jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

pundit: convert comments to pundit.

Browse Source
This commit is contained in:
evazion
2020-03-15 15:37:34 -05:00
parent d8e4a26906
commit a0c4617057
7 changed files with 58 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
app/controllers/comments_controller.rb
View File

@@ -1,7 +1,6 @@
class CommentsController < ApplicationController class CommentsController < ApplicationController
respond_to :html, :xml, :json, :atom respond_to :html, :xml, :json, :atom
respond_to :js, only: [:new, :destroy, :undelete] respond_to :js, only: [:new, :destroy, :undelete]
before_action :member_only, :except => [:index, :search, :show]
skip_before_action :api_check skip_before_action :api_check
def index def index
@@ -20,20 +19,25 @@ class CommentsController < ApplicationController
end end
def new def new
@comment = Comment.new(comment_params(:create)) if params[:id]
@comment.body = Comment.find(params[:id]).quoted_response if params[:id] quoted_comment = Comment.find(params[:id])
@comment = authorize Comment.new(post_id: quoted_comment.post_id, body: quoted_comment.quoted_response)
else
@comment = authorize Comment.new(permitted_attributes(Comment))
end
respond_with(@comment) respond_with(@comment)
end end
def update def update
@comment = Comment.find(params[:id]) @comment = authorize Comment.find(params[:id])
check_privilege(@comment) @comment.update(permitted_attributes(@comment))
@comment.update(comment_params(:update))
respond_with(@comment, :location => post_path(@comment.post_id)) respond_with(@comment, :location => post_path(@comment.post_id))
end end
def create def create
@comment = Comment.create(comment_params(:create).merge(creator: CurrentUser.user, creator_ip_addr: CurrentUser.ip_addr)) @comment = authorize Comment.new(creator: CurrentUser.user, creator_ip_addr: CurrentUser.ip_addr)
@comment.update(permitted_attributes(@comment))
flash[:notice] = @comment.valid? ? "Comment posted" : @comment.errors.full_messages.join("; ") flash[:notice] = @comment.valid? ? "Comment posted" : @comment.errors.full_messages.join("; ")
respond_with(@comment) do |format| respond_with(@comment) do |format|
format.html do format.html do
@@ -43,13 +47,12 @@ class CommentsController < ApplicationController
end end
def edit def edit
@comment = Comment.find(params[:id]) @comment = authorize Comment.find(params[:id])
check_privilege(@comment)
respond_with(@comment) respond_with(@comment)
end end
def show def show
@comment = Comment.find(params[:id]) @comment = authorize Comment.find(params[:id])
respond_with(@comment) do |format| respond_with(@comment) do |format|
format.html do format.html do
@@ -59,15 +62,13 @@ class CommentsController < ApplicationController
end end
def destroy def destroy
@comment = Comment.find(params[:id]) @comment = authorize Comment.find(params[:id])
check_privilege(@comment)
@comment.update(is_deleted: true) @comment.update(is_deleted: true)
respond_with(@comment) respond_with(@comment)
end end
def undelete def undelete
@comment = Comment.find(params[:id]) @comment = authorize Comment.find(params[:id])
check_privilege(@comment)
@comment.update(is_deleted: false) @comment.update(is_deleted: false)
respond_with(@comment) respond_with(@comment)
end end
@@ -103,19 +104,4 @@ class CommentsController < ApplicationController
respond_with(@comments) respond_with(@comments)
end end
def check_privilege(comment)
if !comment.editable_by?(CurrentUser.user)
raise User::PrivilegeError
end
end
def comment_params(context)
permitted_params = %i[body post_id]
permitted_params += %i[do_not_bump_post] if context == :create
permitted_params += %i[is_deleted] if context == :update
permitted_params += %i[is_sticky] if CurrentUser.is_moderator?
params.fetch(:comment, {}).permit(permitted_params)
end
end end

4
app/models/comment.rb
View File

@@ -117,10 +117,6 @@ class Comment < ApplicationRecord
end end
end end
def editable_by?(user)
updater_id == user.id || user.is_moderator?
end
def reportable_by?(user) def reportable_by?(user)
creator_id != user.id && !creator.is_moderator? creator_id != user.id && !creator.is_moderator?
end end

19
app/policies/comment_policy.rb Normal file
View File

@@ -0,0 +1,19 @@
class CommentPolicy < ApplicationPolicy
def update?
unbanned? && (user.is_moderator? || record.updater_id == user.id)
end
def can_sticky_comment?
user.is_moderator?
end
def permitted_attributes_for_create
[:body, :post_id, :do_not_bump_post, (:is_sticky if can_sticky_comment?)].compact
end
def permitted_attributes_for_update
[:body, :is_deleted, (:is_sticky if can_sticky_comment?)].compact
end
alias_method :undelete?, :update?
end

6
app/views/comments/_form.html.erb
View File

@@ -1,14 +1,16 @@
<%= error_messages_for :comment %> <%= error_messages_for :comment %>
<%= edit_form_for(comment, html: { style: ("display: none;" if local_assigns[:hidden]), class: "edit_comment" }) do |f| %> <%= edit_form_for(comment, html: { style: ("display: none;" if local_assigns[:hidden]), class: "edit_comment" }) do |f| %>
<%= f.hidden_field :post_id %> <% if comment.new_record? %>
<%= f.hidden_field :post_id %>
<% end %>
<%= dtext_field "comment", "body", :classes => "autocomplete-mentions", :value => comment.body, :input_id => "comment_body_for_#{comment.id}", :preview_id => "dtext-preview-for-#{comment.id}" %> <%= dtext_field "comment", "body", :classes => "autocomplete-mentions", :value => comment.body, :input_id => "comment_body_for_#{comment.id}", :preview_id => "dtext-preview-for-#{comment.id}" %>
<%= f.button :submit, "Submit" %> <%= f.button :submit, "Submit" %>
<%= dtext_preview_button "comment", "body", :input_id => "comment_body_for_#{comment.id}", :preview_id => "dtext-preview-for-#{comment.id}" %> <%= dtext_preview_button "comment", "body", :input_id => "comment_body_for_#{comment.id}", :preview_id => "dtext-preview-for-#{comment.id}" %>
<% if comment.new_record? %> <% if comment.new_record? %>
<%= f.input :do_not_bump_post, :label => "No bump" %> <%= f.input :do_not_bump_post, :label => "No bump" %>
<% end %> <% end %>
<% if CurrentUser.is_moderator? %> <% if policy(comment).can_sticky_comment? %>
<%= f.input :is_sticky, :label => "Post as moderator", :for => "comment_is_sticky" %> <%= f.input :is_sticky, :label => "Post as moderator", :for => "comment_is_sticky" %>
<% end %> <% end %>
<% end %> <% end %>

2
app/views/comments/partials/index/_list.html.erb
View File

@@ -28,7 +28,7 @@
<% end %> <% end %>
</div> </div>
<% if CurrentUser.is_member? %> <% if policy(Comment).create? %>
<div class="new-comment"> <div class="new-comment">
<p><%= link_to "Post comment", new_comment_path(comment: { post_id: post.id }), :class => "expand-comment-response" %></p> <p><%= link_to "Post comment", new_comment_path(comment: { post_id: post.id }), :class => "expand-comment-response" %></p>
<%= render "comments/form", comment: post.comments.new, hidden: true %> <%= render "comments/form", comment: post.comments.new, hidden: true %>

6
app/views/comments/partials/show/_comment.html.erb
View File

@@ -31,7 +31,7 @@
</div> </div>
<%= render "application/update_notice", record: comment %> <%= render "application/update_notice", record: comment %>
<% if CurrentUser.is_member? %> <% if policy(comment).create? %>
<menu> <menu>
<% if context == :index_by_comment %> <% if context == :index_by_comment %>
<li><%= link_to "Reply", new_comment_path(id: comment, comment: { post_id: comment.post_id }), class: "reply-link" %></li> <li><%= link_to "Reply", new_comment_path(id: comment, comment: { post_id: comment.post_id }), class: "reply-link" %></li>
@@ -39,7 +39,7 @@
<li><%= link_to "Reply", new_comment_path(id: comment, comment: { post_id: comment.post_id }), class: "reply-link", remote: true %></li> <li><%= link_to "Reply", new_comment_path(id: comment, comment: { post_id: comment.post_id }), class: "reply-link", remote: true %></li>
<% end %> <% end %>
<% if comment.editable_by?(CurrentUser.user) %> <% if policy(comment).update? %>
<% if comment.is_deleted? %> <% if comment.is_deleted? %>
<li><%= link_to "Undelete", undelete_comment_path(comment.id), method: :post, remote: true %></li> <li><%= link_to "Undelete", undelete_comment_path(comment.id), method: :post, remote: true %></li>
<% else %> <% else %>
@@ -60,7 +60,7 @@
<li><%= link_to "Report", new_moderation_report_path(moderation_report: { model_type: "Comment", model_id: comment.id }), remote: true %></li> <li><%= link_to "Report", new_moderation_report_path(moderation_report: { model_type: "Comment", model_id: comment.id }), remote: true %></li>
<% end %> <% end %>
</menu> </menu>
<% if comment.editable_by?(CurrentUser.user) %> <% if policy(comment).update? %>
<%= render "comments/form", comment: comment, hidden: true %> <%= render "comments/form", comment: comment, hidden: true %>
<% end %> <% end %>
<% end %> <% end %>

22
test/functional/comments_controller_test.rb
View File

@@ -151,6 +151,7 @@ class CommentsControllerTest < ActionDispatch::IntegrationTest
should "fail if updater is not a moderator" do should "fail if updater is not a moderator" do
put_auth comment_path(@comment.id), @user, params: {comment: {is_sticky: true}} put_auth comment_path(@comment.id), @user, params: {comment: {is_sticky: true}}
assert_response 403
assert_equal(false, @comment.reload.is_sticky) assert_equal(false, @comment.reload.is_sticky)
end end
end end
@@ -169,20 +170,29 @@ class CommentsControllerTest < ActionDispatch::IntegrationTest
end end
should "not allow changing do_not_bump_post or post_id" do should "not allow changing do_not_bump_post or post_id" do
as_user do @another_post = as(@user) { create(:post) }
@another_post = create(:post)
end put_auth comment_path(@comment.id), @comment.creator, params: { do_not_bump_post: true }
put_auth comment_path(@comment.id), @comment.creator, params: {do_not_bump_post: true, post_id: @another_post.id} assert_response 403
assert_equal(false, @comment.reload.do_not_bump_post) assert_equal(false, @comment.reload.do_not_bump_post)
assert_equal(@post.id, @comment.post_id)
put_auth comment_path(@comment.id), @comment.creator, params: { post_id: @another_post.id }
assert_response 403
assert_equal(@post.id, @comment.reload.post_id)
end end
end end
context "new action" do context "new action" do
should "redirect" do should "work" do
get_auth new_comment_path, @user get_auth new_comment_path, @user
assert_response :success assert_response :success
end end
should "work when quoting a post" do
@comment = create(:comment)
get_auth new_comment_path(id: @comment.id), @user, as: :javascript
assert_response :success
end
end end
context "create action" do context "create action" do