pundit: convert post replacements to pundit.

app/controllers/post_replacements_controller.rb

@@ -1,46 +1,31 @@
 class PostReplacementsController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_action :moderator_only, except: [:index]
 
   def new
-    @post_replacement = Post.find(params[:post_id]).replacements.new
+    @post_replacement = authorize PostReplacement.new(post_id: params[:post_id], **permitted_attributes(PostReplacement))
     respond_with(@post_replacement)
   end
 
   def create
-    @post = Post.find(params[:post_id])
-    @post_replacement = @post.replace!(create_params)
+    @post = authorize Post.find(params[:post_id]), policy_class: PostReplacementPolicy
+    @post_replacement = @post.replace!(permitted_attributes(PostReplacement))
 
     flash[:notice] = "Post replaced"
     respond_with(@post_replacement, location: @post)
   end
 
   def update
-    @post_replacement = PostReplacement.find(params[:id])
-    @post_replacement.update(update_params)
+    @post_replacement = authorize PostReplacement.find(params[:id])
+    @post_replacement.update(permitted_attributes(@post_replacement))
 
     respond_with(@post_replacement)
   end
 
   def index
     params[:search][:post_id] = params.delete(:post_id) if params.key?(:post_id)
-    @post_replacements = PostReplacement.paginated_search(params)
+    @post_replacements = authorize PostReplacement.paginated_search(params)
     @post_replacements = @post_replacements.includes(:creator, post: :uploader) if request.format.html?
 
     respond_with(@post_replacements)
   end
-
-  private
-
-  def create_params
-    params.require(:post_replacement).permit(:replacement_url, :replacement_file, :final_source, :tags)
-  end
-
-  def update_params
-    params.require(:post_replacement).permit(
-      :file_ext_was, :file_size_was, :image_width_was, :image_height_was, :md5_was,
-      :file_ext, :file_size, :image_width, :image_height, :md5,
-      :original_url, :replacement_url
-    )
-  end
 end

app/policies/post_replacement_policy.rb

@@ -0,0 +1,19 @@
+class PostReplacementPolicy < ApplicationPolicy
+  def create?
+    user.is_moderator?
+  end
+
+  def update?
+    user.is_moderator?
+  end
+
+  def permitted_attributes_for_create
+    [:replacement_url, :replacement_file, :final_source, :tags]
+  end
+
+  def permitted_attributes_for_update
+    [:file_ext_was, :file_size_was, :image_width_was, :image_height_was,
+     :md5_was, :file_ext, :file_size, :image_width, :image_height, :md5,
+     :original_url, :replacement_url]
+  end
+end

test/functional/post_replacements_controller_test.rb

@@ -3,8 +3,8 @@ require 'test_helper'
 class PostReplacementsControllerTest < ActionDispatch::IntegrationTest
   context "The post replacements controller" do
     setup do
-      @user = create(:moderator_user, can_approve_posts: true, created_at: 1.month.ago)
-      @user.as_current do
+      @mod = create(:moderator_user, can_approve_posts: true, created_at: 1.month.ago)
+      as(@mod) do
         @post = create(:post, source: "https://google.com")
         @post_replacement = create(:post_replacement, post: @post)
       end
@@ -20,19 +20,25 @@ class PostReplacementsControllerTest < ActionDispatch::IntegrationTest
           }
         }
 
-        assert_difference(-> { @post.replacements.size }) do
-          post_auth post_replacements_path, @user, params: params
-          @post.reload
+        assert_difference("PostReplacement.count") do
+          post_auth post_replacements_path, @mod, params: params
+          assert_response :success
         end
 
         travel(PostReplacement::DELETION_GRACE_PERIOD + 1.day)
         perform_enqueued_jobs
 
-        assert_response :success
-        assert_equal("https://cdn.donmai.us/original/d3/4e/d34e4cf0a437a5d65f8e82b7bcd02606.jpg", @post.source)
+        assert_equal("https://cdn.donmai.us/original/d3/4e/d34e4cf0a437a5d65f8e82b7bcd02606.jpg", @post.reload.source)
         assert_equal("d34e4cf0a437a5d65f8e82b7bcd02606", @post.md5)
         assert_equal("d34e4cf0a437a5d65f8e82b7bcd02606", Digest::MD5.file(@post.file(:original)).hexdigest)
       end
+
+      should "not allow non-mods to replace posts" do
+        assert_difference("PostReplacement.count", 0) do
+          post_auth post_replacements_path(post_id: @post.id), create(:user), params: { post_replacement: { replacement_url: "https://cdn.donmai.us/original/d3/4e/d34e4cf0a437a5d65f8e82b7bcd02606.jpg" }}
+          assert_response 403
+        end
+      end
     end
 
     context "update action" do
@@ -46,9 +52,9 @@ class PostReplacementsControllerTest < ActionDispatch::IntegrationTest
           }
         }
 
-        put_auth post_replacement_path(@post_replacement), @user, params: params
-        @post_replacement.reload
-        assert_equal(23, @post_replacement.file_size_was)
+        put_auth post_replacement_path(@post_replacement), @mod, params: params
+        assert_response :success
+        assert_equal(23, @post_replacement.reload.file_size_was)
         assert_equal(42, @post_replacement.file_size)
       end
     end