jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

pundit: convert comments to pundit.

Browse Source
This commit is contained in:
evazion
2020-03-15 15:37:34 -05:00
parent d8e4a26906
commit a0c4617057
7 changed files with 58 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
app/controllers/comments_controller.rb
View File

@@ -1,7 +1,6 @@
class CommentsController < ApplicationController
respond_to :html, :xml, :json, :atom
respond_to :js, only: [:new, :destroy, :undelete]
before_action :member_only, :except => [:index, :search, :show]
skip_before_action :api_check
def index
@@ -20,20 +19,25 @@ class CommentsController < ApplicationController
end
def new
@comment = Comment.new(comment_params(:create))
@comment.body = Comment.find(params[:id]).quoted_response if params[:id]
if params[:id]
quoted_comment = Comment.find(params[:id])
@comment = authorize Comment.new(post_id: quoted_comment.post_id, body: quoted_comment.quoted_response)
else
@comment = authorize Comment.new(permitted_attributes(Comment))
end
respond_with(@comment)
end
def update
@comment = Comment.find(params[:id])
check_privilege(@comment)
@comment.update(comment_params(:update))
@comment = authorize Comment.find(params[:id])
@comment.update(permitted_attributes(@comment))
respond_with(@comment, :location => post_path(@comment.post_id))
end
def create
@comment = Comment.create(comment_params(:create).merge(creator: CurrentUser.user, creator_ip_addr: CurrentUser.ip_addr))
@comment = authorize Comment.new(creator: CurrentUser.user, creator_ip_addr: CurrentUser.ip_addr)
@comment.update(permitted_attributes(@comment))
flash[:notice] = @comment.valid? ? "Comment posted" : @comment.errors.full_messages.join("; ")
respond_with(@comment) do |format|
format.html do
@@ -43,13 +47,12 @@ class CommentsController < ApplicationController
end
def edit
@comment = Comment.find(params[:id])
check_privilege(@comment)
@comment = authorize Comment.find(params[:id])
respond_with(@comment)
end
def show
@comment = Comment.find(params[:id])
@comment = authorize Comment.find(params[:id])
respond_with(@comment) do |format|
format.html do
@@ -59,15 +62,13 @@ class CommentsController < ApplicationController
end
def destroy
@comment = Comment.find(params[:id])
check_privilege(@comment)
@comment = authorize Comment.find(params[:id])
@comment.update(is_deleted: true)
respond_with(@comment)
end
def undelete
@comment = Comment.find(params[:id])
check_privilege(@comment)
@comment = authorize Comment.find(params[:id])
@comment.update(is_deleted: false)
respond_with(@comment)
end
@@ -103,19 +104,4 @@ class CommentsController < ApplicationController
respond_with(@comments)
end
def check_privilege(comment)
if !comment.editable_by?(CurrentUser.user)
raise User::PrivilegeError
end
end
def comment_params(context)
permitted_params = %i[body post_id]
permitted_params += %i[do_not_bump_post] if context == :create
permitted_params += %i[is_deleted] if context == :update
permitted_params += %i[is_sticky] if CurrentUser.is_moderator?
params.fetch(:comment, {}).permit(permitted_params)
end
end

4
app/models/comment.rb
View File

@@ -117,10 +117,6 @@ class Comment < ApplicationRecord
end
end
def editable_by?(user)
updater_id == user.id || user.is_moderator?
end
def reportable_by?(user)
creator_id != user.id && !creator.is_moderator?
end

19
app/policies/comment_policy.rb Normal file
View File

@@ -0,0 +1,19 @@
class CommentPolicy < ApplicationPolicy
def update?
unbanned? && (user.is_moderator? || record.updater_id == user.id)
end
def can_sticky_comment?
user.is_moderator?
end
def permitted_attributes_for_create
[:body, :post_id, :do_not_bump_post, (:is_sticky if can_sticky_comment?)].compact
end
def permitted_attributes_for_update
[:body, :is_deleted, (:is_sticky if can_sticky_comment?)].compact
end
alias_method :undelete?, :update?
end

6
app/views/comments/_form.html.erb
View File

@@ -1,14 +1,16 @@
<%= error_messages_for :comment %>
<%= edit_form_for(comment, html: { style: ("display: none;" if local_assigns[:hidden]), class: "edit_comment" }) do |f| %>
<%= f.hidden_field :post_id %>
<% if comment.new_record? %>
<%= f.hidden_field :post_id %>
<% end %>
<%= dtext_field "comment", "body", :classes => "autocomplete-mentions", :value => comment.body, :input_id => "comment_body_for_#{comment.id}", :preview_id => "dtext-preview-for-#{comment.id}" %>
<%= f.button :submit, "Submit" %>
<%= dtext_preview_button "comment", "body", :input_id => "comment_body_for_#{comment.id}", :preview_id => "dtext-preview-for-#{comment.id}" %>
<% if comment.new_record? %>
<%= f.input :do_not_bump_post, :label => "No bump" %>
<% end %>
<% if CurrentUser.is_moderator? %>
<% if policy(comment).can_sticky_comment? %>
<%= f.input :is_sticky, :label => "Post as moderator", :for => "comment_is_sticky" %>
<% end %>
<% end %>

2
app/views/comments/partials/index/_list.html.erb
View File

@@ -28,7 +28,7 @@
<% end %>
</div>
<% if CurrentUser.is_member? %>
<% if policy(Comment).create? %>
<div class="new-comment">
<p><%= link_to "Post comment", new_comment_path(comment: { post_id: post.id }), :class => "expand-comment-response" %></p>
<%= render "comments/form", comment: post.comments.new, hidden: true %>

6
app/views/comments/partials/show/_comment.html.erb
View File

@@ -31,7 +31,7 @@
</div>
<%= render "application/update_notice", record: comment %>
<% if CurrentUser.is_member? %>
<% if policy(comment).create? %>
<menu>
<% if context == :index_by_comment %>
<li><%= link_to "Reply", new_comment_path(id: comment, comment: { post_id: comment.post_id }), class: "reply-link" %></li>
@@ -39,7 +39,7 @@
<li><%= link_to "Reply", new_comment_path(id: comment, comment: { post_id: comment.post_id }), class: "reply-link", remote: true %></li>
<% end %>
<% if comment.editable_by?(CurrentUser.user) %>
<% if policy(comment).update? %>
<% if comment.is_deleted? %>
<li><%= link_to "Undelete", undelete_comment_path(comment.id), method: :post, remote: true %></li>
<% else %>
@@ -60,7 +60,7 @@
<li><%= link_to "Report", new_moderation_report_path(moderation_report: { model_type: "Comment", model_id: comment.id }), remote: true %></li>
<% end %>
</menu>
<% if comment.editable_by?(CurrentUser.user) %>
<% if policy(comment).update? %>
<%= render "comments/form", comment: comment, hidden: true %>
<% end %>
<% end %>

22
test/functional/comments_controller_test.rb
View File

@@ -151,6 +151,7 @@ class CommentsControllerTest < ActionDispatch::IntegrationTest
should "fail if updater is not a moderator" do
put_auth comment_path(@comment.id), @user, params: {comment: {is_sticky: true}}
assert_response 403
assert_equal(false, @comment.reload.is_sticky)
end
end
@@ -169,20 +170,29 @@ class CommentsControllerTest < ActionDispatch::IntegrationTest
end
should "not allow changing do_not_bump_post or post_id" do
as_user do
@another_post = create(:post)
end
put_auth comment_path(@comment.id), @comment.creator, params: {do_not_bump_post: true, post_id: @another_post.id}
@another_post = as(@user) { create(:post) }
put_auth comment_path(@comment.id), @comment.creator, params: { do_not_bump_post: true }
assert_response 403
assert_equal(false, @comment.reload.do_not_bump_post)
assert_equal(@post.id, @comment.post_id)
put_auth comment_path(@comment.id), @comment.creator, params: { post_id: @another_post.id }
assert_response 403
assert_equal(@post.id, @comment.reload.post_id)
end
end
context "new action" do
should "redirect" do
should "work" do
get_auth new_comment_path, @user
assert_response :success
end
should "work when quoting a post" do
@comment = create(:comment)
get_auth new_comment_path(id: @comment.id), @user, as: :javascript
assert_response :success
end
end
context "create action" do