From a5366fc2b1582ba817dd7c0533a334fc2f15adb1 Mon Sep 17 00:00:00 2001 From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com> Date: Sun, 29 Oct 2023 00:26:56 +0000 Subject: [PATCH 1/8] limit routes, conditional views, before action --- .rake_tasks~ | 74 ++++++++++++++++++++++++++ app/controllers/comments_controller.rb | 8 +++ app/controllers/photos_controller.rb | 7 +++ app/models/comment.rb | 1 + app/views/photos/_photo.html.erb | 2 + app/views/users/show.html.erb | 3 ++ config/routes.rb | 10 ++-- 7 files changed, 99 insertions(+), 6 deletions(-) create mode 100644 .rake_tasks~ diff --git a/.rake_tasks~ b/.rake_tasks~ new file mode 100644 index 00000000..4ee8ecb1 --- /dev/null +++ b/.rake_tasks~ @@ -0,0 +1,74 @@ +about +action_mailbox:ingress:exim +action_mailbox:ingress:postfix +action_mailbox:ingress:qmail +action_mailbox:install +action_mailbox:install:migrations +action_text:install +action_text:install:migrations +active_storage:install +annotate_models +annotate_routes +app:template +app:update +assets:clean[keep] +assets:clobber +assets:environment +assets:precompile +cache_digests:dependencies +cache_digests:nested_dependencies +db:create +db:drop +db:encryption:init +db:environment:set +db:fixtures:load +db:migrate +db:migrate:down +db:migrate:redo +db:migrate:status +db:migrate:up +db:prepare +db:reset +db:rollback +db:schema:cache:clear +db:schema:cache:dump +db:schema:dump +db:schema:load +db:seed +db:seed:replant +db:setup +db:version +erd +grade +grade:all +grade:next +grade:reset_token +grade_runner:runner +importmap:install +log:clear +middleware +remove_annotation +remove_routes +restart +sample_data +secret +spec +spec:features +specs:readme +stats +stimulus:install +stimulus:install:importmap +stimulus:install:node +test +test:all +test:db +test:system +time:zones[country_or_offset] +tmp:clear +tmp:create +turbo:install +turbo:install:importmap +turbo:install:node +turbo:install:redis +yarn:install +zeitwerk:check 
diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb index 046a8e5d..ebe41025 100644 --- a/app/controllers/comments_controller.rb +++ b/app/controllers/comments_controller.rb @@ -1,5 +1,6 @@ class CommentsController < ApplicationController before_action :set_comment, only: %i[ show edit update destroy ] + before_action :is_an_authorized_user, only: [:destroy, :create] # GET /comments or /comments.json def index @@ -63,6 +64,13 @@ def set_comment @comment = Comment.find(params[:id]) end + def is_an_authorized_user + @photo = Photo.find(params.fetch(:comment).fetch(:photo_id)) + if current_user != @photo.owner && @photo.owner.private? && !current_user.leaders.include?(@photo.owner) + redirect_back fallback_location: root_url, alert: "Not authorized" + end + end + # Only allow a list of trusted parameters through. def comment_params params.require(:comment).permit(:author_id, :photo_id, :body) diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb index 78e53163..b8fe34db 100644 --- a/app/controllers/photos_controller.rb +++ b/app/controllers/photos_controller.rb @@ -1,5 +1,6 @@ class PhotosController < ApplicationController before_action :set_photo, only: %i[ show edit update destroy ] + before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit] # GET /photos or /photos.json def index @@ -63,6 +64,12 @@ def set_photo @photo = Photo.find(params[:id]) end + def ensure_current_user_is_owner + if current_user != @photo.owner + redirect_back fallback_location: root_url, alert: "You're not authorized for that." + end + end + # Only allow a list of trusted parameters through. def photo_params params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id) diff --git a/app/models/comment.rb b/app/models/comment.rb index 14a8eb00..0761b0e8 100644 --- a/app/models/comment.rb +++ b/app/models/comment.rb 
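Review bot: `is_an_authorized_user` reads `params.fetch(:comment).fetch(:photo_id)` for both `:create` and `:destroy`, but a DELETE /comments/:id request carries no `comment` hash, so on destroy the callback raises `ActionController::ParameterMissing` before any ownership check runs; since `set_comment` is declared first and does run for destroy, take the photo from the record there, `@photo = @comment ? @comment.photo : Photo.find(params.fetch(:comment).fetch(:photo_id))`. The condition also only decides whether the photo is visible to the viewer and never confirms that `current_user` is the comment's author (or the photo's owner), so any signed-in user who can see the photo could delete anyone's comment on it. `comment_params`, visible at the end of the hunk, still permits `:author_id` from the request, which lets a client attribute a comment to another user; assign `@comment.author = current_user` in `create` and drop `:author_id` from the permit list. The same callback is carried unchanged into PATCH 3/8 (the comments_controller hunk ending on L13); the create and destroy bodies lie outside this hunk.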
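Review bot: `ensure_current_user_is_owner` now protects edit/update/destroy, but `photo_params` at the end of the hunk still permits `:owner_id`, `:comments_count` and `:likes_count`, so an owner can hand the photo to another user or rewrite the counter-cache columns through `update`; `create` (as shown in PATCH 5/8) overwrites `owner` after mass assignment, while `update` is not shown and, if it uses `update(photo_params)` as the scaffold does, accepts a new `owner_id`. Restrict it to `params.require(:photo).permit(:image, :caption)`. `set_photo` is declared before the new callback, so `@photo` is loaded when the check runs; the `update` body itself is outside the hunk.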
@@ -22,6 +22,7 @@ class Comment < ApplicationRecord belongs_to :author, class_name: "User", counter_cache: true belongs_to :photo, counter_cache: true + has_one :owner, through: :photo validates :body, presence: true end diff --git a/app/views/photos/_photo.html.erb b/app/views/photos/_photo.html.erb index f0de50b8..4fcc00d3 100644 --- a/app/views/photos/_photo.html.erb +++ b/app/views/photos/_photo.html.erb @@ -7,6 +7,7 @@
+ <% if current_user == photo.owner %> <%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %> <% end %> @@ -14,6 +15,7 @@ <%= link_to photo, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %> <% end %> + <% end %>
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb index 5656d7d5..7ee035f6 100644 --- a/app/views/users/show.html.erb +++ b/app/views/users/show.html.erb @@ -4,6 +4,8 @@ +<% if current_user == @user || !@user.private? || current_user.leaders.include?(@user) %> +
<%= render "users/profile_nav", user: @user %> @@ -17,3 +19,4 @@
<% end %> +<% end %> diff --git a/config/routes.rb b/config/routes.rb index 47050a54..c673b13e 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -4,14 +4,12 @@ devise_for :users resources :comments - resources :follow_requests - resources :likes - resources :photos + resources :follow_requests, except: [:index, :show, :new, :edit] + resources :likes, only: [:create, :destroy] + resources :photos, except: [:index] get ":username" => "users#show", as: :user get ":username/liked" => "users#liked", as: :liked get ":username/feed" => "users#feed", as: :feed get ":username/discover" => "users#discover", as: :discover - get ":username/followers" => "users#followers", as: :followers - get ":username/following" => "users#following", as: :following -end \ No newline at end of file +end From 6da2477125ddd77bbfa9207ff7b9e142d98235df Mon Sep 17 00:00:00 2001 From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com> Date: Mon, 30 Oct 2023 15:33:34 +0000 Subject: [PATCH 2/8] pundit --- Gemfile | 2 + Gemfile.lock | 3 ++ app/controllers/application_controller.rb | 15 +++++++ app/controllers/photos_controller.rb | 9 ++++ app/policies/application_policy.rb | 53 +++++++++++++++++++++++ app/policies/photo_policy.rb | 14 ++++++ app/policies/user_policy.rb | 14 ++++++ app/views/users/show.html.erb | 2 +- fst | 12 +++++ 9 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 app/policies/application_policy.rb create mode 100644 app/policies/photo_policy.rb create mode 100644 app/policies/user_policy.rb create mode 100644 fst diff --git a/Gemfile b/Gemfile index 9eebefb9..0a393dce 100644 --- a/Gemfile +++ b/Gemfile @@ -3,6 +3,8 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" } ruby "3.2.1" +gem "pundit" + gem "simple_form" # Bundle edge Rails instead: gem "rails", github: "rails/rails", branch: "main" diff --git a/Gemfile.lock b/Gemfile.lock index 42668dd8..e73e59d4 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -233,6 +233,8 @@ GEM public_suffix (5.0.1) puma (5.6.5) nio4r (~> 2.0) + pundit (2.3.1) + activesupport (>= 3.0.0) racc (1.6.2) rack (2.2.7) rack-protection (3.0.6) @@ -425,6 +427,7 @@ DEPENDENCIES pg (~> 1.1) pry-rails puma (~> 5.0) + pundit rails (~> 7.0.4, >= 7.0.4.3) rails-erd rails_db diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index bd664b1d..50055519 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,7 +1,12 @@ class ApplicationController < ActionController::Base + include Pundit + after_action :verify_authorized, unless: :devise_controller? +after_action :verify_policy_scoped, only: :index, unless: :devise_controller? +after_action :verify_policy_scoped, only: :index before_action :authenticate_user! before_action :configure_permitted_parameters, if: :devise_controller? + protected @@ -9,4 +14,14 @@ def configure_permitted_parameters devise_parameter_sanitizer.permit(:sign_up, keys: [:username, :private, :name, :bio, :website, :avatar_image]) devise_parameter_sanitizer.permit(:account_update, keys: [:username, :private, :name, :bio, :website, :avatar_image]) end + + rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized + + private + + def user_not_authorized + flash[:alert] = "You are not authorized to perform this action." + + redirect_back fallback_location: root_url + end end diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb index b8fe34db..9bf760d1 100644 --- a/app/controllers/photos_controller.rb +++ b/app/controllers/photos_controller.rb @@ -1,6 +1,8 @@ class PhotosController < ApplicationController before_action :set_photo, only: %i[ show edit update destroy ] before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit] + # before_action :ensure_user_is_authorized, only: [:show] + # GET /photos or /photos.json def index 
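Review bot: `after_action :verify_policy_scoped, only: :index` is declared twice in the first application_controller hunk, the second copy without `unless: :devise_controller?`, and both new lines sit at column 0 while the rest of the class is indented; keep a single `after_action :verify_policy_scoped, only: :index, unless: :devise_controller?` (PATCH 3/8 does this). With Gemfile.lock pinning pundit 2.3.1, `include Pundit` should, if I recall the 2.2 deprecation correctly, be `include Pundit::Authorization`. Note that `verify_authorized` raises `Pundit::AuthorizationNotPerformedError`, which is not a `Pundit::NotAuthorizedError`, so the new `user_not_authorized` handler will not catch it; that is the right behaviour for a developer mistake, but it means every non-Devise action must now call `authorize` or `skip_authorization`.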
@@ -9,6 +11,7 @@ def index # GET /photos/1 or /photos/1.json def show + authorize @photo end # GET /photos/new @@ -70,6 +73,12 @@ def ensure_current_user_is_owner end end + # def ensure_user_is_authorized + # if !PhotoPolicy.new(current_user, @photo).show? + # raise Pundit::NotAuthorizedError, "not allowed" + # end + # end + # Only allow a list of trusted parameters through. def photo_params params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id) diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb new file mode 100644 index 00000000..e000cba5 --- /dev/null +++ b/app/policies/application_policy.rb @@ -0,0 +1,53 @@ +# frozen_string_literal: true + +class ApplicationPolicy + attr_reader :user, :record + + def initialize(user, record) + @user = user + @record = record + end + + def index? + false + end + + def show? + false + end + + def create? + false + end + + def new? + create? + end + + def update? + false + end + + def edit? + update? + end + + def destroy? + false + end + + class Scope + def initialize(user, scope) + @user = user + @scope = scope + end + + def resolve + raise NotImplementedError, "You must define #resolve in #{self.class}" + end + + private + + attr_reader :user, :scope + end +end diff --git a/app/policies/photo_policy.rb b/app/policies/photo_policy.rb new file mode 100644 index 00000000..59b58e85 --- /dev/null +++ b/app/policies/photo_policy.rb @@ -0,0 +1,14 @@ +class PhotoPolicy + attr_reader :user, :photo + + def initialize(user, photo) + @user = user + @photo = photo + end + + def show? + user == photo.owner || + !photo.owner.private? || + photo.owner.followers.include?(user) + end +end diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb new file mode 100644 index 00000000..bd575717 --- /dev/null +++ b/app/policies/user_policy.rb 
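Review bot: `authorize @photo` is added only to `show`, yet ApplicationController now runs `verify_authorized` after every action; `edit`, `update` and `destroy` still rely on the `ensure_current_user_is_owner` redirect alone, so as far as I can tell a successful owner edit/update/destroy ends in `Pundit::AuthorizationNotPerformedError` (a 500, since `user_not_authorized` only rescues `NotAuthorizedError`) after the redirect has already been set. PATCH 5/8 later adds `authorize @photo` to `new` and `create`, but the owner-only actions never get it, including the reworked `destroy` in PATCH 3/8 (hunk ending on L14); move the owner test into `PhotoPolicy#update?`/`destroy?` (`user == photo.owner`) and call `authorize @photo` in those actions, dropping the redirect callback. The commented-out `ensure_user_is_authorized` duplicates what `authorize` already does and should not be committed. The action bodies are outside this hunk.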
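Review bot: `PhotoPolicy#show?` grants access to a private owner's photo when `photo.owner.followers.include?(user)`, and whether `followers` is scoped to accepted follow requests is not visible in this patch; if the association also yields pending requests, merely requesting to follow a private account would be enough to see its photos, so confirm the association's scope on `User`. PATCH 1/8's view made the same decision with `current_user.leaders.include?(@user)`; the two associations must agree or the controller callback and the policy will disagree about the same photo. `PhotoPolicy` also does not inherit `ApplicationPolicy` here, so any `authorize` for `edit?`/`update?`/`destroy?` would raise `NoMethodError` rather than deny (PATCH 3/8 adds the superclass).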
@@ -0,0 +1,14 @@ +class UserPolicy + attr_reader :current_user, :user + + def initialize(current_user, user) + @current_user = current_user + @user = user + end + + def show? + user == current_user || + !user.private? || + user.followers.include?(current_user) + end +end diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb index 7ee035f6..fa62ef51 100644 --- a/app/views/users/show.html.erb +++ b/app/views/users/show.html.erb @@ -4,7 +4,7 @@ -<% if current_user == @user || !@user.private? || current_user.leaders.include?(@user) %> +<% if policy(@user).show? %>
diff --git a/fst b/fst new file mode 100644 index 00000000..12e1f74c --- /dev/null +++ b/fst @@ -0,0 +1,12 @@ +=> # From 50f302dc6642e93a0fcb3bb88470309b29ef93bc Mon Sep 17 00:00:00 2001 From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com> Date: Mon, 30 Oct 2023 21:47:04 +0000 Subject: [PATCH 3/8] adds pundit --- app/controllers/application_controller.rb | 24 ++++++------ app/controllers/comments_controller.rb | 28 ++++++------- app/controllers/photos_controller.rb | 48 +++++++++++------------ app/controllers/users_controller.rb | 3 +- app/policies/photo_policy.rb | 6 +-- app/policies/user_policy.rb | 6 ++- app/views/photos/_photo.html.erb | 13 +++--- app/views/users/show.html.erb | 21 +++++----- 8 files changed, 76 insertions(+), 73 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 50055519..a9af0a78 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb 
@@ -1,27 +1,27 @@ class ApplicationController < ActionController::Base include Pundit + after_action :verify_authorized, unless: :devise_controller? -after_action :verify_policy_scoped, only: :index, unless: :devise_controller? -after_action :verify_policy_scoped, only: :index + after_action :verify_policy_scoped, only: :index, unless: :devise_controller? + before_action :authenticate_user! - + before_action :configure_permitted_parameters, if: :devise_controller? - protected - + def configure_permitted_parameters devise_parameter_sanitizer.permit(:sign_up, keys: [:username, :private, :name, :bio, :website, :avatar_image]) devise_parameter_sanitizer.permit(:account_update, keys: [:username, :private, :name, :bio, :website, :avatar_image]) end - + rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized - + private - def user_not_authorized - flash[:alert] = "You are not authorized to perform this action." - - redirect_back fallback_location: root_url - end + def user_not_authorized + flash[:alert] = "You are not authorized to perform this action." + + redirect_back fallback_location: root_url + end end diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb index ebe41025..c5330e4d 100644 --- a/app/controllers/comments_controller.rb +++ b/app/controllers/comments_controller.rb @@ -1,7 +1,6 @@ class CommentsController < ApplicationController before_action :set_comment, only: %i[ show edit update destroy ] before_action :is_an_authorized_user, only: [:destroy, :create] - # GET /comments or /comments.json def index @comments = Comment.all 
@@ -59,20 +58,21 @@ def destroy end private - # Use callbacks to share common setup or constraints between actions. - def set_comment - @comment = Comment.find(params[:id]) - end - def is_an_authorized_user - @photo = Photo.find(params.fetch(:comment).fetch(:photo_id)) - if current_user != @photo.owner && @photo.owner.private? && !current_user.leaders.include?(@photo.owner) - redirect_back fallback_location: root_url, alert: "Not authorized" - end - end + # Use callbacks to share common setup or constraints between actions. + def set_comment + @comment = Comment.find(params[:id]) + end - # Only allow a list of trusted parameters through. - def comment_params - params.require(:comment).permit(:author_id, :photo_id, :body) + def is_an_authorized_user + @photo = Photo.find(params.fetch(:comment).fetch(:photo_id)) + if current_user != @photo.owner && @photo.owner.private? && !current_user.leaders.include?(@photo.owner) + redirect_back fallback_location: root_url, alert: "Not authorized" end + end + + # Only allow a list of trusted parameters through. + def comment_params + params.require(:comment).permit(:author_id, :photo_id, :body) + end end diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb index 9bf760d1..9222f42a 100644 --- a/app/controllers/photos_controller.rb +++ b/app/controllers/photos_controller.rb @@ -1,9 +1,7 @@ class PhotosController < ApplicationController before_action :set_photo, only: %i[ show edit update destroy ] before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit] - # before_action :ensure_user_is_authorized, only: [:show] - - + # GET /photos or /photos.json def index @photos = Photo.all 
@@ -54,33 +52,33 @@ def update # DELETE /photos/1 or /photos/1.json def destroy - @photo.destroy - respond_to do |format| - format.html { redirect_back fallback_location: root_url, notice: "Photo was successfully destroyed." } - format.json { head :no_content } + if current_user == @photo.owner + @photo.destroy + + respond_to do |format| + format.html { redirect_back fallback_location: root_url, notice: "Photo was successfully destroyed." } + format.json { head :no_content } + end + else + redirect_back(fallback_location: root_url, notice: "Nice try, but that is not your photo.") end end private - # Use callbacks to share common setup or constraints between actions. - def set_photo - @photo = Photo.find(params[:id]) - end - def ensure_current_user_is_owner - if current_user != @photo.owner - redirect_back fallback_location: root_url, alert: "You're not authorized for that." - end - end - - # def ensure_user_is_authorized - # if !PhotoPolicy.new(current_user, @photo).show? - # raise Pundit::NotAuthorizedError, "not allowed" - # end - # end + # Use callbacks to share common setup or constraints between actions. + def set_photo + @photo = Photo.find(params[:id]) + end - # Only allow a list of trusted parameters through. - def photo_params - params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id) + def ensure_current_user_is_owner + if current_user != @photo.owner + redirect_back fallback_location: root_url, alert: "You're not authorized for that." end + end + + # Only allow a list of trusted parameters through. + def photo_params + params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id) + end end diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 31db66e9..80f8c476 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb 
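Review bot: The new `if current_user == @photo.owner` in `destroy` duplicates `ensure_current_user_is_owner`, which already redirects non-owners before the action runs, so the `else` branch is unreachable; and its message is sent as `notice:` while the callback and `user_not_authorized` use `alert:`. Remove the branch and let the policy decide: `authorize @photo` as the first line of `destroy`, with `PhotoPolicy#destroy?` returning `user == photo.owner`. Without an `authorize` or `skip_authorization` call here, the owner's own delete still trips the application-wide `verify_authorized` after_action once the redirect is set. The remainder of `update` starts outside this hunk.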
@@ -1,5 +1,6 @@ class UsersController < ApplicationController before_action :set_user, only: %i[ show liked feed followers following discover ] + before_action { authorize(@user || User) } private @@ -10,4 +11,4 @@ def set_user @user = current_user end end -end \ No newline at end of file +end diff --git a/app/policies/photo_policy.rb b/app/policies/photo_policy.rb index 59b58e85..26c8fe1f 100644 --- a/app/policies/photo_policy.rb +++ b/app/policies/photo_policy.rb @@ -1,4 +1,4 @@ -class PhotoPolicy +class PhotoPolicy < ApplicationPolicy attr_reader :user, :photo def initialize(user, photo) @@ -8,7 +8,7 @@ def initialize(user, photo) def show? user == photo.owner || - !photo.owner.private? || - photo.owner.followers.include?(user) + !photo.owner.private? || + photo.owner.followers.include?(user) end end diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index bd575717..e838eb2b 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb @@ -1,4 +1,4 @@ -class UserPolicy +class UserPolicy < ApplicationPolicy attr_reader :current_user, :user def initialize(current_user, user) @@ -6,6 +6,10 @@ def initialize(current_user, user) @user = user end + def feed? + true + end + def show? user == current_user || !user.private? || diff --git a/app/views/photos/_photo.html.erb b/app/views/photos/_photo.html.erb index 4fcc00d3..c0106f88 100644 --- a/app/views/photos/_photo.html.erb +++ b/app/views/photos/_photo.html.erb @@ -8,14 +8,15 @@
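Review bot: `before_action { authorize(@user || User) }` derives the policy query from `action_name`, so every action this controller serves needs a matching `UserPolicy` predicate; `set_user` still lists `followers` and `following` (their routes were removed in PATCH 1/8) and `UserPolicy` defines neither, so reaching them would raise `NoMethodError` rather than produce a clean denial — either drop them from `only:` or add `def followers? = show?` and `def following? = show?`. When `@user` is nil the class `User` is passed and `show?` would call `User.private?`, which does not exist on the class; since `set_user` appears to fall back to `current_user` that path looks unreachable, but `authorize(@user)` alone states the intent. `set_user` itself is outside the hunk.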
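Review bot: `UserPolicy#feed?` returns `true` unconditionally while `show?` keeps private profiles to self, followers and public accounts, so `/:username/feed` for a private user is open to every signed-in user (PATCH 4/8 on L29 does the same for `discover?`); if those pages render the profile owner's timeline — which this patch does not show — they disclose what a private account follows. Either `def feed? = show?` or, if a feed is meant for its owner only, `user == current_user`. With `< ApplicationPolicy` now added, the base class's `user` is the acting user and `record` the target, but this subclass redefines `user` as the target and never sets `record`; adopting the base convention (`initialize(user, record)`, then `record == user || !record.private? || record.followers.include?(user)`) removes the inverted meaning. The same applies to `PhotoPolicy` in this patch, whose `initialize(user, photo)` override leaves the inherited `record` nil; `def photo = record` on top of the base initializer would suffice.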
<% if current_user == photo.owner %> - <%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %> - - <% end %> + <%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %> + + <% end %> - <%= link_to photo, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %> - - <% end %> + <%= link_to photo, method: :delete, class: "btn btn-link btn-sm text-muted" do %> + + <% end %> <% end %> +
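Review bot: The delete link is changed from `data: { turbo_method: :delete }` to `method: :delete`; on Rails 7 (Gemfile.lock pins `rails (~> 7.0.4, >= 7.0.4.3)`) `method:` only emits `data-method`, which is honoured by rails-ujs and not by Turbo, so unless rails-ujs is still loaded the click becomes a plain GET of `photo_path` and the photo is shown instead of destroyed. Keep `data: { turbo_method: :delete }` (or use `button_to photo, method: :delete`, which submits a real form). The markup around the links is not visible in this extraction, so the surrounding structure could not be checked.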
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb index fa62ef51..ceecc1ed 100644 --- a/app/views/users/show.html.erb +++ b/app/views/users/show.html.erb @@ -5,18 +5,17 @@
<% if policy(@user).show? %> - -
-
- <%= render "users/profile_nav", user: @user %> -
-
- -<% @user.own_photos.each do |photo| %> -
+
- <%= render "photos/photo", photo: photo %> + <%= render "users/profile_nav", user: @user %>
-<% end %> + + <% @user.own_photos.each do |photo| %> +
+
+ <%= render "photos/photo", photo: photo %> +
+
+ <% end %> <% end %> From 508c85dd76608983d9acb2782fdea06663cca333 Mon Sep 17 00:00:00 2001 From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com> Date: Mon, 30 Oct 2023 21:57:05 +0000 Subject: [PATCH 4/8] allows user to view feed --- app/policies/user_policy.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index e838eb2b..35bf0bbd 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb @@ -5,6 +5,9 @@ def initialize(current_user, user) @current_user = current_user @user = user end + def discover? + true + end def feed? true From 19f9897d63842ef191645aa746f6cf682d3a5344 Mon Sep 17 00:00:00 2001 From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com> Date: Mon, 30 Oct 2023 22:08:30 +0000 Subject: [PATCH 5/8] I can add posts now --- app/controllers/photos_controller.rb | 4 ++++ app/policies/photo_policy.rb | 14 +++++++++++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb index 9222f42a..6067c43a 100644 --- a/app/controllers/photos_controller.rb +++ b/app/controllers/photos_controller.rb @@ -13,8 +13,11 @@ def show end # GET /photos/new + + def new @photo = Photo.new + authorize @photo end # GET /photos/1/edit @@ -25,6 +28,7 @@ def edit def create @photo = Photo.new(photo_params) @photo.owner = current_user + authorize @photo respond_to do |format| if @photo.save diff --git a/app/policies/photo_policy.rb b/app/policies/photo_policy.rb index 26c8fe1f..6064505f 100644 --- a/app/policies/photo_policy.rb +++ b/app/policies/photo_policy.rb @@ -1,4 +1,4 @@ -class PhotoPolicy < ApplicationPolicy +class PhotoPolicy attr_reader :user, :photo def initialize(user, photo) 
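Review bot: The photo_policy hunk removes `< ApplicationPolicy` from `PhotoPolicy` (added in PATCH 3/8 and restored in PATCH 7/8), which drops the default `update?`/`edit?`/`destroy?` predicates, and PATCH 6/8 repeats this commit verbatim (same `index 9222f42a..6067c43a` lines), so the series cannot apply as posted. `new?` guarding on `user.present?` is redundant with `before_action :authenticate_user!` but harmless. In the photos_controller hunk, the two blank lines inserted between `# GET /photos/new` and `def new` detach the comment from its method and should be dropped; `authorize @photo` in `create` is placed before validation, which is correct, while `update` (outside the hunk) still has no `authorize` call.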
@@ -6,9 +6,17 @@ def initialize(user, photo) @photo = photo end + def new? + user.present? + end + + def create? + new? + end + def show? user == photo.owner || - !photo.owner.private? || - photo.owner.followers.include?(user) + !photo.owner.private? || + photo.owner.followers.include?(user) end end From 458bef52b91ab86de7ddc387d2008b253d934a3d Mon Sep 17 00:00:00 2001 From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com> Date: Mon, 30 Oct 2023 22:15:15 +0000 Subject: [PATCH 6/8] I can add posts now --- app/controllers/photos_controller.rb | 4 ++++ app/policies/photo_policy.rb | 14 +++++++++++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb index 9222f42a..6067c43a 100644 --- a/app/controllers/photos_controller.rb +++ b/app/controllers/photos_controller.rb @@ -13,8 +13,11 @@ def show end # GET /photos/new + + def new @photo = Photo.new + authorize @photo end # GET /photos/1/edit @@ -25,6 +28,7 @@ def edit def create @photo = Photo.new(photo_params) @photo.owner = current_user + authorize @photo respond_to do |format| if @photo.save diff --git a/app/policies/photo_policy.rb b/app/policies/photo_policy.rb index 26c8fe1f..6064505f 100644 --- a/app/policies/photo_policy.rb +++ b/app/policies/photo_policy.rb @@ -1,4 +1,4 @@ -class PhotoPolicy < ApplicationPolicy +class PhotoPolicy attr_reader :user, :photo def initialize(user, photo) @@ -6,9 +6,17 @@ def initialize(user, photo) @photo = photo end + def new? + user.present? + end + + def create? + new? + end + def show? user == photo.owner || - !photo.owner.private? || - photo.owner.followers.include?(user) + !photo.owner.private? || + photo.owner.followers.include?(user) end end From 6a5da691a42c74c55f53f318cefa91fe47129505 Mon Sep 17 00:00:00 2001 
From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com> Date: Fri, 3 Nov 2023 20:06:44 +0000 Subject: [PATCH 7/8] User can view liked tab --- app/policies/photo_policy.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/policies/photo_policy.rb b/app/policies/photo_policy.rb index 6064505f..041a3cc2 100644 --- a/app/policies/photo_policy.rb +++ b/app/policies/photo_policy.rb @@ -1,4 +1,4 @@ -class PhotoPolicy +class PhotoPolicy < ApplicationPolicy attr_reader :user, :photo def initialize(user, photo) From fba4b7b09fe61ec68cb9636ea58b1d22a9f3ec09 Mon Sep 17 00:00:00 2001 From: Samuel Lubliner <74507133+Samuel-Lubliner@users.noreply.github.com> Date: Fri, 3 Nov 2023 20:09:12 +0000 Subject: [PATCH 8/8] User can view liked tab. Updated user policy --- app/policies/user_policy.rb | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index 35bf0bbd..381cda56 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb @@ -18,4 +18,11 @@ def show? !user.private? || user.followers.include?(current_user) end + + def liked? + user == current_user || + !user.private? || + user.followers.include?(current_user) + end + end
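Review bot: `liked?` repeats the body of `show?` verbatim; express the dependency instead so the two cannot drift, `def liked? = show?` (or `alias liked? show?`), and drop the blank line before the closing `end`. `followers.include?(current_user)` names the acting user `current_user` while the inherited `ApplicationPolicy` calls it `user`, so anyone extending this class with the base convention will reference the wrong object; the hunk shows only the policy's tail, so the initializer is outside this view.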