From 3bb3c0b990e070b6f2ef14a37e160091fb44256e Mon Sep 17 00:00:00 2001 From: evazion Date: Fri, 20 Mar 2020 00:12:05 -0500 Subject: [PATCH] pundit: convert saved searches to pundit. --- app/controllers/saved_searches_controller.rb | 25 ++++------ app/models/saved_search.rb | 2 +- app/policies/saved_search_policy.rb | 21 +++++++++ .../saved_searches_controller_test.rb | 46 ++++++++++++------- 4 files changed, 60 insertions(+), 34 deletions(-) create mode 100644 app/policies/saved_search_policy.rb diff --git a/app/controllers/saved_searches_controller.rb b/app/controllers/saved_searches_controller.rb index 716d21d73..a946e34c8 100644 --- a/app/controllers/saved_searches_controller.rb +++ b/app/controllers/saved_searches_controller.rb 
@@ -2,43 +2,36 @@ class SavedSearchesController < ApplicationController respond_to :html, :xml, :json, :js def index - @saved_searches = saved_searches.paginated_search(params, count_pages: true) + @saved_searches = authorize SavedSearch.where(user: CurrentUser.user).paginated_search(params, count_pages: true) respond_with(@saved_searches) end def labels + authorize SavedSearch @labels = SavedSearch.search_labels(CurrentUser.id, params[:search]).take(params[:limit].to_i || 10) respond_with(@labels) end def create - @saved_search = saved_searches.create(saved_search_params) + @saved_search = authorize SavedSearch.new(user: CurrentUser.user, **permitted_attributes(SavedSearch)) + @saved_search.save respond_with(@saved_search) end def destroy - @saved_search = saved_searches.find(params[:id]) + @saved_search = authorize SavedSearch.find(params[:id]) @saved_search.destroy respond_with(@saved_search) end def edit - @saved_search = saved_searches.find(params[:id]) + @saved_search = authorize SavedSearch.find(params[:id]) + respond_with(@saved_search) end def update - @saved_search = saved_searches.find(params[:id]) - @saved_search.update(saved_search_params) + @saved_search = authorize SavedSearch.find(params[:id]) + @saved_search.update(permitted_attributes(@saved_search)) respond_with(@saved_search, :location => saved_searches_path) end - - private - - def saved_searches - CurrentUser.user.saved_searches - end - - def saved_search_params - params.fetch(:saved_search, {}).permit(%i[query label_string disable_labels]) - end end diff --git a/app/models/saved_search.rb b/app/models/saved_search.rb index 548201648..ae59f367f 100644 --- a/app/models/saved_search.rb +++ b/app/models/saved_search.rb 
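Review bot: In `index`, `authorize` is applied to the value returned by `paginated_search` rather than to the model, so both the policy lookup and what ends up in `@saved_searches` depend on that helper's return type (a relation resolves to `SavedSearchPolicy`, but if it ever returned an Array, Pundit's policy finder would treat it as a namespace path and an empty result would fail the lookup) and on `authorize` returning its argument, which is Pundit 2.x behaviour; authorizing the class first, `authorize SavedSearch` and then `@saved_searches = SavedSearch.where(user: CurrentUser.user).paginated_search(params, count_pages: true)`, matches how `labels` does it and removes both dependencies. In `create`, `**permitted_attributes(SavedSearch)` double-splats an `ActionController::Parameters`, which relies on `to_hash` producing string keys that the running Ruby accepts in a keyword splat; `SavedSearch.new(permitted_attributes(SavedSearch).merge(user: CurrentUser.user))` avoids the splat entirely. As far as I recall Pundit's `permitted_attributes` uses `params.require`, so a request without a `saved_search` key now raises `ParameterMissing` where the removed `saved_search_params` defaulted to `{}` — probably intended, but worth a test. The unchanged context line in `labels`, `params[:limit].to_i || 10`, never falls back to 10 because `to_i` never returns nil, so a missing limit yields `take(0)`; pre-existing and not part of this change, but easy to fix alongside it. The class header is outside the hunk.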
@@ -169,7 +169,7 @@ class SavedSearch < ApplicationRecord end def disable_labels=(value) - CurrentUser.update(disable_categorized_saved_searches: true) if value.to_s.truthy? + user.update(disable_categorized_saved_searches: true) if value.to_s.truthy? end def self.available_includes diff --git a/app/policies/saved_search_policy.rb b/app/policies/saved_search_policy.rb new file mode 100644 index 000000000..f8671fb37 --- /dev/null +++ b/app/policies/saved_search_policy.rb @@ -0,0 +1,21 @@ +class SavedSearchPolicy < ApplicationPolicy + def index? + user.is_member? + end + + def create? + user.is_member? + end + + def update? + record.user_id == user.id + end + + def labels? + index? + end + + def permitted_attributes + [:query, :label_string, :disable_labels] + end +end diff --git a/test/functional/saved_searches_controller_test.rb b/test/functional/saved_searches_controller_test.rb index d042139e2..f5a703579 100644 --- a/test/functional/saved_searches_controller_test.rb +++ b/test/functional/saved_searches_controller_test.rb @@ -4,9 +4,7 @@ class SavedSearchesControllerTest < ActionDispatch::IntegrationTest context "The saved searches controller" do setup do @user = create(:user) - as_user do - @saved_search = create(:saved_search, user: @user) - end + @saved_search = create(:saved_search, user: @user) end context "index action" do 
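Review bot: `disable_labels=` now dereferences `user`, which is nil until the association has been assigned; the controller only works because `user:` precedes the permitted attributes in its `SavedSearch.new` call, and a plain `SavedSearch.new(disable_labels: "1")` or a reordering of that hash raises `NoMethodError`. The user is also updated at assignment time rather than at save, so a saved search that fails validation still flips `disable_categorized_saved_searches` (the removed `CurrentUser` version had the same timing, so this is not a regression). Recording the intent and applying it in a callback avoids both problems: `@disable_labels = value.to_s.truthy?` here and `after_save { user.update(disable_categorized_saved_searches: true) if @disable_labels }`. The enclosing class continues outside the hunk.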
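Review bot: The policy defines `update?` as an ownership check but no `destroy?`, `edit?` or `show?`, so whether a non-owner can destroy a saved search is decided by `ApplicationPolicy`, which is outside this diff; the new destroy test in the last hunk expects 403, which suggests the base policy delegates to `update?`, but an explicit `def destroy?` / `update?` / `end` here keeps the ownership rule visible in one place and survives a later change to the base policy. `update?` compares against `user.id` without the `user.is_member?` guard that `index?` and `create?` use, so confirm `ApplicationPolicy` rejects a nil (anonymous) user before these predicates run. Since `permitted_attributes` includes `:disable_labels`, which writes to the owning user's settings, the ownership check on update is the only thing preventing one user from changing another's preference, so it is worth a comment above `update?` such as `# Owner only: permitted_attributes includes disable_labels, which mutates the owning user.`.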
@@ -17,24 +15,29 @@ class SavedSearchesControllerTest < ActionDispatch::IntegrationTest end end + context "labels action" do + should "render" do + get_auth labels_saved_searches_path, @user, as: :json + assert_response :success + end + end + context "create action" do should "render" do post_auth saved_searches_path, @user, params: { saved_search: { query: "bkub", label_string: "artist" }} - assert_response :redirect + assert_redirected_to SavedSearch.last end should "disable labels when the disable_labels param is given" do post_auth saved_searches_path, @user, params: { saved_search: { query: "bkub", disable_labels: "1" }} + assert_redirected_to SavedSearch.last assert_equal(true, @user.reload.disable_categorized_saved_searches) end end context "edit action" do should "render" do - as_user do - @saved_search = create(:saved_search, user: @user) - end - + @saved_search = create(:saved_search, user: @user) get_auth edit_saved_search_path(@saved_search), @user, params: { id: @saved_search.id } assert_response :success end 
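Review bot: The new `labels` test and the `create` tests only exercise a member user, so the `is_member?` gate that `index?`, `create?` and `labels?` introduce has no negative coverage, unlike the ownership checks for update and destroy covered in the next hunk; a case that posts to `saved_searches_path` as a user for whom `is_member?` is false (using whatever factory trait the project has for that) and asserts 403 would pin it. The `edit action` test, and both destroy tests in the next hunk, re-create `@saved_search` although the setup block in the first hunk already creates one for `@user`, leaving two records per test; harmless, but the extra `@saved_search = create(:saved_search, user: @user)` lines can be dropped. The `create` tests assert the redirect to `SavedSearch.last` but not that a record was added; wrapping them in `assert_difference("SavedSearch.count", 1)` as the destroy test does would make the two symmetric.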
@@ -42,24 +45,33 @@ class SavedSearchesControllerTest < ActionDispatch::IntegrationTest context "update action" do should "render" do - as_user do - @saved_search = create(:saved_search, user: @user) - end - params = { id: @saved_search.id, saved_search: { label_string: "foo" } } - put_auth saved_search_path(@saved_search), @user, params: params + put_auth saved_search_path(@saved_search), @user, params: { saved_search: { label_string: "foo" }} assert_redirected_to saved_searches_path assert_equal(["foo"], @saved_search.reload.labels) end + + should "not allow users to update saved searches belonging to other users" do + put_auth saved_search_path(@saved_search), create(:user), params: { saved_search: { label_string: "foo" }} + assert_response 403 + assert_not_equal(["foo"], @saved_search.reload.labels) + end end context "destroy action" do should "render" do - as_user do - @saved_search = create(:saved_search, user: @user) + @saved_search = create(:saved_search, user: @user) + assert_difference("SavedSearch.count", -1) do + delete_auth saved_search_path(@saved_search), @user + assert_redirected_to saved_searches_path end + end - delete_auth saved_search_path(@saved_search), @user - assert_redirected_to saved_searches_path + should "not allow users to destroy saved searches belonging to other users" do + @saved_search = create(:saved_search, user: @user) + assert_difference("SavedSearch.count", 0) do + delete_auth saved_search_path(@saved_search), create(:user) + assert_response 403 + end end end end