From 919a2868be480e93609450dc640dea58e5ce2abb Mon Sep 17 00:00:00 2001
From: evazion <noizave@gmail.com>
Date: Sat, 28 Mar 2020 21:15:51 -0500
Subject: [PATCH] Fix #4374: Unvoting comments is broken.

---
 app/controllers/comment_votes_controller.rb   |  4 +--
 app/policies/comment_vote_policy.rb           |  4 +++
 .../comment_votes_controller_test.rb          | 29 +++++++++++++++++++
 3 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/app/controllers/comment_votes_controller.rb b/app/controllers/comment_votes_controller.rb
index 52ad7bc15..667611669 100644
--- a/app/controllers/comment_votes_controller.rb
+++ b/app/controllers/comment_votes_controller.rb
@@ -10,13 +10,13 @@ class CommentVotesController < ApplicationController
   end
 
   def create
-    @comment = authorize Comment.find(params[:comment_id])
+    @comment = authorize Comment.find(params[:comment_id]), policy_class: CommentVotePolicy
     @comment_vote = @comment.vote!(params[:score])
     respond_with(@comment)
   end
 
   def destroy
-    @comment = authorize Comment.find(params[:comment_id])
+    @comment = authorize Comment.find(params[:comment_id]), policy_class: CommentVotePolicy
     @comment.unvote!
     respond_with(@comment)
   end
diff --git a/app/policies/comment_vote_policy.rb b/app/policies/comment_vote_policy.rb
index 0ce20459d..1769427f8 100644
--- a/app/policies/comment_vote_policy.rb
+++ b/app/policies/comment_vote_policy.rb
@@ -1,2 +1,6 @@
 class CommentVotePolicy < ApplicationPolicy
+  def destroy?
+    # XXX permissions are checked in Comment#unvote!
+    true
+  end
 end
diff --git a/test/functional/comment_votes_controller_test.rb b/test/functional/comment_votes_controller_test.rb
index ef2dda3da..5d2b713d8 100644
--- a/test/functional/comment_votes_controller_test.rb
+++ b/test/functional/comment_votes_controller_test.rb
@@ -13,6 +13,15 @@ class CommentVotesControllerTest < ActionDispatch::IntegrationTest
       CurrentUser.ip_addr = nil
     end
 
+    context "#index" do
+      should "work" do
+        create(:comment_vote, user: @user)
+        get_auth comment_votes_path, @user
+
+        assert_response :success
+      end
+    end
+
     context "#create.json" do
       should "create a vote" do
         assert_difference("CommentVote.count", 1) do
@@ -53,5 +62,25 @@ class CommentVotesControllerTest < ActionDispatch::IntegrationTest
         end
       end
     end
+
+    context "#destroy" do
+      should "allow users to remove their own comment votes" do
+        @vote = create(:comment_vote, user: @user)
+
+        assert_difference("CommentVote.count", -1) do
+          delete_auth comment_comment_votes_path(@vote.comment), @user
+          assert_redirected_to @vote.comment
+        end
+      end
+
+      should "not allow users to remove comment votes by other users" do
+        @vote = create(:comment_vote)
+
+        assert_difference("CommentVote.count", 0) do
+          delete_auth comment_comment_votes_path(@vote.comment), @user
+          assert_response 422
+        end
+      end
+    end
   end
 end