From cbee23f9ad44a47e9c91b3abc7df281f0f3bb710 Mon Sep 17 00:00:00 2001
From: evazion
Date: Thu, 19 Mar 2020 19:57:24 -0500
Subject: [PATCH] pundit: convert post appeals to pundit.
---
 app/controllers/post_appeals_controller.rb | 16 +++++-----------
 app/policies/post_appeal_policy.rb | 5 +++++
 2 files changed, 10 insertions(+), 11 deletions(-)
 create mode 100644 app/policies/post_appeal_policy.rb
diff --git a/app/controllers/post_appeals_controller.rb b/app/controllers/post_appeals_controller.rb
index 46e79a0a9..14d367688 100644
--- a/app/controllers/post_appeals_controller.rb
+++ b/app/controllers/post_appeals_controller.rb
@@ -1,14 +1,13 @@
 class PostAppealsController < ApplicationController
- before_action :member_only, :except => [:index, :show]
 respond_to :html, :xml, :json, :js
 def new
- @post_appeal = PostAppeal.new(post_appeal_params)
+ @post_appeal = authorize PostAppeal.new(permitted_attributes(PostAppeal))
 respond_with(@post_appeal)
 end
 def index
- @post_appeals = PostAppeal.paginated_search(params)
+ @post_appeals = authorize PostAppeal.paginated_search(params)
 if request.format.html?
 @post_appeals = @post_appeals.includes(:creator, post: [:appeals, :uploader, :approver])
@@ -20,21 +19,16 @@ class PostAppealsController < ApplicationController
 end
 def create
- @post_appeal = PostAppeal.create(post_appeal_params.merge(creator: CurrentUser.user))
+ @post_appeal = authorize PostAppeal.new(creator: CurrentUser.user, **permitted_attributes(PostAppeal))
+ @post_appeal.save
 flash[:notice] = @post_appeal.errors.none? ? "Post appealed" : @post_appeal.errors.full_messages.join("; ")
 respond_with(@post_appeal)
 end
 def show
- @post_appeal = PostAppeal.find(params[:id])
+ @post_appeal = authorize PostAppeal.find(params[:id])
 respond_with(@post_appeal) do |fmt|
 fmt.html { redirect_to post_appeals_path(search: { id: @post_appeal.id }) }
 end
 end
-
- private
-
- def post_appeal_params
- params.fetch(:post_appeal, {}).permit(%i[post_id reason])
- end
 end
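Review bot: Removing `before_action :member_only, :except => [:index, :show]` leaves `new` in this hunk, and `create` in the second hunk, guarded only by `authorize`, while the `PostAppealPolicy` added by this patch defines nothing but `permitted_attributes`. The member-only rule therefore depends on the `new?`/`create?` predicates inherited from `ApplicationPolicy`, which this patch does not show; if those defaults are looser than `member_only` was, anonymous users could file appeals. I would state the rule where it now lives, either with an explicit `create?` override in `app/policies/post_appeal_policy.rb` or at least a comment there such as `# new?/create? come from ApplicationPolicy and must keep appeals member-only (replaces before_action :member_only)`. A controller test asserting that an anonymous `create` is rejected would pin the behaviour across future changes to the base policy.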
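Review bot: In `create`, `PostAppeal.new(creator: CurrentUser.user, **permitted_attributes(PostAppeal))` places the server-set `creator` before the request-supplied attributes, whereas the removed `post_appeal_params.merge(creator: CurrentUser.user)` applied it last so it always won. With only `post_id` and `reason` permitted this is harmless today, but if a creator attribute were ever added to `permitted_attributes`, the client-supplied value would presumably take precedence over the current user. Keeping the trusted value last preserves the old guarantee: `PostAppeal.new(**permitted_attributes(PostAppeal), creator: CurrentUser.user)`.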
diff --git a/app/policies/post_appeal_policy.rb b/app/policies/post_appeal_policy.rb
new file mode 100644
index 000000000..f9f125acb
--- /dev/null
+++ b/app/policies/post_appeal_policy.rb
@@ -0,0 +1,5 @@
+class PostAppealPolicy < ApplicationPolicy
+ def permitted_attributes
+ [:post_id, :reason]
+ end
+end