.erb | 2 +-
fst | 12 +++++
9 files changed, 123 insertions(+), 1 deletion(-)
create mode 100644 app/policies/application_policy.rb
create mode 100644 app/policies/photo_policy.rb
create mode 100644 app/policies/user_policy.rb
create mode 100644 fst
diff --git a/Gemfile b/Gemfile
index 9eebefb9..0a393dce 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,6 +3,8 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
ruby "3.2.1"
+gem "pundit"
+
gem "simple_form"
# Bundle edge Rails instead: gem "rails", github: "rails/rails", branch: "main"
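Review bot: `gem "pundit"` is added with no version constraint, so the lockfile's `pundit (2.3.1)` is the only thing pinning the authorization layer and a later `bundle update` can silently cross a major version; `gem "pundit", "~> 2.3"` keeps the Gemfile and lock in agreement. It also sits in its own block above `simple_form`; group it with the other application gems.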
diff --git a/Gemfile.lock b/Gemfile.lock
index 42668dd8..e73e59d4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -233,6 +233,8 @@ GEM
public_suffix (5.0.1)
puma (5.6.5)
nio4r (~> 2.0)
+ pundit (2.3.1)
+ activesupport (>= 3.0.0)
racc (1.6.2)
rack (2.2.7)
rack-protection (3.0.6)
@@ -425,6 +427,7 @@ DEPENDENCIES
pg (~> 1.1)
pry-rails
puma (~> 5.0)
+ pundit
rails (~> 7.0.4, >= 7.0.4.3)
rails-erd
rails_db
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index bd664b1d..50055519 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,7 +1,12 @@
class ApplicationController < ActionController::Base
+ include Pundit
+ after_action :verify_authorized, unless: :devise_controller?
+after_action :verify_policy_scoped, only: :index, unless: :devise_controller?
+after_action :verify_policy_scoped, only: :index
before_action :authenticate_user!
before_action :configure_permitted_parameters, if: :devise_controller?
+
protected
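Review bot: `after_action :verify_policy_scoped, only: :index` is registered twice (lines 4–5 of the hunk), and the second copy lacks `unless: :devise_controller?`, so it also fires for Devise controllers; keep only `after_action :verify_policy_scoped, only: :index, unless: :devise_controller?`, indented like its neighbours. `include Pundit` is the pre-2.2 entry point; for the pinned 2.3.1 the documented mixin is `include Pundit::Authorization`. Both `verify_*` guards are now global while this commit adds a single `authorize` call (`PhotosController#show`), so every other non-Devise action will raise `Pundit::AuthorizationNotPerformedError` and the `index` actions (which use `Photo.all`/`Comment.all`, as the PATCH 3 context shows) will raise `PolicyScopingNotPerformedError` — fail-closed is the right default, but each action needs its `authorize`/`policy_scope` before this can merge.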
@@ -9,4 +14,14 @@ def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:username, :private, :name, :bio, :website, :avatar_image])
devise_parameter_sanitizer.permit(:account_update, keys: [:username, :private, :name, :bio, :website, :avatar_image])
end
+
+ rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
+ private
+
+ def user_not_authorized
+ flash[:alert] = "You are not authorized to perform this action."
+
+ redirect_back fallback_location: root_url
+ end
end
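Review bot: `rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized` is a class-level macro, so the `protected`/`private` sections around it have no effect on it, but placing it between them hides it; move it up next to the `after_action` declarations. `user_not_authorized` always answers with `redirect_back`, which is wrong for the `.json` variants the controllers advertise — wrap it in `respond_to` with `format.html { redirect_back fallback_location: root_url }` and `format.json { head :forbidden }`. The handler deliberately does not rescue `Pundit::AuthorizationNotPerformedError`, so a missing `authorize` surfaces as a developer error; a comment saying so, `# Only policy denials are rescued; a missing authorize call must fail loudly.`, would stop a later widening to `Pundit::Error`.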
diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
index b8fe34db..9bf760d1 100644
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@@ -1,6 +1,8 @@
class PhotosController < ApplicationController
before_action :set_photo, only: %i[ show edit update destroy ]
before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit]
+ # before_action :ensure_user_is_authorized, only: [:show]
+
# GET /photos or /photos.json
def index
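Review bot: The commented-out `before_action :ensure_user_is_authorized, only: [:show]` here, and the commented-out `ensure_user_is_authorized` method in the third hunk of this file, should not be committed: the live replacement (`authorize @photo` in `show`) is already in this commit, so the dead copies only leave a second, unchecked authorization path in the source for someone to revive. Delete both blocks.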
@@ -9,6 +11,7 @@ def index
# GET /photos/1 or /photos/1.json
def show
+ authorize @photo
end
# GET /photos/new
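Review bot: `authorize @photo` is added only to `show`; with `after_action :verify_authorized` now global, `index`, `new`, `create`, `edit`, `update` and `destroy` in this controller raise `Pundit::AuthorizationNotPerformedError` for the owner, and for non-owners the `ensure_current_user_is_owner` callback still bypasses the policy entirely. Replace the callback with `authorize @photo` in `edit`/`update`/`destroy`, move the owner rule into `PhotoPolicy#update?`/`destroy?` (`user == photo.owner`), and use `policy_scope(Photo)` in `index`, so there is one authorization mechanism to audit. Only `show` is visible in this hunk; the remaining actions lie outside it.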
@@ -70,6 +73,12 @@ def ensure_current_user_is_owner
end
end
+ # def ensure_user_is_authorized
+ # if !PhotoPolicy.new(current_user, @photo).show?
+ # raise Pundit::NotAuthorizedError, "not allowed"
+ # end
+ # end
+
# Only allow a list of trusted parameters through.
def photo_params
params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id)
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
new file mode 100644
index 00000000..e000cba5
--- /dev/null
+++ b/app/policies/application_policy.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+class ApplicationPolicy
+ attr_reader :user, :record
+
+ def initialize(user, record)
+ @user = user
+ @record = record
+ end
+
+ def index?
+ false
+ end
+
+ def show?
+ false
+ end
+
+ def create?
+ false
+ end
+
+ def new?
+ create?
+ end
+
+ def update?
+ false
+ end
+
+ def edit?
+ update?
+ end
+
+ def destroy?
+ false
+ end
+
+ class Scope
+ def initialize(user, scope)
+ @user = user
+ @scope = scope
+ end
+
+ def resolve
+ raise NotImplementedError, "You must define #resolve in #{self.class}"
+ end
+
+ private
+
+ attr_reader :user, :scope
+ end
+end
diff --git a/app/policies/photo_policy.rb b/app/policies/photo_policy.rb
new file mode 100644
index 00000000..59b58e85
--- /dev/null
+++ b/app/policies/photo_policy.rb
@@ -0,0 +1,14 @@
+class PhotoPolicy
+ attr_reader :user, :photo
+
+ def initialize(user, photo)
+ @user = user
+ @photo = photo
+ end
+
+ def show?
+ user == photo.owner ||
+ !photo.owner.private? ||
+ photo.owner.followers.include?(user)
+ end
+end
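Review bot: `PhotoPolicy` does not inherit from the `ApplicationPolicy` created in this same commit, so any `authorize @photo` outside `show` (`edit?`, `update?`, `destroy?`, `create?`) raises `NoMethodError` rather than a clean `Pundit::NotAuthorizedError`; `class PhotoPolicy < ApplicationPolicy` with `def photo = record` and no custom `initialize` gives fail-closed defaults for every query. `photo.owner.followers.include?(user)` is the right shape only if `followers` contains accepted relationships; if that association is built on `follow_requests` without a status filter, a pending request would already grant access — confirm against the `User` model, which is not in this series. The `||` chain deserves a one-line comment naming the rule: `# visible to the owner, to everyone if the owner is public, or to accepted followers`.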
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
new file mode 100644
index 00000000..bd575717
--- /dev/null
+++ b/app/policies/user_policy.rb
@@ -0,0 +1,14 @@
+class UserPolicy
+ attr_reader :current_user, :user
+
+ def initialize(current_user, user)
+ @current_user = current_user
+ @user = user
+ end
+
+ def show?
+ user == current_user ||
+ !user.private? ||
+ user.followers.include?(current_user)
+ end
+end
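Review bot: `UserPolicy` names the Pundit actor `current_user` and the record `user`, inverting the `user`/`record` convention that `ApplicationPolicy` in this commit establishes, and like `PhotoPolicy` it does not inherit from it, so `authorize(@user)` for any action other than `show` raises `NoMethodError`. Inherit instead — `class UserPolicy < ApplicationPolicy` — keep Pundit's `user` as the actor and expose the record under another name, e.g. `alias_method :profile, :record`, so that only `show?` needs writing here. `show?` here and `PhotoPolicy#show?` encode the same visibility rule; having `PhotoPolicy#show?` delegate to `UserPolicy.new(user, photo.owner).show?` keeps the two from drifting.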
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
index 7ee035f6..fa62ef51 100644
--- a/app/views/users/show.html.erb
+++ b/app/views/users/show.html.erb
@@ -4,7 +4,7 @@
-<% if current_user == @user || !@user.private? || current_user.leaders.include?(@user) %>
+<% if policy(@user).show? %>
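Review bot: `policy(@user).show?` in the template is only a render guard; `users#show` itself still runs unauthorized, and with `verify_authorized` now enforced globally the action raises `AuthorizationNotPerformedError` after rendering. The check belongs in the controller as `authorize @user` in `show` (which also covers non-HTML formats), leaving the view to use `policy(@user).show?` purely for conditional UI. PATCH 3 later adds a blanket `before_action { authorize(@user || User) }`; once that is in, this template condition is redundant.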
diff --git a/fst b/fst
new file mode 100644
index 00000000..12e1f74c
--- /dev/null
+++ b/fst
@@ -0,0 +1,12 @@
+=> [32m#
[0m
From 50f302dc6642e93a0fcb3bb88470309b29ef93bc Mon Sep 17 00:00:00 2001
From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com>
Date: Mon, 30 Oct 2023 21:47:04 +0000
Subject: [PATCH 3/8] adds pundit
---
app/controllers/application_controller.rb | 24 ++++++------
app/controllers/comments_controller.rb | 28 ++++++-------
app/controllers/photos_controller.rb | 48 +++++++++++------------
app/controllers/users_controller.rb | 3 +-
app/policies/photo_policy.rb | 6 +--
app/policies/user_policy.rb | 6 ++-
app/views/photos/_photo.html.erb | 13 +++---
app/views/users/show.html.erb | 21 +++++-----
8 files changed, 76 insertions(+), 73 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 50055519..a9af0a78 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,27 +1,27 @@
class ApplicationController < ActionController::Base
include Pundit
+
after_action :verify_authorized, unless: :devise_controller?
-after_action :verify_policy_scoped, only: :index, unless: :devise_controller?
-after_action :verify_policy_scoped, only: :index
+ after_action :verify_policy_scoped, only: :index, unless: :devise_controller?
+
before_action :authenticate_user!
-
+
before_action :configure_permitted_parameters, if: :devise_controller?
-
protected
-
+
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:username, :private, :name, :bio, :website, :avatar_image])
devise_parameter_sanitizer.permit(:account_update, keys: [:username, :private, :name, :bio, :website, :avatar_image])
end
-
+
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
-
+
private
- def user_not_authorized
- flash[:alert] = "You are not authorized to perform this action."
-
- redirect_back fallback_location: root_url
- end
+ def user_not_authorized
+ flash[:alert] = "You are not authorized to perform this action."
+
+ redirect_back fallback_location: root_url
+ end
end
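Review bot: The surviving `after_action :verify_policy_scoped, only: :index, unless: :devise_controller?` now has teeth, but neither `PhotosController#index` (`@photos = Photo.all` in this patch) nor `CommentsController#index` (`@comments = Comment.all`) calls `policy_scope`, so both index pages raise `Pundit::PolicyScopingNotPerformedError` once this lands; either add `policy_scope(Photo)`/`policy_scope(Comment)` backed by `Scope#resolve` implementations, or drop the guard until scopes exist. `include Pundit` is still the pre-2.2 mixin; `include Pundit::Authorization` is the documented one for the pinned 2.3.1. The rest of the hunk is re-indentation and the `user_not_authorized` body is unchanged.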
diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index ebe41025..c5330e4d 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -1,7 +1,6 @@
class CommentsController < ApplicationController
before_action :set_comment, only: %i[ show edit update destroy ]
before_action :is_an_authorized_user, only: [:destroy, :create]
-
# GET /comments or /comments.json
def index
@comments = Comment.all
@@ -59,20 +58,21 @@ def destroy
end
private
- # Use callbacks to share common setup or constraints between actions.
- def set_comment
- @comment = Comment.find(params[:id])
- end
- def is_an_authorized_user
- @photo = Photo.find(params.fetch(:comment).fetch(:photo_id))
- if current_user != @photo.owner && @photo.owner.private? && !current_user.leaders.include?(@photo.owner)
- redirect_back fallback_location: root_url, alert: "Not authorized"
- end
- end
+ # Use callbacks to share common setup or constraints between actions.
+ def set_comment
+ @comment = Comment.find(params[:id])
+ end
- # Only allow a list of trusted parameters through.
- def comment_params
- params.require(:comment).permit(:author_id, :photo_id, :body)
+ def is_an_authorized_user
+ @photo = Photo.find(params.fetch(:comment).fetch(:photo_id))
+ if current_user != @photo.owner && @photo.owner.private? && !current_user.leaders.include?(@photo.owner)
+ redirect_back fallback_location: root_url, alert: "Not authorized"
end
+ end
+
+ # Only allow a list of trusted parameters through.
+ def comment_params
+ params.require(:comment).permit(:author_id, :photo_id, :body)
+ end
end
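Review bot: Nothing in `CommentsController` calls `authorize`, so with `verify_authorized` global every comment action — including `create` and `destroy`, which this hunk still guards with the hand-rolled `is_an_authorized_user` — raises `Pundit::AuthorizationNotPerformedError` after the callback passes. The callback's `params.fetch(:comment).fetch(:photo_id)` also still fails on `destroy` (no `comment` hash on a DELETE), as noted on PATCH 1. A `CommentPolicy` whose `create?` delegates to `PhotoPolicy.new(user, record.photo).show?` and whose `destroy?` checks `user == record.author || user == record.photo.owner`, with `authorize @comment` in the two actions, replaces the callback and satisfies the guard.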
diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
index 9bf760d1..9222f42a 100644
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@@ -1,9 +1,7 @@
class PhotosController < ApplicationController
before_action :set_photo, only: %i[ show edit update destroy ]
before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit]
- # before_action :ensure_user_is_authorized, only: [:show]
-
-
+
# GET /photos or /photos.json
def index
@photos = Photo.all
@@ -54,33 +52,33 @@ def update
# DELETE /photos/1 or /photos/1.json
def destroy
- @photo.destroy
- respond_to do |format|
- format.html { redirect_back fallback_location: root_url, notice: "Photo was successfully destroyed." }
- format.json { head :no_content }
+ if current_user == @photo.owner
+ @photo.destroy
+
+ respond_to do |format|
+ format.html { redirect_back fallback_location: root_url, notice: "Photo was successfully destroyed." }
+ format.json { head :no_content }
+ end
+ else
+ redirect_back(fallback_location: root_url, notice: "Nice try, but that is not your photo.")
end
end
private
- # Use callbacks to share common setup or constraints between actions.
- def set_photo
- @photo = Photo.find(params[:id])
- end
- def ensure_current_user_is_owner
- if current_user != @photo.owner
- redirect_back fallback_location: root_url, alert: "You're not authorized for that."
- end
- end
-
- # def ensure_user_is_authorized
- # if !PhotoPolicy.new(current_user, @photo).show?
- # raise Pundit::NotAuthorizedError, "not allowed"
- # end
- # end
+ # Use callbacks to share common setup or constraints between actions.
+ def set_photo
+ @photo = Photo.find(params[:id])
+ end
- # Only allow a list of trusted parameters through.
- def photo_params
- params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id)
+ def ensure_current_user_is_owner
+ if current_user != @photo.owner
+ redirect_back fallback_location: root_url, alert: "You're not authorized for that."
end
+ end
+
+ # Only allow a list of trusted parameters through.
+ def photo_params
+ params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id)
+ end
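Review bot: The new `if current_user == @photo.owner` branch in `destroy` is unreachable for non-owners — `ensure_current_user_is_owner` has already redirected them before the action runs — and for owners it duplicates the callback while still never calling `authorize`, so `verify_authorized` raises after the successful delete. Replace both with `authorize @photo` at the top of `destroy` and `def destroy? = user == photo.owner` in `PhotoPolicy`, which also removes the inconsistent `notice:` (the callback uses `alert:`) on a denial. The `"Nice try, but that is not your photo."` message would then be handled by `user_not_authorized`, keeping denial wording in one place.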
end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 31db66e9..80f8c476 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,5 +1,6 @@
class UsersController < ApplicationController
before_action :set_user, only: %i[ show liked feed followers following discover ]
+ before_action { authorize(@user || User) }
private
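Review bot: `before_action { authorize(@user || User) }` dispatches on the action name, so it calls `UserPolicy#show?`, `#liked?`, `#feed?`, `#followers?`, `#following?` and `#discover?`; at this commit only `show?` and `feed?` exist and `ApplicationPolicy` defines none of the others, so `liked`, `followers`, `following` and `discover` raise `NoMethodError` rather than a policy denial (later patches add `discover?` and `liked?`, never `followers?`/`following?`). Either define every query the controller can reach, or remove `followers`/`following` from `set_user`'s `only:` list now that PATCH 1 dropped their routes. `@user || User` also means any action outside `set_user`'s list is authorized against the class, which the policy does not handle; a comment stating which actions are expected to hit the class branch would make that explicit.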
@@ -10,4 +11,4 @@ def set_user
@user = current_user
end
end
-end
\ No newline at end of file
+end
diff --git a/app/policies/photo_policy.rb b/app/policies/photo_policy.rb
index 59b58e85..26c8fe1f 100644
--- a/app/policies/photo_policy.rb
+++ b/app/policies/photo_policy.rb
@@ -1,4 +1,4 @@
-class PhotoPolicy
+class PhotoPolicy < ApplicationPolicy
attr_reader :user, :photo
def initialize(user, photo)
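Review bot: Inheriting from `ApplicationPolicy` while keeping the custom `initialize(user, photo)` and `attr_reader :user, :photo` means `record` is never assigned, so any inherited query later rewritten to use `record` silently sees `nil`; drop the `initialize`/`attr_reader` lines and expose `def photo = record` instead. With the inheritance, `update?`/`edit?`/`destroy?` now return `false`, so an `authorize @photo` in those actions would deny the owner — the controller avoids that only because it still uses the separate owner callback; adding `def update? = user == photo.owner` and `def destroy? = update?` here lets the controller switch to `authorize`.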
@@ -8,7 +8,7 @@ def initialize(user, photo)
def show?
user == photo.owner ||
- !photo.owner.private? ||
- photo.owner.followers.include?(user)
+ !photo.owner.private? ||
+ photo.owner.followers.include?(user)
end
end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index bd575717..e838eb2b 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -1,4 +1,4 @@
-class UserPolicy
+class UserPolicy < ApplicationPolicy
attr_reader :current_user, :user
def initialize(current_user, user)
@@ -6,6 +6,10 @@ def initialize(current_user, user)
@user = user
end
+ def feed?
+ true
+ end
+
def show?
user == current_user ||
!user.private? ||
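Review bot: `feed?` returns `true` unconditionally, which is broader than `show?`: if `users#feed` renders content for an arbitrary `:username`, any signed-in user can read a private user's feed even though that profile is hidden. Unless the feed is meant to be visible only to its owner — in which case `def feed? = user == current_user` — it should at least reuse `show?`. PATCH 4's `discover?` has the same unconditional `true` and needs the same decision.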
diff --git a/app/views/photos/_photo.html.erb b/app/views/photos/_photo.html.erb
index 4fcc00d3..c0106f88 100644
--- a/app/views/photos/_photo.html.erb
+++ b/app/views/photos/_photo.html.erb
@@ -8,14 +8,15 @@
<% if current_user == photo.owner %>
- <%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %>
-
- <% end %>
+ <%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %>
+
+ <% end %>
- <%= link_to photo, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %>
-
- <% end %>
+ <%= link_to photo, method: :delete, class: "btn btn-link btn-sm text-muted" do %>
+
+ <% end %>
<% end %>
+
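Review bot: Changing the delete link from `data: { turbo_method: :delete }` to `method: :delete` switches from Turbo to the rails-ujs `data-method` attribute; the `.rake_tasks~` listing in PATCH 1 shows `turbo:install`/`importmap` tasks, so this is most likely a Rails 7/Turbo app without rails-ujs, in which case the link degrades to a plain `GET /photos/:id` and nothing is deleted. Keep `link_to photo, data: { turbo_method: :delete }, ...`, or use `button_to photo, method: :delete`, which works under both stacks. The `if current_user == photo.owner` wrapper is only a UI hint; the controller check remains the actual gate.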
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
index fa62ef51..ceecc1ed 100644
--- a/app/views/users/show.html.erb
+++ b/app/views/users/show.html.erb
@@ -5,18 +5,17 @@
<% if policy(@user).show? %>
-
-
-
- <%= render "users/profile_nav", user: @user %>
-
-
-
-<% @user.own_photos.each do |photo| %>
-
+
- <%= render "photos/photo", photo: photo %>
+ <%= render "users/profile_nav", user: @user %>
-<% end %>
+
+ <% @user.own_photos.each do |photo| %>
+
+
+ <%= render "photos/photo", photo: photo %>
+
+
+ <% end %>
<% end %>
From 508c85dd76608983d9acb2782fdea06663cca333 Mon Sep 17 00:00:00 2001
From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com>
Date: Mon, 30 Oct 2023 21:57:05 +0000
Subject: [PATCH 4/8] allows user to view feed
---
app/policies/user_policy.rb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index e838eb2b..35bf0bbd 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -5,6 +5,9 @@ def initialize(current_user, user)
@current_user = current_user
@user = user
end
+ def discover?
+ true
+ end
def feed?
true
From 19f9897d63842ef191645aa746f6cf682d3a5344 Mon Sep 17 00:00:00 2001
From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com>
Date: Mon, 30 Oct 2023 22:08:30 +0000
Subject: [PATCH 5/8] I can add posts now
---
app/controllers/photos_controller.rb | 4 ++++
app/policies/photo_policy.rb | 14 +++++++++++---
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
index 9222f42a..6067c43a 100644
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@@ -13,8 +13,11 @@ def show
end
# GET /photos/new
+
+
def new
@photo = Photo.new
+ authorize @photo
end
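Review bot: The two blank lines inserted between `# GET /photos/new` and `def new` detach the route comment from the method it documents; drop them so the comment sits directly above `def new`. `authorize @photo` on a freshly built `Photo.new` reaches `PhotoPolicy#new?`, which in this patch checks only `user.present?` — fine under `authenticate_user!`, but a comment such as `# unsaved record: the policy can only check the actor here` would make the intent clear.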
# GET /photos/1/edit
@@ -25,6 +28,7 @@ def edit
def create
@photo = Photo.new(photo_params)
@photo.owner = current_user
+ authorize @photo
respond_to do |format|
if @photo.save
diff --git a/app/policies/photo_policy.rb b/app/policies/photo_policy.rb
index 26c8fe1f..6064505f 100644
--- a/app/policies/photo_policy.rb
+++ b/app/policies/photo_policy.rb
@@ -1,4 +1,4 @@
-class PhotoPolicy < ApplicationPolicy
+class PhotoPolicy
attr_reader :user, :photo
def initialize(user, photo)
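Review bot: Removing `< ApplicationPolicy` (restored in PATCH 7) drops the fail-closed defaults, so between these two commits `authorize @photo` for `edit`/`update`/`destroy` raises `NoMethodError`; squash PATCH 5 and PATCH 7 so the superclass is never absent in history. The added `new?`/`create?` returning `user.present?` are correct for a signed-in-only app; since `create` sets `@photo.owner = current_user` before calling `authorize`, `create?` could be tightened to `user.present? && photo.owner == user` to catch a future regression where the owner is taken from params.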
@@ -6,9 +6,17 @@ def initialize(user, photo)
@photo = photo
end
+ def new?
+ user.present?
+ end
+
+ def create?
+ new?
+ end
+
def show?
user == photo.owner ||
- !photo.owner.private? ||
- photo.owner.followers.include?(user)
+ !photo.owner.private? ||
+ photo.owner.followers.include?(user)
end
end
From 458bef52b91ab86de7ddc387d2008b253d934a3d Mon Sep 17 00:00:00 2001
From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com>
Date: Mon, 30 Oct 2023 22:15:15 +0000
Subject: [PATCH 6/8] I can add posts now
---
app/controllers/photos_controller.rb | 4 ++++
app/policies/photo_policy.rb | 14 +++++++++++---
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
index 9222f42a..6067c43a 100644
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@@ -13,8 +13,11 @@ def show
end
# GET /photos/new
+
+
def new
@photo = Photo.new
+ authorize @photo
end
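Review bot: PATCH 6 is byte-identical to PATCH 5 — same subject, same `index 9222f42a..6067c43a` and `26c8fe1f..6064505f` blob pairs, same hunks — so it cannot apply on top of it and `git am` will stop here. Drop it from the series, or re-export it if it was meant to carry a different change. The content was reviewed on PATCH 5.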
# GET /photos/1/edit
@@ -25,6 +28,7 @@ def edit
def create
@photo = Photo.new(photo_params)
@photo.owner = current_user
+ authorize @photo
respond_to do |format|
if @photo.save
diff --git a/app/policies/photo_policy.rb b/app/policies/photo_policy.rb
index 26c8fe1f..6064505f 100644
--- a/app/policies/photo_policy.rb
+++ b/app/policies/photo_policy.rb
@@ -1,4 +1,4 @@
-class PhotoPolicy < ApplicationPolicy
+class PhotoPolicy
attr_reader :user, :photo
def initialize(user, photo)
@@ -6,9 +6,17 @@ def initialize(user, photo)
@photo = photo
end
+ def new?
+ user.present?
+ end
+
+ def create?
+ new?
+ end
+
def show?
user == photo.owner ||
- !photo.owner.private? ||
- photo.owner.followers.include?(user)
+ !photo.owner.private? ||
+ photo.owner.followers.include?(user)
end
end
From 6a5da691a42c74c55f53f318cefa91fe47129505 Mon Sep 17 00:00:00 2001
From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com>
Date: Fri, 3 Nov 2023 20:06:44 +0000
Subject: [PATCH 7/8] User can view liked tab
---
app/policies/photo_policy.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/policies/photo_policy.rb b/app/policies/photo_policy.rb
index 6064505f..041a3cc2 100644
--- a/app/policies/photo_policy.rb
+++ b/app/policies/photo_policy.rb
@@ -1,4 +1,4 @@
-class PhotoPolicy
+class PhotoPolicy < ApplicationPolicy
attr_reader :user, :photo
def initialize(user, photo)
From fba4b7b09fe61ec68cb9636ea58b1d22a9f3ec09 Mon Sep 17 00:00:00 2001
From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com>
Date: Fri, 3 Nov 2023 20:09:12 +0000
Subject: [PATCH 8/8] User can view liked tab. Updated user policy
---
app/policies/user_policy.rb | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 35bf0bbd..381cda56 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -18,4 +18,11 @@ def show?
!user.private? ||
user.followers.include?(current_user)
end
+
+ def liked?
+ user == current_user ||
+ !user.private? ||
+ user.followers.include?(current_user)
+ end
+
end
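Review bot: `liked?` repeats the body of `show?` verbatim; `def liked? = show?` (or `alias_method :liked?, :show?`) leaves one visibility rule to maintain, and the stray blank line before the closing `end` should go. The liked tab lists photos `@user` liked, which belong to other owners — if `users#liked` renders them without a per-photo `PhotoPolicy#show?` check, a private owner's photo can leak through another user's likes; confirm against the `liked` action, which is not in this series.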