pundit: convert tags to pundit.

2020-03-17 17:35:59 -05:00
parent 4cd0b2cbfe
commit 4bb036aff1
6 changed files with 27 additions and 31 deletions
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@@ -1,15 +1,13 @@
 class TagsController < ApplicationController
-  before_action :member_only, :only => [:edit, :update]
  respond_to :html, :xml, :json

  def edit
-    @tag = Tag.find(params[:id])
-    check_privilege(@tag)
+    @tag = authorize Tag.find(params[:id])
    respond_with(@tag)
  end

  def index
-    @tags = Tag.paginated_search(params, hide_empty: true)
+    @tags = authorize Tag.paginated_search(params, hide_empty: true)
    @tags = @tags.includes(:consequent_aliases) if request.format.html?
    respond_with(@tags)
  end
@@ -27,27 +25,13 @@ class TagsController < ApplicationController
  end

  def show
-    @tag = Tag.find(params[:id])
+    @tag = authorize Tag.find(params[:id])
    respond_with(@tag)
  end

  def update
-    @tag = Tag.find(params[:id])
-    check_privilege(@tag)
-    @tag.update(tag_params)
+    @tag = authorize Tag.find(params[:id])
+    @tag.update(permitted_attributes(@tag))
    respond_with(@tag)
  end
-
-  private
-
-  def check_privilege(tag)
-    raise User::PrivilegeError unless tag.editable_by?(CurrentUser.user)
-  end
-
-  def tag_params
-    permitted_params = [:category]
-    permitted_params << :is_locked if CurrentUser.is_moderator?
-
-    params.require(:tag).permit(permitted_params)
-  end
 end
--- a/app/models/tag.rb
+++ b/app/models/tag.rb
@@ -210,7 +210,7 @@ class Tag < ApplicationRecord
            # next few lines if the category is changed.
            tag.update_category_cache

-            if tag.editable_by?(creator)
+            if Pundit.policy!([creator, nil], tag).can_change_category?
              tag.update(category: category_id)
            end
          end
@@ -382,13 +382,6 @@ class Tag < ApplicationRecord
    cosplay_tags.grep(/\A(.+)_\(cosplay\)\Z/) { "#{TagAlias.to_aliased([$1]).first}_(cosplay)" } + other_tags
  end

-  def editable_by?(user)
-    return true if user.is_admin?
-    return true if !is_locked? && user.is_builder? && post_count < 1_000
-    return true if !is_locked? && user.is_member? && post_count < 50
-    return false
-  end
-
  def posts
    Post.tag_match(name)
  end
--- a/app/policies/tag_policy.rb
+++ b/app/policies/tag_policy.rb
@@ -0,0 +1,15 @@
+class TagPolicy < ApplicationPolicy
+  def can_change_category?
+    user.is_admin? ||
+      (user.is_builder? && !record.is_locked? && record.post_count < 1_000) ||
+      (user.is_member? && !record.is_locked? && record.post_count < 50)
+  end
+
+  def can_lock?
+    user.is_moderator?
+  end
+
+  def permitted_attributes
+    [(:category if can_change_category?), (:is_locked if can_lock?)].compact
+  end
+end
--- a/app/views/tags/edit.html.erb
+++ b/app/views/tags/edit.html.erb
@@ -9,7 +9,7 @@
        <%= f.input :category, :collection => TagCategory.canonical_mapping.to_a, :include_blank => false %>
      <% end %>

-      <% if CurrentUser.is_moderator? %>
+      <% if policy(@tag).can_lock? %>
        <%= f.input :is_locked, :collection => [["No", "false"], ["Yes", "true"]], :include_blank => false %>
      <% end %>

--- a/app/views/tags/index.html.erb
+++ b/app/views/tags/index.html.erb
@@ -16,7 +16,9 @@
        <% end %>
      <% end %>
      <% t.column column: "control" do |tag| %>
-        <%= link_to_if tag.editable_by?(CurrentUser.user), "Edit", edit_tag_path(tag) %> |
+        <% if policy(tag).update? %>
+          <%= link_to "Edit", edit_tag_path(tag) %> |
+        <% end %>
        <%= link_to "History", post_versions_path(search: { changed_tags: tag.name }) %> |
        <%= link_to "Related", related_tag_path(search: { query: tag.name }) %> |
        <%= link_to "Similar", tags_path(search: { fuzzy_name_matches: tag.name, order: :similarity }) %>
--- a/test/functional/tags_controller_test.rb
+++ b/test/functional/tags_controller_test.rb
@@ -86,6 +86,7 @@ class TagsControllerTest < ActionDispatch::IntegrationTest
      should "not lock the tag for a user" do
        put_auth tag_path(@tag), @user, params: {tag: { is_locked: true }}

+        assert_response 403
        assert_equal(false, @tag.reload.is_locked)
      end

@@ -100,6 +101,7 @@ class TagsControllerTest < ActionDispatch::IntegrationTest
          @member = create(:member_user)
          put_auth tag_path(@tag), @member, params: {tag: { category: Tag.categories.general }}

+          assert_response 403
          assert_not_equal(Tag.categories.general, @tag.reload.category)
        end