From 0ad5619484323ff7d418e514968b859e4ae77c10 Mon Sep 17 00:00:00 2001
From: evazion
Date: Tue, 24 Mar 2020 00:38:07 -0500
Subject: [PATCH] pundit: add missing `authorize` calls.
---
 app/controllers/forum_posts_controller.rb | 2 +-
 app/controllers/forum_topics_controller.rb | 2 +-
 app/controllers/ip_addresses_controller.rb | 2 +-
 app/policies/forum_post_policy.rb | 4 ++++
 app/policies/forum_topic_policy.rb | 4 ++++
 5 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/app/controllers/forum_posts_controller.rb b/app/controllers/forum_posts_controller.rb
index df230463d..53af4054b 100644
--- a/app/controllers/forum_posts_controller.rb
+++ b/app/controllers/forum_posts_controller.rb
@@ -13,7 +13,7 @@ class ForumPostsController < ApplicationController
 end
 def index
- @forum_posts = ForumPost.visible(CurrentUser.user).paginated_search(params)
+ @forum_posts = authorize ForumPost.visible(CurrentUser.user).paginated_search(params)
 @forum_posts = @forum_posts.includes(:topic, :creator) if request.format.html?
 respond_with(@forum_posts)
diff --git a/app/controllers/forum_topics_controller.rb b/app/controllers/forum_topics_controller.rb
index 82d66f722..49e1edd73 100644
--- a/app/controllers/forum_topics_controller.rb
+++ b/app/controllers/forum_topics_controller.rb
@@ -20,7 +20,7 @@ class ForumTopicsController < ApplicationController
 params[:search][:order] ||= "sticky" if request.format.html?
 params[:limit] ||= 40
- @forum_topics = ForumTopic.visible(CurrentUser.user).paginated_search(params)
+ @forum_topics = authorize ForumTopic.visible(CurrentUser.user).paginated_search(params)
 if request.format.atom?
 @forum_topics = @forum_topics.includes(:creator, :original_post)
diff --git a/app/controllers/ip_addresses_controller.rb b/app/controllers/ip_addresses_controller.rb
index 98c070278..11a592b01 100644
--- a/app/controllers/ip_addresses_controller.rb
+++ b/app/controllers/ip_addresses_controller.rb
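Review bot: The `authorize` call in `index` is handed the whole `ForumPost.visible(...).paginated_search(params)` relation, so the policy's `record` is a relation rather than a single ForumPost, and the assignment only works if the installed Pundit returns its argument from `authorize` (an assumption; the Pundit version is not visible in this patch). Any later change to `index?` that reads `record` attributes the way `show?` does would break on that relation. A class-level check on its own line keeps the two concerns apart: `authorize ForumPost` followed by the unchanged `@forum_posts = ForumPost.visible(CurrentUser.user).paginated_search(params)`. The same applies to the `@forum_topics` line in forum_topics_controller.rb; both method bodies continue outside their hunks.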
@@ -16,7 +16,7 @@ class IpAddressesController < ApplicationController
 end
 def show
- @ip_address = IpAddress.new(ip_addr: params[:id])
+ @ip_address = authorize IpAddress.new(ip_addr: params[:id])
 @ip_info = @ip_address.lookup.info
 respond_with(@ip_info)
 end
diff --git a/app/policies/forum_post_policy.rb b/app/policies/forum_post_policy.rb
index 69e31fa34..14e315e9c 100644
--- a/app/policies/forum_post_policy.rb
+++ b/app/policies/forum_post_policy.rb
@@ -1,4 +1,8 @@
 class ForumPostPolicy < ApplicationPolicy
+ def index?
+ true
+ end
+
 def show?
 user.level >= record.topic.min_level
 end
diff --git a/app/policies/forum_topic_policy.rb b/app/policies/forum_topic_policy.rb
index 43b96fdcb..0dd88b71a 100644
--- a/app/policies/forum_topic_policy.rb
+++ b/app/policies/forum_topic_policy.rb
@@ -1,4 +1,8 @@
 class ForumTopicPolicy < ApplicationPolicy
+ def index?
+ true
+ end
+
 def show?
 user.level >= record.min_level
 end
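Review bot: Nothing in this patch shows what `IpAddressPolicy#show?` allows, yet the new `authorize` in `show` is the only gate visible here in front of `@ip_address.lookup.info`, which is driven by the caller-supplied `params[:id]`. The commit adds `index?` to both forum policies but does not touch an IP address policy, so the check presumably resolves to an existing `show?` or to an inherited default in ApplicationPolicy; that rule should be confirmed to be limited to the intended user level. A controller test asserting that a user below that level is denied on `show` would pin it, and a one-line comment above the call such as `# show? must stay restricted: the lookup below runs on a caller-supplied address` would document the dependency.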
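Review bot: `index?` returns `true` unconditionally in ForumPostPolicy and in the identical addition to ForumTopicPolicy, so the new `authorize` calls in the two index actions restrict nothing and which rows a user sees rests entirely on the `.visible(CurrentUser.user)` scope in the controllers. That leaves the listing rule outside the policy while `show?` keeps the `min_level` rule inside it, so the two can drift apart without any policy test noticing. At minimum document the intent above each method, e.g. `# Listing is open to every user; row filtering is done by .visible in the controller, not here.` Moving the visibility filter into a policy scope resolved through `policy_scope` would keep both rules in one place, if that matches the project's conventions.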