pundit: convert forum topics / forum posts to pundit.
Fix it being possible for users to delete or undelete their own forum posts and topics, even if they were deleted by a mod.
This commit is contained in:
evazion
@@ -1,25 +1,14 @@
|
||||
class ForumPostsController < ApplicationController
|
||||
respond_to :html, :xml, :json, :js
|
||||
before_action :member_only, :except => [:index, :show, :search]
|
||||
before_action :load_post, :only => [:edit, :show, :update, :destroy, :undelete]
|
||||
before_action :check_min_level, :only => [:edit, :show, :update, :destroy, :undelete]
|
||||
skip_before_action :api_check
|
||||
|
||||
def new
|
||||
if params[:topic_id]
|
||||
@forum_topic = ForumTopic.find(params[:topic_id])
|
||||
raise User::PrivilegeError.new unless @forum_topic.visible?(CurrentUser.user)
|
||||
end
|
||||
if params[:post_id]
|
||||
quoted_post = ForumPost.find(params[:post_id])
|
||||
raise User::PrivilegeError.new unless quoted_post.topic.visible?(CurrentUser.user)
|
||||
end
|
||||
@forum_post = ForumPost.new_reply(params)
|
||||
@forum_post = authorize ForumPost.new_reply(params)
|
||||
respond_with(@forum_post)
|
||||
end
|
||||
|
||||
def edit
|
||||
check_privilege(@forum_post)
|
||||
@forum_post = authorize ForumPost.find(params[:id])
|
||||
respond_with(@forum_post)
|
||||
end
|
||||
|
||||
@@ -34,6 +23,8 @@ class ForumPostsController < ApplicationController
|
||||
end
|
||||
|
||||
def show
|
||||
@forum_post = authorize ForumPost.find(params[:id])
|
||||
|
||||
respond_with(@forum_post) do |format|
|
||||
format.html do
|
||||
page = @forum_post.forum_topic_page
|
||||
@@ -44,51 +35,29 @@ class ForumPostsController < ApplicationController
|
||||
end
|
||||
|
||||
def create
|
||||
@forum_post = ForumPost.create(forum_post_params(:create).merge(creator: CurrentUser.user))
|
||||
@forum_post = authorize ForumPost.new(creator: CurrentUser.user, topic_id: params.dig(:forum_post, :topic_id))
|
||||
@forum_post.update(permitted_attributes(@forum_post))
|
||||
|
||||
page = @forum_post.topic.last_page if @forum_post.topic.last_page > 1
|
||||
respond_with(@forum_post, :location => forum_topic_path(@forum_post.topic, :page => page))
|
||||
end
|
||||
|
||||
def update
|
||||
check_privilege(@forum_post)
|
||||
@forum_post.update(forum_post_params(:update))
|
||||
@forum_post = authorize ForumPost.find(params[:id])
|
||||
@forum_post.update(permitted_attributes(@forum_post))
|
||||
page = @forum_post.forum_topic_page if @forum_post.forum_topic_page > 1
|
||||
respond_with(@forum_post, :location => forum_topic_path(@forum_post.topic, :page => page, :anchor => "forum_post_#{@forum_post.id}"))
|
||||
end
|
||||
|
||||
def destroy
|
||||
check_privilege(@forum_post)
|
||||
@forum_post = authorize ForumPost.find(params[:id])
|
||||
@forum_post.delete!
|
||||
respond_with(@forum_post)
|
||||
end
|
||||
|
||||
def undelete
|
||||
check_privilege(@forum_post)
|
||||
@forum_post = authorize ForumPost.find(params[:id])
|
||||
@forum_post.undelete!
|
||||
respond_with(@forum_post)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def load_post
|
||||
@forum_post = ForumPost.find(params[:id])
|
||||
@forum_topic = @forum_post.topic
|
||||
end
|
||||
|
||||
def check_min_level
|
||||
raise User::PrivilegeError if CurrentUser.user.level < @forum_topic.min_level
|
||||
end
|
||||
|
||||
def check_privilege(forum_post)
|
||||
if !forum_post.editable_by?(CurrentUser.user)
|
||||
raise User::PrivilegeError
|
||||
end
|
||||
end
|
||||
|
||||
def forum_post_params(context)
|
||||
permitted_params = [:body]
|
||||
permitted_params += [:topic_id] if context == :create
|
||||
|
||||
params.require(:forum_post).permit(permitted_params)
|
||||
end
|
||||
end
|
||||
|
||||
@@ -1,20 +1,17 @@
|
||||
class ForumTopicsController < ApplicationController
|
||||
respond_to :html, :xml, :json
|
||||
respond_to :atom, only: [:index, :show]
|
||||
before_action :member_only, :except => [:index, :show]
|
||||
before_action :normalize_search, :only => :index
|
||||
before_action :load_topic, :only => [:edit, :show, :update, :destroy, :undelete]
|
||||
before_action :check_min_level, :only => [:show, :edit, :update, :destroy, :undelete]
|
||||
skip_before_action :api_check
|
||||
|
||||
def new
|
||||
@forum_topic = ForumTopic.new
|
||||
@forum_topic = authorize ForumTopic.new
|
||||
@forum_topic.original_post = ForumPost.new
|
||||
respond_with(@forum_topic)
|
||||
end
|
||||
|
||||
def edit
|
||||
check_privilege(@forum_topic)
|
||||
@forum_topic = authorize ForumTopic.find(params[:id])
|
||||
respond_with(@forum_topic)
|
||||
end
|
||||
|
||||
@@ -35,11 +32,13 @@ class ForumTopicsController < ApplicationController
|
||||
end
|
||||
|
||||
def show
|
||||
@forum_topic = authorize ForumTopic.find(params[:id])
|
||||
|
||||
if request.format.html?
|
||||
@forum_topic.mark_as_read!(CurrentUser.user)
|
||||
end
|
||||
|
||||
@forum_posts = ForumPost.search(:topic_id => @forum_topic.id).reorder("forum_posts.id").paginate(params[:page])
|
||||
@forum_posts = @forum_topic.forum_posts.order(id: :asc).paginate(params[:page], limit: params[:limit])
|
||||
|
||||
if request.format.atom?
|
||||
@forum_posts = @forum_posts.reverse_order.load
|
||||
@@ -51,7 +50,7 @@ class ForumTopicsController < ApplicationController
|
||||
end
|
||||
|
||||
def create
|
||||
@forum_topic = ForumTopic.new(forum_topic_params(:create))
|
||||
@forum_topic = authorize ForumTopic.new(permitted_attributes(ForumTopic))
|
||||
@forum_topic.creator = CurrentUser.user
|
||||
@forum_topic.original_post.creator = CurrentUser.user
|
||||
@forum_topic.save
|
||||
@@ -60,13 +59,13 @@ class ForumTopicsController < ApplicationController
|
||||
end
|
||||
|
||||
def update
|
||||
check_privilege(@forum_topic)
|
||||
@forum_topic.update(forum_topic_params(:update))
|
||||
@forum_topic = authorize ForumTopic.find(params[:id])
|
||||
@forum_topic.update(permitted_attributes(@forum_topic))
|
||||
respond_with(@forum_topic)
|
||||
end
|
||||
|
||||
def destroy
|
||||
check_privilege(@forum_topic)
|
||||
@forum_topic = authorize ForumTopic.find(params[:id])
|
||||
@forum_topic.update(is_deleted: true)
|
||||
@forum_topic.create_mod_action_for_delete
|
||||
flash[:notice] = "Topic deleted"
|
||||
@@ -74,7 +73,7 @@ class ForumTopicsController < ApplicationController
|
||||
end
|
||||
|
||||
def undelete
|
||||
check_privilege(@forum_topic)
|
||||
@forum_topic = authorize ForumTopic.find(params[:id])
|
||||
@forum_topic.update(is_deleted: false)
|
||||
@forum_topic.create_mod_action_for_undelete
|
||||
flash[:notice] = "Topic undeleted"
|
||||
@@ -82,6 +81,7 @@ class ForumTopicsController < ApplicationController
|
||||
end
|
||||
|
||||
def mark_all_as_read
|
||||
authorize ForumTopic
|
||||
CurrentUser.user.update_attribute(:last_forum_read_at, Time.now)
|
||||
ForumTopicVisit.prune!(CurrentUser.user)
|
||||
redirect_to forum_topics_path, :notice => "All topics marked as read"
|
||||
@@ -100,25 +100,4 @@ class ForumTopicsController < ApplicationController
|
||||
params[:search][:title] = params.delete(:title)
|
||||
end
|
||||
end
|
||||
|
||||
def check_privilege(forum_topic)
|
||||
if !forum_topic.editable_by?(CurrentUser.user)
|
||||
raise User::PrivilegeError
|
||||
end
|
||||
end
|
||||
|
||||
def load_topic
|
||||
@forum_topic = ForumTopic.find(params[:id])
|
||||
end
|
||||
|
||||
def check_min_level
|
||||
raise User::PrivilegeError if CurrentUser.user.level < @forum_topic.min_level
|
||||
end
|
||||
|
||||
def forum_topic_params(context)
|
||||
permitted_params = [:title, :category_id, { original_post_attributes: %i[id body] }]
|
||||
permitted_params += %i[is_sticky is_locked min_level] if CurrentUser.is_moderator?
|
||||
|
||||
params.require(:forum_topic).permit(permitted_params)
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user