pundit: convert user name change requests to pundit.

Fix a discrepancy between the index and show actions: the index
action allowed members to see name changes for undeleted users, but the
show action didn't.
evazion
2020-03-17 05:17:57 -05:00
parent db63b6d44f
commit 565a6572a7
5 changed files with 39 additions and 28 deletions


@@ -1,37 +1,25 @@
class UserNameChangeRequestsController < ApplicationController
before_action :member_only, :only => [:index, :show, :new, :create]
respond_to :html, :json, :xml
def new
@change_request = UserNameChangeRequest.new(change_request_params)
@change_request = authorize UserNameChangeRequest.new(permitted_attributes(UserNameChangeRequest))
respond_with(@change_request)
end
def create
@change_request = UserNameChangeRequest.create_with(user: CurrentUser.user, original_name: CurrentUser.name).create(change_request_params)
@change_request = authorize UserNameChangeRequest.new(user: CurrentUser.user, original_name: CurrentUser.name)
@change_request.update(permitted_attributes(@change_request))
flash[:notice] = "Your name has been changed" if @change_request.valid?
respond_with(@change_request, location: profile_path)
end
def show
@change_request = UserNameChangeRequest.find(params[:id])
check_privileges!(@change_request)
@change_request = authorize UserNameChangeRequest.find(params[:id])
respond_with(@change_request)
end
def index
@change_requests = UserNameChangeRequest.visible(CurrentUser.user).order("id desc").paginate(params[:page], :limit => params[:limit])
@change_requests = authorize UserNameChangeRequest.visible(CurrentUser.user).order("id desc").paginate(params[:page], :limit => params[:limit])
respond_with(@change_requests)
end
private
def check_privileges!(change_request)
return if CurrentUser.is_admin?
raise User::PrivilegeError if change_request.user_id != CurrentUser.user.id
end
def change_request_params
params.fetch(:user_name_change_request, {}).permit(%i[desired_name desired_name_confirmation])
end
end
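Review bot: The `before_action :member_only` on the second line of the hunk is kept for all four actions, so access is now gated twice: once by the filter and again by `authorize`. Through this controller that makes the `record.user == user` fallback in `UserNameChangeRequestPolicy#show?` unreachable (a non-member is rejected before the policy runs) and duplicates the policy's `index?` check; if the filter is intentionally kept as a coarse gate, say so, e.g. `# member_only is a coarse gate; per-record visibility is decided by UserNameChangeRequestPolicy.` Also note that `authorize` in `index` receives a relation rather than a record, which works only because `index?` never touches `record` — a comment to that effect would save the next reader a trip to the policy.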


@@ -322,6 +322,10 @@ class User < ApplicationRecord
User.level_string(value || level)
end
def is_deleted?
name.match?(/\Auser_[0-9]+~*\z/)
end
def is_anonymous?
level == Levels::ANONYMOUS
end
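Review bot: `is_deleted?` infers deletion purely from the name matching `/\Auser_[0-9]+~*\z/`, and nothing in this hunk documents that convention or guarantees a live account can't carry such a name; if name validation elsewhere does not reserve the `user_<digits>` pattern, a real user named that way would be treated as deleted and hidden by the new policy. The predicate is now security-relevant (it feeds `UserNameChangeRequestPolicy#show?`), so it deserves a comment such as `# Deleted accounts have no flag; deletion renames them to "user_<id>" (with trailing "~" on collisions, presumably), so it is inferred from the name here.` Please confirm the renaming rule against the account-deletion code, which is outside this diff. The class `User` starts and ends outside the hunk.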


@@ -0,0 +1,13 @@
class UserNameChangeRequestPolicy < ApplicationPolicy
def index?
user.is_member?
end
def show?
user.is_admin? || (user.is_member? && !record.user.is_deleted?) || (record.user == user)
end
def permitted_attributes
[:desired_name, :desired_name_confirmation]
end
end
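Review bot: The policy defines `index?` and `show?` but no `create?`/`new?`, yet the controller's `new` and `create` actions now call `authorize` and the navbar switches from `CurrentUser.is_gold?` to `policy(UserNameChangeRequest).create?`. Whatever `ApplicationPolicy`'s default `create?` returns (not visible here) is now the rule, so unless that default or a model validation enforces the gold level, the gold-only gate shown in the old navbar line has silently been relaxed to members. If the requirement is intended, make it explicit: `def create?; user.is_gold?; end`. Separately, `show?` dereferences `record.user` without a nil check; if a request can outlive its user this raises `NoMethodError` rather than denying — worth confirming against the association's constraints.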


@@ -121,7 +121,7 @@
<% else %>
<li><%= link_to "Profile", profile_path %></li>
<li><%= link_to "Settings", settings_path %></li>
<% if CurrentUser.is_gold? %>
<% if policy(UserNameChangeRequest).create? %>
<li><%= link_to "Change name", new_user_name_change_request_path %></li>
<% end %>
<li><%= link_to "Delete account", maintenance_user_deletion_path %></li>
@@ -150,7 +150,7 @@
<li><%= link_to("Jobs", delayed_jobs_path) %></li>
<li><%= link_to("Bulk Update Requests", bulk_update_requests_path) %></li>
<% if CurrentUser.is_member? %>
<% if policy(UserNameChangeRequest).index? %>
<li><%= link_to("User Name Change Requests", user_name_change_requests_path) %></li>
<% end %>