diff --git a/Gemfile b/Gemfile index 9eebefb9..2b366653 100644 --- a/Gemfile +++ b/Gemfile @@ -3,6 +3,9 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" } ruby "3.2.1" + +gem 'pundit' + gem "simple_form" # Bundle edge Rails instead: gem "rails", github: "rails/rails", branch: "main" diff --git a/Gemfile.lock b/Gemfile.lock index 42668dd8..e73e59d4 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -233,6 +233,8 @@ GEM public_suffix (5.0.1) puma (5.6.5) nio4r (~> 2.0) + pundit (2.3.1) + activesupport (>= 3.0.0) racc (1.6.2) rack (2.2.7) rack-protection (3.0.6) @@ -425,6 +427,7 @@ DEPENDENCIES pg (~> 1.1) pry-rails puma (~> 5.0) + pundit rails (~> 7.0.4, >= 7.0.4.3) rails-erd rails_db diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index bd664b1d..a9af0a78 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,12 +1,27 @@ class ApplicationController < ActionController::Base + include Pundit + + after_action :verify_authorized, unless: :devise_controller? + after_action :verify_policy_scoped, only: :index, unless: :devise_controller? + before_action :authenticate_user! - + before_action :configure_permitted_parameters, if: :devise_controller? - + protected - + def configure_permitted_parameters devise_parameter_sanitizer.permit(:sign_up, keys: [:username, :private, :name, :bio, :website, :avatar_image]) devise_parameter_sanitizer.permit(:account_update, keys: [:username, :private, :name, :bio, :website, :avatar_image]) end + + rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized + + private + + def user_not_authorized + flash[:alert] = "You are not authorized to perform this action." + + redirect_back fallback_location: root_url + end end diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb index 046a8e5d..c5330e4d 100644 --- a/app/controllers/comments_controller.rb +++ b/app/controllers/comments_controller.rb @@ -1,6 +1,6 @@ class CommentsController < ApplicationController before_action :set_comment, only: %i[ show edit update destroy ] - + before_action :is_an_authorized_user, only: [:destroy, :create] # GET /comments or /comments.json def index @comments = Comment.all @@ -58,13 +58,21 @@ def destroy end private - # Use callbacks to share common setup or constraints between actions. - def set_comment - @comment = Comment.find(params[:id]) - end - # Only allow a list of trusted parameters through. - def comment_params - params.require(:comment).permit(:author_id, :photo_id, :body) + # Use callbacks to share common setup or constraints between actions. + def set_comment + @comment = Comment.find(params[:id]) + end + + def is_an_authorized_user + @photo = Photo.find(params.fetch(:comment).fetch(:photo_id)) + if current_user != @photo.owner && @photo.owner.private? && !current_user.leaders.include?(@photo.owner) + redirect_back fallback_location: root_url, alert: "Not authorized" end + end + + # Only allow a list of trusted parameters through. + def comment_params + params.require(:comment).permit(:author_id, :photo_id, :body) + end end diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb index 78e53163..f945bc1d 100644 --- a/app/controllers/photos_controller.rb +++ b/app/controllers/photos_controller.rb @@ -1,5 +1,7 @@ class PhotosController < ApplicationController before_action :set_photo, only: %i[ show edit update destroy ] + before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit] + # before_action :ensure_user_is_authorized, only: [:show] # GET /photos or /photos.json def index @@ -8,6 +10,7 @@ def index # GET /photos/1 or /photos/1.json def show + authorize @photo end # GET /photos/new @@ -50,21 +53,39 @@ def update # DELETE /photos/1 or /photos/1.json def destroy - @photo.destroy - respond_to do |format| - format.html { redirect_back fallback_location: root_url, notice: "Photo was successfully destroyed." } - format.json { head :no_content } + if current_user == @photo.owner + @photo.destroy + + respond_to do |format| + format.html { redirect_back fallback_location: root_url, notice: "Photo was successfully destroyed." } + format.json { head :no_content } + end + else + redirect_back(fallback_location: root_url, notice: "Nice try, but that is not your photo.") end end private - # Use callbacks to share common setup or constraints between actions. - def set_photo - @photo = Photo.find(params[:id]) - end - # Only allow a list of trusted parameters through. - def photo_params - params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id) + # Use callbacks to share common setup or constraints between actions. + def set_photo + @photo = Photo.find(params[:id]) + end + + def ensure_current_user_is_owner + if current_user != @photo.owner + redirect_back fallback_location: root_url, alert: "You're not authorized for that." end + end + + # Only allow a list of trusted parameters through. + def photo_params + params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id) + end + + # def ensure_user_is_authorized + # if !PhotoPolicy.new(current_user, @photo).show? + # raise Pundit::NotAuthorizedError, "not allowed" + # end + # end end diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 31db66e9..80f8c476 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -1,5 +1,6 @@ class UsersController < ApplicationController before_action :set_user, only: %i[ show liked feed followers following discover ] + before_action { authorize(@user || User) } private @@ -10,4 +11,4 @@ def set_user @user = current_user end end -end \ No newline at end of file +end diff --git a/app/models/comment.rb b/app/models/comment.rb index 14a8eb00..bc318e2c 100644 --- a/app/models/comment.rb +++ b/app/models/comment.rb @@ -22,6 +22,6 @@ class Comment < ApplicationRecord belongs_to :author, class_name: "User", counter_cache: true belongs_to :photo, counter_cache: true - + has_one :owner, through: :photo validates :body, presence: true end diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb new file mode 100644 index 00000000..e000cba5 --- /dev/null +++ b/app/policies/application_policy.rb @@ -0,0 +1,53 @@ +# frozen_string_literal: true + +class ApplicationPolicy + attr_reader :user, :record + + def initialize(user, record) + @user = user + @record = record + end + + def index? + false + end + + def show? + false + end + + def create? + false + end + + def new? + create? + end + + def update? + false + end + + def edit? + update? + end + + def destroy? + false + end + + class Scope + def initialize(user, scope) + @user = user + @scope = scope + end + + def resolve + raise NotImplementedError, "You must define #resolve in #{self.class}" + end + + private + + attr_reader :user, :scope + end +end diff --git a/app/policies/photo_policy.rb b/app/policies/photo_policy.rb new file mode 100644 index 00000000..1dfaa3d1 --- /dev/null +++ b/app/policies/photo_policy.rb @@ -0,0 +1,16 @@ +# app/policies/photo_policy.rb + +class PhotoPolicy < ApplicationPolicy + attr_reader :user, :photo + + def initialize(user, photo) + @user = user + @photo = photo + end + + def show? + user == photo.owner || + !photo.owner.private? || + photo.owner.followers.include?(user) + end +end diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb new file mode 100644 index 00000000..9b9d78be --- /dev/null +++ b/app/policies/user_policy.rb @@ -0,0 +1,20 @@ +# app/policies/user_policy.rb + +class UserPolicy < ApplicationPolicy + attr_reader :current_user, :user + + def initialize(current_user, user) + @current_user = current_user + @user = user + end + + def feed? + true + end + + def show? + user == current_user || + !user.private? || + user.followers.include?(current_user) + end +end diff --git a/app/views/photos/_photo.html.erb b/app/views/photos/_photo.html.erb index f0de50b8..400591e5 100644 --- a/app/views/photos/_photo.html.erb +++ b/app/views/photos/_photo.html.erb @@ -1,3 +1,5 @@ + +

@@ -7,13 +9,16 @@

- <%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %> - - <% end %> + <% if current_user == photo.owner %> + <%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %> + + <% end %> - <%= link_to photo, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %> - + <%= link_to photo, method: :delete, class: "btn btn-link btn-sm text-muted" do %> + + <% end %> <% end %> +
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb index 5656d7d5..67265608 100644 --- a/app/views/users/show.html.erb +++ b/app/views/users/show.html.erb @@ -1,19 +1,23 @@ + +
<%= render "users/user", user: @user %>
-
-
- <%= render "users/profile_nav", user: @user %> -
-
- -<% @user.own_photos.each do |photo| %> -
+<% if policy(@user).show? %> +
- <%= render "photos/photo", photo: photo %> + <%= render "users/profile_nav", user: @user %>
+ + <% @user.own_photos.each do |photo| %> +
+
+ <%= render "photos/photo", photo: photo %> +
+
+ <% end %> <% end %> diff --git a/config/environments/development.rb b/config/environments/development.rb index 79e0b793..399124c1 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -2,7 +2,8 @@ Rails.application.configure do config.action_mailer.default_url_options = { host: 'localhost', port: 3000 } - # Allow better_errors to work in online IDE + config.hosts.clear + # Allow better_errors to work in online IDE config.web_console.whitelisted_ips = "0.0.0.0/0.0.0.0" BetterErrors::Middleware.allow_ip! "0.0.0.0/0.0.0.0" # Auto-connect to database when rails console opens diff --git a/config/routes.rb b/config/routes.rb index 47050a54..c8620ed5 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -4,14 +4,14 @@ devise_for :users resources :comments - resources :follow_requests - resources :likes - resources :photos - + resources :follow_requests, except: [:index, :show, :new, :edit] + resources :likes, only: [:create, :destroy] + resources :photos, except: [:index] + get ":username" => "users#show", as: :user get ":username/liked" => "users#liked", as: :liked get ":username/feed" => "users#feed", as: :feed get ":username/discover" => "users#discover", as: :discover get ":username/followers" => "users#followers", as: :followers get ":username/following" => "users#following", as: :following -end \ No newline at end of file +end diff --git a/lib/tasks/dev.rake b/lib/tasks/dev.rake index 41cc320e..6c9c7580 100644 --- a/lib/tasks/dev.rake +++ b/lib/tasks/dev.rake @@ -15,7 +15,7 @@ task sample_data: :environment do } end - people << { first_name: "Alice", last_name: "Smith" } + people << { first_name: "Alice", last_name: "Smith", private: true } people << { first_name: "Bob", last_name: "Smith" } people << { first_name: "Carol", last_name: "Smith" } people << { first_name: "Doug", last_name: "Smith" }