pundit: convert uploads to pundit.

app/controllers/uploads_controller.rb

@@ -1,9 +1,9 @@
 class UploadsController < ApplicationController
-  before_action :member_only, except: [:index, :show]
   respond_to :html, :xml, :json, :js
   skip_before_action :verify_authenticity_token, only: [:preprocess]
 
   def new
+    authorize Upload
     @source = Sources::Strategies.find(params[:url], params[:ref]) if params[:url].present?
     @upload, @remote_size = UploadService::ControllerHelper.prepare(
       url: params[:url], ref: params[:ref]
@@ -12,25 +12,27 @@ class UploadsController < ApplicationController
   end
 
   def batch
+    authorize Upload
     @url = params.dig(:batch, :url) || params[:url]
     @source = Sources::Strategies.find(@url, params[:ref]) if @url.present?
     respond_with(@source)
   end
 
   def image_proxy
+    authorize Upload
     resp = ImageProxy.get_image(params[:url])
     send_data resp.body, :type => resp.content_type, :disposition => "inline"
   end
 
   def index
-    @uploads = Upload.paginated_search(params, count_pages: true)
+    @uploads = authorize Upload.paginated_search(params, count_pages: true)
     @uploads = @uploads.includes(:uploader, post: :uploader) if request.format.html?
 
     respond_with(@uploads)
   end
 
   def show
-    @upload = Upload.find(params[:id])
+    @upload = authorize Upload.find(params[:id])
     respond_with(@upload) do |format|
       format.html do
         if @upload.is_completed? && @upload.post_id
@@ -41,14 +43,15 @@ class UploadsController < ApplicationController
   end
 
   def preprocess
+    authorize Upload
     @upload, @remote_size = UploadService::ControllerHelper.prepare(
-      url: upload_params[:source], file: upload_params[:file], ref: upload_params[:referer_url]
+      url: params.dig(:upload, :source), file: params.dig(:upload, :file), ref: params.dig(:upload, :referer_url),
     )
     render body: nil
   end
 
   def create
-    @service = UploadService.new(upload_params)
+    @service = authorize UploadService.new(permitted_attributes(Upload)), policy_class: UploadPolicy
     @upload = @service.start!
 
     if @service.warnings.any?
@@ -57,17 +60,4 @@ class UploadsController < ApplicationController
 
     respond_with(@upload)
   end
-
-  private
-
-  def upload_params
-    permitted_params = %i[
-      file source tag_string rating status parent_id artist_commentary_title
-      artist_commentary_desc include_artist_commentary referer_url
-      md5_confirmation as_pending translated_commentary_title
-      translated_commentary_desc
-    ]
-
-    params.require(:upload).permit(permitted_params)
-  end
 end

app/policies/upload_policy.rb

@@ -0,0 +1,19 @@
+class UploadPolicy < ApplicationPolicy
+  def batch?
+    unbanned?
+  end
+
+  def image_proxy?
+    unbanned?
+  end
+
+  def preprocess?
+    unbanned?
+  end
+
+  def permitted_attributes
+    %i[file source tag_string rating status parent_id artist_commentary_title
+       artist_commentary_desc include_artist_commentary referer_url
+       md5_confirmation as_pending translated_commentary_title translated_commentary_desc]
+  end
+end

test/functional/uploads_controller_test.rb

@@ -243,6 +243,7 @@ class UploadsControllerTest < ActionDispatch::IntegrationTest
         assert_difference("Upload.count", 1) do
           file = Rack::Test::UploadedFile.new("#{Rails.root}/test/files/test.jpg", "image/jpeg")
           post_auth uploads_path, @user, params: {:upload => {:file => file, :tag_string => "aaa", :rating => "q", :source => "aaa"}}
+          assert_redirected_to Upload.last
         end
       end
     end