pundit: convert post disapprovals to pundit.

2020-03-19 20:10:48 -05:00
parent 84c654464d
commit ba0a5dda8a
5 changed files with 42 additions and 32 deletions
--- a/app/controllers/post_disapprovals_controller.rb
+++ b/app/controllers/post_disapprovals_controller.rb
@@ -1,23 +1,17 @@
 class PostDisapprovalsController < ApplicationController
-  before_action :approver_only, only: [:create]
  skip_before_action :api_check
  respond_to :js, :html, :json, :xml

  def create
-    @post_disapproval = PostDisapproval.create(user: CurrentUser.user, **post_disapproval_params)
+    @post_disapproval = authorize PostDisapproval.new(user: CurrentUser.user, **permitted_attributes(PostDisapproval))
+    @post_disapproval.save
    respond_with(@post_disapproval)
  end

  def index
-    @post_disapprovals = PostDisapproval.paginated_search(params)
+    @post_disapprovals = authorize PostDisapproval.paginated_search(params)
    @post_disapprovals = @post_disapprovals.includes(:user) if request.format.html?

    respond_with(@post_disapprovals)
  end
-
-  private
-
-  def post_disapproval_params
-    params.require(:post_disapproval).permit(%i[post_id reason message])
-  end
 end
--- a/app/models/post_disapproval.rb
+++ b/app/models/post_disapproval.rb
@@ -66,13 +66,9 @@ class PostDisapproval < ApplicationRecord
    super(message)
  end

-  def can_view_creator?(user)
-    user.is_moderator? || user_id == user.id
-  end
-
  def api_attributes
    attributes = super
-    attributes -= [:creator_id] unless can_view_creator?(CurrentUser.user)
+    attributes -= [:creator_id] unless Pundit.policy!([CurrentUser.user, nil], self).can_view_creator?
    attributes
  end
 end
--- a/app/policies/post_disapproval_policy.rb
+++ b/app/policies/post_disapproval_policy.rb
@@ -0,0 +1,13 @@
+class PostDisapprovalPolicy < ApplicationPolicy
+  def create?
+    user.is_approver?
+  end
+
+  def can_view_creator?
+    user.is_moderator? || record.user_id == user.id
+  end
+
+  def permitted_attributes
+    [:post_id, :reason, :message]
+  end
+end
--- a/app/views/post_disapprovals/index.html.erb
+++ b/app/views/post_disapprovals/index.html.erb
@@ -27,7 +27,7 @@
        <%= link_to post_disapproval.reason.humanize, post_disapprovals_path(search: params[:search].merge(reason: post_disapproval.reason)) %>
      <% end %>
      <% t.column "Created" do |post_disapproval| %>
-        <% if post_disapproval.can_view_creator?(CurrentUser.user) %>
+        <% if policy(post_disapproval).can_view_creator? %>
          <%= link_to_user post_disapproval.user %>
          <%= link_to "»", post_disapprovals_path(search: params[:search].merge(creator_name: post_disapproval.user&.name)) %>
        <% end %>