pundit: convert users to pundit.

app/controllers/users_controller.rb

@@ -3,19 +3,18 @@ class UsersController < ApplicationController
   skip_before_action :api_check
 
   def new
-    @user = User.new
+    @user = authorize User.new
     @user.email_address = EmailAddress.new
     respond_with(@user)
   end
 
   def edit
-    @user = User.find(params[:id])
-    check_privilege(@user)
+    @user = authorize User.find(params[:id])
     respond_with(@user)
   end
 
   def settings
-    @user = CurrentUser.user
+    @user = authorize CurrentUser.user
 
     if @user.is_anonymous?
       redirect_to login_path(url: settings_path)
@@ -32,7 +31,7 @@ class UsersController < ApplicationController
       return
     end
 
-    @users = User.paginated_search(params)
+    @users = authorize User.paginated_search(params)
     @users = @users.includes(:inviter) if request.format.html?
 
     respond_with(@users)
@@ -42,12 +41,12 @@ class UsersController < ApplicationController
   end
 
   def show
-    @user = User.find(params[:id])
+    @user = authorize User.find(params[:id])
     respond_with(@user, methods: @user.full_attributes)
   end
 
   def profile
-    @user = CurrentUser.user
+    @user = authorize CurrentUser.user
 
     if @user.is_member?
       params[:action] = "show"
@@ -60,7 +59,8 @@ class UsersController < ApplicationController
   end
 
   def create
-    @user = User.new(last_ip_addr: CurrentUser.ip_addr, **user_params(:create))
+    @user = authorize User.new(last_ip_addr: CurrentUser.ip_addr, **permitted_attributes(User))
+
     if !Danbooru.config.enable_recaptcha? || verify_recaptcha(model: @user)
       @user.save
       if @user.errors.empty?
@@ -78,14 +78,15 @@ class UsersController < ApplicationController
   end
 
   def update
-    @user = User.find(params[:id])
-    check_privilege(@user)
-    @user.update(user_params(:update))
+    @user = authorize User.find(params[:id])
+    @user.update(permitted_attributes(@user))
+
     if @user.errors.any?
       flash[:notice] = @user.errors.full_messages.join("; ")
     else
       flash[:notice] = "Settings updated"
     end
+
     respond_with(@user) do |format|
       format.html { redirect_back fallback_location: edit_user_path(@user) }
     end
@@ -105,32 +106,4 @@ class UsersController < ApplicationController
       true
     end
   end
-
-  def check_privilege(user)
-    raise User::PrivilegeError unless user.id == CurrentUser.id || CurrentUser.is_admin?
-  end
-
-  def user_params(context)
-    permitted_params = %i[
-      password old_password password_confirmation
-      comment_threshold default_image_size favorite_tags blacklisted_tags
-      time_zone per_page custom_style theme
-
-      receive_email_notifications always_resize_images enable_post_navigation
-      new_post_navigation_layout enable_private_favorites
-      enable_sequential_post_navigation hide_deleted_posts style_usernames
-      enable_auto_complete show_deleted_children
-      disable_categorized_saved_searches disable_tagged_filenames
-      disable_cropped_thumbnails disable_mobile_gestures
-      enable_safe_mode enable_desktop_mode disable_post_tooltips
-    ]
-
-    if context == :create
-      permitted_params += [:name, { email_address_attributes: [:address] }]
-    end
-
-    permitted_params << :level if CurrentUser.is_admin?
-
-    params.require(:user).permit(permitted_params)
-  end
 end