policies: remove current request from context.

This refactors Pundit policies to only rely on the current user, not on
the current user and the current HTTP request. In retrospect, it was a
bad idea to include the current request in the Pundit context. It bleeds
out everywhere and there are many contexts (in tests and models) where
we only have the current user, not the current request. The previous
commit got rid of the only two places where we used it.

app/models/application_record.rb

@@ -57,13 +57,13 @@ class ApplicationRecord < ActiveRecord::Base
 
     # XXX deprecated, shouldn't expose this as an instance method.
     def api_attributes(user: CurrentUser.user)
-      policy = Pundit.policy([user, nil], self) || ApplicationPolicy.new([user, nil], self)
+      policy = Pundit.policy(user, self) || ApplicationPolicy.new(user, self)
       policy.api_attributes
     end
 
     # XXX deprecated, shouldn't expose this as an instance method.
     def html_data_attributes(user: CurrentUser.user)
-      policy = Pundit.policy([user, nil], self) || ApplicationPolicy.new([user, nil], self)
+      policy = Pundit.policy(user, self) || ApplicationPolicy.new(user, self)
       policy.html_data_attributes
     end
 

app/models/pool.rb

@@ -144,7 +144,7 @@ class Pool < ApplicationRecord
   end
 
   def updater_can_edit_deleted
-    if is_deleted? && !Pundit.policy!([CurrentUser.user, nil], self).update?
+    if is_deleted? && !Pundit.policy!(CurrentUser.user, self).update?
       errors.add(:base, "You cannot update pools that are deleted")
     end
   end

app/models/post.rb

@@ -668,12 +668,12 @@ class Post < ApplicationRecord
 
         when /^-favgroup:(.+)$/i
           favgroup = FavoriteGroup.find_by_name_or_id!($1, CurrentUser.user)
-          raise User::PrivilegeError unless Pundit.policy!([CurrentUser.user, nil], favgroup).update?
+          raise User::PrivilegeError unless Pundit.policy!(CurrentUser.user, favgroup).update?
           favgroup&.remove!(self)
 
         when /^favgroup:(.+)$/i
           favgroup = FavoriteGroup.find_by_name_or_id!($1, CurrentUser.user)
-          raise User::PrivilegeError unless Pundit.policy!([CurrentUser.user, nil], favgroup).update?
+          raise User::PrivilegeError unless Pundit.policy!(CurrentUser.user, favgroup).update?
           favgroup&.add!(self)
 
         end
@@ -779,7 +779,7 @@ class Post < ApplicationRecord
 
     def add_favorite!(user)
       Favorite.add(post: self, user: user)
-      vote!("up", user) if Pundit.policy!([user, nil], PostVote).create?
+      vote!("up", user) if Pundit.policy!(user, PostVote).create?
     rescue PostVote::Error
     end
 
@@ -789,7 +789,7 @@ class Post < ApplicationRecord
 
     def remove_favorite!(user)
       Favorite.remove(post: self, user: user)
-      unvote!(user) if Pundit.policy!([user, nil], PostVote).create?
+      unvote!(user) if Pundit.policy!(user, PostVote).create?
     rescue PostVote::Error
     end
 
@@ -803,7 +803,7 @@ class Post < ApplicationRecord
     # Users who publicly favorited this post, ordered by time of favorite.
     def visible_favorited_users(viewer)
       favorited_users.order("favorites.id DESC").select do |fav_user|
-        Pundit.policy!([viewer, nil], fav_user).can_see_favorites?
+        Pundit.policy!(viewer, fav_user).can_see_favorites?
       end
     end
 
@@ -876,7 +876,7 @@ class Post < ApplicationRecord
     end
 
     def vote!(vote, voter = CurrentUser.user)
-      unless Pundit.policy!([voter, nil], PostVote).create?
+      unless Pundit.policy!(voter, PostVote).create?
         raise PostVote::Error.new("You do not have permission to vote")
       end
 

app/models/post_event.rb

@@ -56,7 +56,7 @@ class PostEvent
       true
     when PostFlag
       flag = event
-      Pundit.policy!([user, nil], flag).can_view_flagger?
+      Pundit.policy!(user, flag).can_view_flagger?
     end
   end
 

app/models/post_flag.rb

@@ -31,7 +31,7 @@ class PostFlag < ApplicationRecord
     def creator_matches(creator, searcher)
       return none if creator.nil?
 
-      policy = Pundit.policy!([searcher, nil], PostFlag.new(creator: creator))
+      policy = Pundit.policy!(searcher, PostFlag.new(creator: creator))
 
       if policy.can_view_flagger?
         where(creator: creator).where.not(post: searcher.posts)

app/models/tag.rb

@@ -204,7 +204,7 @@ class Tag < ApplicationRecord
             # next few lines if the category is changed.
             tag.update_category_cache
 
-            if Pundit.policy!([creator, nil], tag).can_change_category?
+            if Pundit.policy!(creator, tag).can_change_category?
               tag.update(category: category_id)
             end
           end