From dd39913e558e3b005895f2c8f5cde7fca1163cff Mon Sep 17 00:00:00 2001
From: evazion
Date: Fri, 20 Mar 2020 00:30:37 -0500
Subject: [PATCH] pundit: convert post replacements to pundit.
---
 .../post_replacements_controller.rb | 27 +++++--------------
 app/policies/post_replacement_policy.rb | 19 +++++++++++++
 .../post_replacements_controller_test.rb | 26 +++++++++++-------
 3 files changed, 41 insertions(+), 31 deletions(-)
 create mode 100644 app/policies/post_replacement_policy.rb
diff --git a/app/controllers/post_replacements_controller.rb b/app/controllers/post_replacements_controller.rb
index b3497595a..45268ae8d 100644
--- a/app/controllers/post_replacements_controller.rb
+++ b/app/controllers/post_replacements_controller.rb
@@ -1,46 +1,31 @@
 class PostReplacementsController < ApplicationController
 respond_to :html, :xml, :json, :js
- before_action :moderator_only, except: [:index]
 def new
- @post_replacement = Post.find(params[:post_id]).replacements.new
+ @post_replacement = authorize PostReplacement.new(post_id: params[:post_id], **permitted_attributes(PostReplacement))
 respond_with(@post_replacement)
 end
 def create
- @post = Post.find(params[:post_id])
- @post_replacement = @post.replace!(create_params)
+ @post = authorize Post.find(params[:post_id]), policy_class: PostReplacementPolicy
+ @post_replacement = @post.replace!(permitted_attributes(PostReplacement))
 flash[:notice] = "Post replaced"
 respond_with(@post_replacement, location: @post)
 end
 def update
- @post_replacement = PostReplacement.find(params[:id])
- @post_replacement.update(update_params)
+ @post_replacement = authorize PostReplacement.find(params[:id])
+ @post_replacement.update(permitted_attributes(@post_replacement))
 respond_with(@post_replacement)
 end
 def index
 params[:search][:post_id] = params.delete(:post_id) if params.key?(:post_id)
- @post_replacements = PostReplacement.paginated_search(params)
+ @post_replacements = authorize PostReplacement.paginated_search(params)
 @post_replacements = @post_replacements.includes(:creator, post: :uploader) if request.format.html?
 respond_with(@post_replacements)
 end
-
- private
-
- def create_params
- params.require(:post_replacement).permit(:replacement_url, :replacement_file, :final_source, :tags)
- end
-
- def update_params
- params.require(:post_replacement).permit(
- :file_ext_was, :file_size_was, :image_width_was, :image_height_was, :md5_was,
- :file_ext, :file_size, :image_width, :image_height, :md5,
- :original_url, :replacement_url
- )
- end
 end
diff --git a/app/policies/post_replacement_policy.rb b/app/policies/post_replacement_policy.rb
new file mode 100644
index 000000000..0cec75193
--- /dev/null
+++ b/app/policies/post_replacement_policy.rb
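Review bot: The new action calls `permitted_attributes(PostReplacement)` without naming an action, so Pundit derives the method from action_name and looks for `permitted_attributes_for_new`, which the PostReplacementPolicy added in this patch does not define; it then falls back to a plain `permitted_attributes` that would have to come from ApplicationPolicy, outside this patch. If that fallback is missing the form page raises, and if it exists the `new` form may whitelist a different set than `create` does. Passing the action explicitly keeps the two in lockstep: `@post_replacement = authorize PostReplacement.new(post_id: params[:post_id], **permitted_attributes(PostReplacement, :create))`. Pundit's helper also does `params.require(:post_replacement)` under the hood, so a bare GET of the new page with no post_replacement params would raise ParameterMissing unless the app overrides pundit_params_for — the old code never read the request body in `new`, so a test for that path is worth adding.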
@@ -0,0 +1,19 @@
+class PostReplacementPolicy < ApplicationPolicy
+ def create?
+ user.is_moderator?
+ end
+
+ def update?
+ user.is_moderator?
+ end
+
+ def permitted_attributes_for_create
+ [:replacement_url, :replacement_file, :final_source, :tags]
+ end
+
+ def permitted_attributes_for_update
+ [:file_ext_was, :file_size_was, :image_width_was, :image_height_was,
+ :md5_was, :file_ext, :file_size, :image_width, :image_height, :md5,
+ :original_url, :replacement_url]
+ end
+end
diff --git a/test/functional/post_replacements_controller_test.rb b/test/functional/post_replacements_controller_test.rb
index df9caeeda..26f41ccf5 100644
--- a/test/functional/post_replacements_controller_test.rb
+++ b/test/functional/post_replacements_controller_test.rb
@@ -3,8 +3,8 @@ require 'test_helper'
 class PostReplacementsControllerTest < ActionDispatch::IntegrationTest
 context "The post replacements controller" do
 setup do
- @user = create(:moderator_user, can_approve_posts: true, created_at: 1.month.ago)
- @user.as_current do
+ @mod = create(:moderator_user, can_approve_posts: true, created_at: 1.month.ago)
+ as(@mod) do
 @post = create(:post, source: "https://google.com")
 @post_replacement = create(:post_replacement, post: @post)
 end
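Review bot: PostReplacementPolicy only defines `create?` and `update?`, yet the controller in this patch also calls `authorize` from `new` and `index`, so `new?`, `index?` and `show?` are whatever ApplicationPolicy (not in this patch) returns — in particular, whether `index` stays readable by everyone, as the dropped `before_action :moderator_only, except: [:index]` allowed, now rests on an inherited default that is not visible here. A header comment on the class would make that contract explicit, e.g. `# create?/update? require a moderator; new?/index?/show? are inherited from ApplicationPolicy`. `permitted_attributes_for_update` also lets a moderator mass-assign `md5`, `file_size`, `file_ext` and the `*_was` columns straight from the request; that carries over from the old update_params, but a one-line comment on why those file-integrity fields are request-writable would help the next reader and flag it if the list is ever widened.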
@@ -20,19 +20,25 @@ class PostReplacementsControllerTest < ActionDispatch::IntegrationTest
 }
 }
- assert_difference(-> { @post.replacements.size }) do
- post_auth post_replacements_path, @user, params: params
- @post.reload
+ assert_difference("PostReplacement.count") do
+ post_auth post_replacements_path, @mod, params: params
+ assert_response :success
 end
 travel(PostReplacement::DELETION_GRACE_PERIOD + 1.day)
 perform_enqueued_jobs
- assert_response :success
- assert_equal("https://cdn.donmai.us/original/d3/4e/d34e4cf0a437a5d65f8e82b7bcd02606.jpg", @post.source)
+ assert_equal("https://cdn.donmai.us/original/d3/4e/d34e4cf0a437a5d65f8e82b7bcd02606.jpg", @post.reload.source)
 assert_equal("d34e4cf0a437a5d65f8e82b7bcd02606", @post.md5)
 assert_equal("d34e4cf0a437a5d65f8e82b7bcd02606", Digest::MD5.file(@post.file(:original)).hexdigest)
 end
+
+ should "not allow non-mods to replace posts" do
+ assert_difference("PostReplacement.count", 0) do
+ post_auth post_replacements_path(post_id: @post.id), create(:user), params: { post_replacement: { replacement_url: "https://cdn.donmai.us/original/d3/4e/d34e4cf0a437a5d65f8e82b7bcd02606.jpg" }}
+ assert_response 403
+ end
+ end
 end
 context "update action" do
@@ -46,9 +52,9 @@ class PostReplacementsControllerTest < ActionDispatch::IntegrationTest
 }
 }
- put_auth post_replacement_path(@post_replacement), @user, params: params
- @post_replacement.reload
- assert_equal(23, @post_replacement.file_size_was)
+ put_auth post_replacement_path(@post_replacement), @mod, params: params
+ assert_response :success
+ assert_equal(23, @post_replacement.reload.file_size_was)
 assert_equal(42, @post_replacement.file_size)
 end
 end
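Review bot: The only negative authorization test added covers `create`; the `update` action, rewritten in the second hunk on this line, lost the same `before_action :moderator_only` gate and gets no test that a non-moderator receives 403, so a regression in `update?` would pass the suite unnoticed. A parallel case inside the "update action" context would close that gap and, by checking the field did not change, also pin that the policy fires before the mass-assignment. The existing context's `params` hash and `@post_replacement` from setup can be reused; the block below is one way to write it.
```ruby
should "not allow non-mods to update replacements" do
  assert_no_changes(-> { @post_replacement.reload.file_size }) do
    put_auth post_replacement_path(@post_replacement), create(:user), params: { post_replacement: { file_size: 42 } }
    assert_response 403
  end
end
```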