Jr add pundit

Gemfile

@@ -3,6 +3,8 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 ruby "3.2.1"
 
+gem "pundit", "~> 2.3"
+
 gem "simple_form"
 
 # Bundle edge Rails instead: gem "rails", github: "rails/rails", branch: "main"

Gemfile.lock

@@ -235,6 +235,8 @@ GEM
     public_suffix (5.0.4)
     puma (5.6.7)
       nio4r (~> 2.0)
+    pundit (2.3.1)
+      activesupport (>= 3.0.0)
     racc (1.6.2)
     rack (2.2.8)
     rack-protection (3.0.6)
@@ -427,6 +429,7 @@ DEPENDENCIES
   pg (~> 1.1)
   pry-rails
   puma (~> 5.0)
+  pundit (~> 2.3)
   rails (~> 7.0.4, >= 7.0.4.3)
   rails-erd
   rails_db

app/controllers/application_controller.rb

@@ -1,12 +1,31 @@
 class ApplicationController < ActionController::Base
-  before_action :authenticate_user!
 
+  before_action :authenticate_user!
   before_action :configure_permitted_parameters, if: :devise_controller?
 
+  # step 13 : add after you create your policies to authorize in all controllers
+
+   after_action :verify_authorized, unless: :devise_controller?
+  after_action :verify_policy_scoped, only: :index, unless: :devise_controller?
+
+  include Pundit::Authorization
+
+
+
   protected
 
   def configure_permitted_parameters
     devise_parameter_sanitizer.permit(:sign_up, keys: [:username, :private, :name, :bio, :website, :avatar_image])
     devise_parameter_sanitizer.permit(:account_update, keys: [:username, :private, :name, :bio, :website, :avatar_image])
   end
+
+   rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
+  private
+
+  def user_not_authorized
+    flash[:alert] = "You are not authorized to perform this action."
+    redirect_back(fallback_location: root_path)
+  end
+
 end

app/controllers/comments_controller.rb

@@ -1,6 +1,9 @@
 class CommentsController < ApplicationController
+
   before_action :set_comment, only: %i[ show edit update destroy ]
 
+  before_action { authorize (@comment || Comment )}
+
   # GET /comments or /comments.json
   def index
     @comments = Comment.all
@@ -58,13 +61,16 @@ def destroy
   end
 
   private
-    # Use callbacks to share common setup or constraints between actions.
-    def set_comment
-      @comment = Comment.find(params[:id])
-    end
 
-    # Only allow a list of trusted parameters through.
-    def comment_params
-      params.require(:comment).permit(:author_id, :photo_id, :body)
-    end
+  # Use callbacks to share common setup or constraints between actions.
+  def set_comment
+    @comment = Comment.find(params[:id])
+  end
+
+
+  # Only allow a list of trusted parameters through.
+  def comment_params
+    params.require(:comment).permit(:author_id, :photo_id, :body)
+  end
+
 end

app/controllers/follow_requests_controller.rb

@@ -1,5 +1,6 @@
 class FollowRequestsController < ApplicationController
   before_action :set_follow_request, only: %i[ show edit update destroy ]
+  before_action { authorize @follow_request || FollowRequest }
 
   # GET /follow_requests or /follow_requests.json
   def index
@@ -24,6 +25,7 @@ def create
     @follow_request = FollowRequest.new(follow_request_params)
     @follow_request.sender = current_user
 
+
     respond_to do |format|
       if @follow_request.save
         format.html { redirect_back fallback_location: root_url, notice: "Follow request was successfully created." }
@@ -66,5 +68,6 @@ def set_follow_request
     # Only allow a list of trusted parameters through.
     def follow_request_params
       params.require(:follow_request).permit(:recipient_id, :sender_id, :status)
-    end
+      end
+
 end

app/controllers/photos_controller.rb

@@ -1,11 +1,12 @@
 class PhotosController < ApplicationController
-  before_action :set_photo, only: %i[ show edit update destroy ]
+  before_action :set_photo, only: %i[show edit update destroy]
+  before_action { authorize (@photo || Photo) }
 
   # GET /photos or /photos.json
   def index
     @photos = Photo.all
   end
-
+  # step 14 add authorize / authorize @photo to methods
   # GET /photos/1 or /photos/1.json
   def show
   end
@@ -58,11 +59,12 @@ def destroy
   end
 
   private
-    # Use callbacks to share common setup or constraints between actions.
+    # Use callbacks to share common setup or constraints between actions
     def set_photo
       @photo = Photo.find(params[:id])
     end
 
+
     # Only allow a list of trusted parameters through.
     def photo_params
       params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id)

app/controllers/users_controller.rb

@@ -1,13 +1,14 @@
 class UsersController < ApplicationController
   before_action :set_user, only: %i[ show liked feed followers following discover ]
+  before_action { authorize @user || User }
 
   private
-
+  
     def set_user
       if params[:username]
         @user = User.find_by!(username: params.fetch(:username))
       else
         @user = current_user
       end
     end
-end
+end

app/models/comment.rb

@@ -23,5 +23,8 @@ class Comment < ApplicationRecord
   belongs_to :author, class_name: "User", counter_cache: true
   belongs_to :photo, counter_cache: true
 
+  has_one :owner, through: :photo
+
+
   validates :body, presence: true
 end

app/policies/application_policy.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+class ApplicationPolicy
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  def index?
+    false
+  end
+
+  def show?
+    false
+  end
+
+  def create?
+    false
+  end
+
+  def new?
+    create?
+  end
+
+  def update?
+    false
+  end
+
+  def edit?
+    update?
+  end
+
+  def destroy?
+    false
+  end
+
+  class Scope
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      raise NotImplementedError, "You must define #resolve in #{self.class}"
+    end
+
+    private
+
+    attr_reader :user, :scope
+  end
+end

app/policies/comment_policy.rb

@@ -0,0 +1,37 @@
+class CommentPolicy < ApplicationPolicy
+  attr_reader :user, :comment
+
+  def initialize(user, comment)
+    @user = user
+    @comment = comment
+  end
+
+    def index?
+      true
+    end
+
+    def show?
+      user == comment.author
+    end
+
+    def create?
+      true
+    end
+
+
+    def update?
+      author?
+    end
+
+
+    def destroy?
+      author?
+    end
+
+    private
+    def author?
+      comment.author == user
+    end
+
+
+end

app/policies/follow_request_policy.rb

@@ -0,0 +1,17 @@
+class FollowRequestPolicy < ApplicationPolicy
+
+
+  def create?
+    true
+  end
+
+
+  def update?
+    (user == record.sender) || (user == record.recipient) 
+  end
+
+  def destroy?
+    (user == record.sender) || (user == record.recipient)
+  end
+
+end

app/policies/photo_policy.rb

@@ -0,0 +1,57 @@
+class PhotoPolicy < ApplicationPolicy
+  class Scope < Scope
+    # NOTE: Be explicit about which records you allow access to!
+    # def resolve
+    #   scope.all
+    # end
+    attr_reader :user, :photo
+
+    def initialize(user, photo)
+      @user = user
+      @photo = photo
+    end
+  end
+
+
+  def index?
+    true
+  end
+
+  # Our policy is that a photo should only be seen by the owner or followers
+  #   of the owner, unless the owner is not private in which case anyone can
+  #   see it
+  def show?
+    user == record.owner ||
+      !record.owner.private? ||
+      record.owner.followers.include?(user)
+  end
+
+  def create?
+    true
+  end
+
+
+
+  # step 11 here: to do add to notes
+  # both update and destroy call on author? to 
+  # check whether to allow that action based on if user is the owner of that account
+
+  def update?
+    author?
+  end
+
+  def destroy?
+    author?
+  end
+
+
+  private
+  def author?
+    record.owner == user
+    # step 12:
+    # equivalent: photo.user == owner
+    # owner because of belongs to relationship to user
+    # fk_rails_...  (owner_id => users.id)
+  end
+
+end

app/policies/user_policy.rb

@@ -0,0 +1,42 @@
+class UserPolicy < ApplicationPolicy
+  attr_reader :current_user, :user
+
+  def initialize(current_user, user)
+    @current_user = current_user
+    @user = user
+  end
+
+    def show?
+      true
+    end
+
+    def feed?
+      current_user_view?
+    end
+
+    def discover?
+      current_user_view?
+    end
+
+    def followers?
+      visible?
+    end
+
+    def following?
+      visible?
+    end
+
+    def liked?
+      visible?
+    end
+
+    def visible?
+      user == current_user || !user.private? ||
+      user.followers.include?(current_user)
+    end
+
+    def current_user_view?
+      user == current_user
+    end
+
+end