Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

auth #18

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

auth #18

Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
74 changes: 74 additions & 0 deletions .rake_tasks~
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
about
action_mailbox:ingress:exim
action_mailbox:ingress:postfix
action_mailbox:ingress:qmail
action_mailbox:install
action_mailbox:install:migrations
action_text:install
action_text:install:migrations
active_storage:install
annotate_models
annotate_routes
app:template
app:update
assets:clean[keep]
assets:clobber
assets:environment
assets:precompile
cache_digests:dependencies
cache_digests:nested_dependencies
db:create
db:drop
db:encryption:init
db:environment:set
db:fixtures:load
db:migrate
db:migrate:down
db:migrate:redo
db:migrate:status
db:migrate:up
db:prepare
db:reset
db:rollback
db:schema:cache:clear
db:schema:cache:dump
db:schema:dump
db:schema:load
db:seed
db:seed:replant
db:setup
db:version
erd
grade
grade:all
grade:next
grade:reset_token
grade_runner:runner
importmap:install
log:clear
middleware
remove_annotation
remove_routes
restart
sample_data
secret
spec
spec:features
specs:readme
stats
stimulus:install
stimulus:install:importmap
stimulus:install:node
test
test:all
test:db
test:system
time:zones[country_or_offset]
tmp:clear
tmp:create
turbo:install
turbo:install:importmap
turbo:install:node
turbo:install:redis
yarn:install
zeitwerk:check
2 changes: 2 additions & 0 deletions Gemfile
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }

ruby "3.2.1"

gem "pundit"

gem "simple_form"

# Bundle edge Rails instead: gem "rails", github: "rails/rails", branch: "main"
Expand Down
3 changes: 3 additions & 0 deletions Gemfile.lock
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,8 @@ GEM
public_suffix (5.0.1)
puma (5.6.5)
nio4r (~> 2.0)
pundit (2.3.1)
activesupport (>= 3.0.0)
racc (1.6.2)
rack (2.2.7)
rack-protection (3.0.6)
Expand Down Expand Up @@ -425,6 +427,7 @@ DEPENDENCIES
pg (~> 1.1)
pry-rails
puma (~> 5.0)
pundit
rails (~> 7.0.4, >= 7.0.4.3)
rails-erd
rails_db
Expand Down
21 changes: 18 additions & 3 deletions app/controllers/application_controller.rb
Original file line number Diff line number Diff line change
@@ -1,12 +1,27 @@
class ApplicationController < ActionController::Base
include Pundit

after_action :verify_authorized, unless: :devise_controller?
after_action :verify_policy_scoped, only: :index, unless: :devise_controller?

before_action :authenticate_user!

before_action :configure_permitted_parameters, if: :devise_controller?

protected

def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:username, :private, :name, :bio, :website, :avatar_image])
devise_parameter_sanitizer.permit(:account_update, keys: [:username, :private, :name, :bio, :website, :avatar_image])
end

rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized

private

def user_not_authorized
flash[:alert] = "You are not authorized to perform this action."

redirect_back fallback_location: root_url
end
end
24 changes: 16 additions & 8 deletions app/controllers/comments_controller.rb
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
class CommentsController < ApplicationController
before_action :set_comment, only: %i[ show edit update destroy ]

before_action :is_an_authorized_user, only: [:destroy, :create]
# GET /comments or /comments.json
def index
@comments = Comment.all
Expand Down Expand Up @@ -58,13 +58,21 @@ def destroy
end

private
# Use callbacks to share common setup or constraints between actions.
def set_comment
@comment = Comment.find(params[:id])
end

# Only allow a list of trusted parameters through.
def comment_params
params.require(:comment).permit(:author_id, :photo_id, :body)
# Use callbacks to share common setup or constraints between actions.
def set_comment
@comment = Comment.find(params[:id])
end

def is_an_authorized_user
@photo = Photo.find(params.fetch(:comment).fetch(:photo_id))
if current_user != @photo.owner && @photo.owner.private? && !current_user.leaders.include?(@photo.owner)
redirect_back fallback_location: root_url, alert: "Not authorized"
end
end

# Only allow a list of trusted parameters through.
def comment_params
params.require(:comment).permit(:author_id, :photo_id, :body)
end
end
42 changes: 30 additions & 12 deletions app/controllers/photos_controller.rb
Original file line number Diff line number Diff line change
@@ -1,18 +1,23 @@
class PhotosController < ApplicationController
before_action :set_photo, only: %i[ show edit update destroy ]

before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit]

# GET /photos or /photos.json
def index
@photos = Photo.all
end

# GET /photos/1 or /photos/1.json
def show
authorize @photo
end

# GET /photos/new


def new
@photo = Photo.new
authorize @photo
end

# GET /photos/1/edit
Expand All @@ -23,6 +28,7 @@ def edit
def create
@photo = Photo.new(photo_params)
@photo.owner = current_user
authorize @photo

respond_to do |format|
if @photo.save
Expand Down Expand Up @@ -50,21 +56,33 @@ def update

# DELETE /photos/1 or /photos/1.json
def destroy
@photo.destroy
respond_to do |format|
format.html { redirect_back fallback_location: root_url, notice: "Photo was successfully destroyed." }
format.json { head :no_content }
if current_user == @photo.owner
@photo.destroy

respond_to do |format|
format.html { redirect_back fallback_location: root_url, notice: "Photo was successfully destroyed." }
format.json { head :no_content }
end
else
redirect_back(fallback_location: root_url, notice: "Nice try, but that is not your photo.")
end
end

private
# Use callbacks to share common setup or constraints between actions.
def set_photo
@photo = Photo.find(params[:id])
end

# Only allow a list of trusted parameters through.
def photo_params
params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id)
# Use callbacks to share common setup or constraints between actions.
def set_photo
@photo = Photo.find(params[:id])
end

def ensure_current_user_is_owner
if current_user != @photo.owner
redirect_back fallback_location: root_url, alert: "You're not authorized for that."
end
end

# Only allow a list of trusted parameters through.
def photo_params
params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id)
end
end
3 changes: 2 additions & 1 deletion app/controllers/users_controller.rb
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
class UsersController < ApplicationController
before_action :set_user, only: %i[ show liked feed followers following discover ]
before_action { authorize(@user || User) }

private

Expand All @@ -10,4 +11,4 @@ def set_user
@user = current_user
end
end
end
end
1 change: 1 addition & 0 deletions app/models/comment.rb
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
class Comment < ApplicationRecord
belongs_to :author, class_name: "User", counter_cache: true
belongs_to :photo, counter_cache: true
has_one :owner, through: :photo

validates :body, presence: true
end
53 changes: 53 additions & 0 deletions app/policies/application_policy.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# frozen_string_literal: true

class ApplicationPolicy
attr_reader :user, :record

def initialize(user, record)
@user = user
@record = record
end

def index?
false
end

def show?
false
end

def create?
false
end

def new?
create?
end

def update?
false
end

def edit?
update?
end

def destroy?
false
end

class Scope
def initialize(user, scope)
@user = user
@scope = scope
end

def resolve
raise NotImplementedError, "You must define #resolve in #{self.class}"
end

private

attr_reader :user, :scope
end
end
22 changes: 22 additions & 0 deletions app/policies/photo_policy.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
class PhotoPolicy < ApplicationPolicy
attr_reader :user, :photo

def initialize(user, photo)
@user = user
@photo = photo
end

def new?
user.present?
end

def create?
new?
end

def show?
user == photo.owner ||
!photo.owner.private? ||
photo.owner.followers.include?(user)
end
end
28 changes: 28 additions & 0 deletions app/policies/user_policy.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
class UserPolicy < ApplicationPolicy
attr_reader :current_user, :user

def initialize(current_user, user)
@current_user = current_user
@user = user
end
def discover?
true
end

def feed?
true
end

def show?
user == current_user ||
!user.private? ||
user.followers.include?(current_user)
end

def liked?
user == current_user ||
!user.private? ||
user.followers.include?(current_user)
end

end
13 changes: 8 additions & 5 deletions app/views/photos/_photo.html.erb
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,16 @@
</h2>

<div>
<%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %>
<i class="fas fa-edit fa-fw"></i>
<% end %>
<% if current_user == photo.owner %>
<%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %>
<i class="fas fa-edit fa-fw"></i>
<% end %>

<%= link_to photo, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %>
<i class="fas fa-trash fa-fw"></i>
<%= link_to photo, method: :delete, class: "btn btn-link btn-sm text-muted" do %>
<i class="fas fa-trash fa-fw"></i>
<% end %>
<% end %>

</div>
</div>

Expand Down
Loading