Url validation and Authorisation #48
Conversation
app/policies/collection_policy.rb
Outdated
| def destroy? | ||
| record.user == user | ||
| end | ||
| end |
config/locales/en.yml
Outdated
| @@ -21,3 +21,4 @@ | |||
|
|
|||
| en: | |||
| hello: "Hello world" | |||
|
|
|||
There was a problem hiding this comment.
Rubocop warns about not having newline at end of file. Either way, the last line shouldn't have the indentation.
app/services/collections/delete.rb
Outdated
| @@ -19,6 +19,7 @@ def call | |||
| attr_reader :user, :collection | |||
|
|
|||
| def delete_collection | |||
| Pundit.authorize(user, collection, :destroy?) | |||
There was a problem hiding this comment.
This should be done in the controller, not here.
app/services/websites/create.rb
Outdated
| @@ -1,3 +1,4 @@ | |||
| # frozen_string_literal: true | |||
There was a problem hiding this comment.
Not needed. Ignore this warning if rubocop shows it.
app/validators/url_validator.rb
Outdated
| false | ||
| end | ||
|
|
||
| def valid_host? host |
There was a problem hiding this comment.
Parentheses around args.
There was a problem hiding this comment.
Afaik rubocop suggests to not use parenthesis if the number of arguments are 1
There was a problem hiding this comment.
I doubt that. Rubocop follows bbatsov's styleguide, which prefers parentheses all the time, and I don't remember seeing a warning about this even though I always use parens around single args.
Maybe you're thinking about the case where there are no args?
app/validators/url_validator.rb
Outdated
| host.present? && valid_characters?(host) | ||
| end | ||
|
|
||
| def valid_characters? host |
There was a problem hiding this comment.
Parentheses around args.
app/models/website.rb
Outdated
| class Website < ApplicationRecord | ||
| before_validation :add_protocol_to_website | ||
| validates :url, url: true |
There was a problem hiding this comment.
Group different types of statements (callbacks, validations, associations, etc) together, and separate them by empty lines.
|
@Nimmyjv When you submit a PR that fixes a specific issue, please add "fixes #issueNo" in the description. It will be automatically connected to it. |
app/models/website.rb
Outdated
| @@ -38,6 +40,6 @@ def fetch_meta_description | |||
| private | |||
|
|
|||
| def add_protocol_to_website | |||
| self.url = (self.url[/^http:\/\//] || self.url[/^https:\/\//]) ? self.url : "http://#{self.url}" | |||
| self.url = url[/^http:\/\//] || url[/^https:\/\//] ? url : "http://#{url}" | |||
There was a problem hiding this comment.
This is difficult to read. In Leo, we rewrote it like this:
def add_protocol_to_url
return if protocol_present?
self.url = "https://#{url}"
end
def protocol_present?
return false if url.blank?
url[/^http:\/\//] || url[/^https:\/\//]
end| @@ -1,3 +1,4 @@ | |||
|
|
|||
app/policies/collection_policy.rb
Outdated
| @@ -1,6 +1,6 @@ | |||
| # frozen_string_literal: true | |||
There was a problem hiding this comment.
As mentioned before, remove this and ignore frozen_string_literal warnings from rubocop. Also, edit rubocop.yml to ignore these warnings.
| @@ -1,3 +1,4 @@ | |||
| # frozen_string_literal: true | |||
| @@ -7,7 +7,9 @@ def create | |||
| end | |||
|
|
|||
| def destroy | |||
| Collections::Delete.call(params[:id], current_user) | |||
| collection = Collection.find(params[:id]) | |||
| Pundit.authorize(current_user, collection, :destroy?) | |||
There was a problem hiding this comment.
Is Pundit. required? authorize(...) works, I believe.
app/services/collections/delete.rb
Outdated
| @@ -19,7 +19,7 @@ def call | |||
| attr_reader :user, :collection | |||
|
|
|||
| def delete_collection | |||
| CollectionWebsite.where('collection_id = ?', collection.id).destroy_all | |||
| CollectionWebsite.where(collection_id: collection.id).destroy_all | |||
There was a problem hiding this comment.
Can't this be achieved by doing dependent: destroy on has_many :collection_websites?
|
LGTM. 👍 |
|
|
||
| def user_not_authorized | ||
| flash[:alert] = 'You are not authorized to perform this action.' | ||
| redirect_to(request.referer || root_path) |
There was a problem hiding this comment.
You can write this like redirect_back(fallback_location: root_path)
…edpanthers.co is added it is stored as http://redpanthers.co When again redpanthers.co added to the same list, it was added because it is compared with http://redpanthers.co To prevent this, when url is added itself, it is checked whether starts with http or https. Else, http is added and then compared
…ethod has been added called redirect_back.
| @@ -1,4 +1,4 @@ | |||
| $(document).ready(function() { | |||
| $(document).ready(function() { | |||
app/models/invite.rb
Outdated
| @@ -1,5 +1,4 @@ | |||
| class Invite < ApplicationRecord | |||
| has_secure_token | |||
|
|
|||
There was a problem hiding this comment.
Leave a blank line between different kind of declarations.
app/models/invite.rb
Outdated
| @@ -1,5 +1,5 @@ | |||
| class Invite < ApplicationRecord | |||
| has_secure_token | |||
|
|
|||
|
|
There was a problem hiding this comment.
Trailing whitespace, and unnecessary 2nd blank line.
app/services/websites/create.rb
Outdated
| url | ||
| else | ||
| "http://#{url}" | ||
| end |
There was a problem hiding this comment.
Extract the condition out, so you can rewrite it like this:
url = "http://#{url}" unless protocol_given?(url)
db/seeds.rb
Outdated
| @@ -20,4 +25,4 @@ | |||
| end | |||
| end | |||
|
|
|||
| AdminUser.create!(email: '[email protected]', password: 'password', password_confirmation: 'password') | |||
| AdminUser.first_or_create!(email: '[email protected]', password: 'password', password_confirmation: 'password') | |||
There was a problem hiding this comment.
Do we really need first_or_create in seeds.rb? It is only run in an empty database, right?
db/seeds.rb
Outdated
|
|
||
| urls.each do |url| | ||
| user.websites.create!(url: url) | ||
| user = User.first_or_create!(name: 'abc', email: '[email protected]', password: '123456', password_confirmation: '123456') |
There was a problem hiding this comment.
Whitespace in the middle of line.
db/seeds.rb
Outdated
| collection = user.collections.create!(name: name) | ||
| urls.each do |url| | ||
| collection.websites.create!(url: url) | ||
| end | ||
| end |
There was a problem hiding this comment.
In seeds.rb, you don't really need all this complexity, since you know what data you want to add. You can write it like this:
user = User.create!(name: 'abc', email: '[email protected]', password: '123456', password_confirmation: '123456')
collection = user.collections.create!(name: 'First Collection')
collection.websites.create!(url: 'https://redpanthers.co')When adding seed data, it would be good to add valid url, since you will be using it in development.
| Websites::Create.call(params, user) | ||
|
|
||
| user.reload | ||
| assert_equal 1, user.site_number, 'site number' |
There was a problem hiding this comment.
Does this field contain number of websites a user has? Then can we call it websites_count instead? This seems an awkward name for the field.
(Do this in a separate PR rather than mixing these.)
app/services/websites/create.rb
Outdated
|
|
||
| def protocol_given?(url) | ||
| url if (url.start_with? 'http://') || (url.start_with? 'https://') | ||
| end |
There was a problem hiding this comment.
Don't return url. A method ending with ? should return true or false.
| <% end %> | ||
| <% end %> | ||
| <% if collection_nil.empty? %> | ||
| <% @collection_names.any? %> |
There was a problem hiding this comment.
What does this do? It just seems to return true or false and render nothing.
| @@ -11,7 +11,7 @@ class CreateTest < ActiveSupport::TestCase | |||
| Websites::Create.call(params, user) | |||
|
|
|||
| user.reload | |||
| assert_equal 1, user.site_number, 'site number' | |||
| assert_equal 1, user.websites.count, 'websites_count' | |||
There was a problem hiding this comment.
I meant renaming site_number to websites_count since that is more accurately describing what it contains, not user.websites.count.
No description provided.