pundit: convert post versions to pundit.

app/controllers/post_versions_controller.rb

@@ -1,5 +1,4 @@
 class PostVersionsController < ApplicationController
-  before_action :member_only, except: [:index, :search]
   before_action :check_availabililty
   around_action :set_timeout
   respond_to :html, :xml, :json
@@ -7,7 +6,7 @@ class PostVersionsController < ApplicationController
 
   def index
     set_version_comparison
-    @post_versions = PostVersion.paginated_search(params)
+    @post_versions = authorize PostVersion.paginated_search(params)
 
     if request.format.html?
       @post_versions = @post_versions.includes(:updater, post: [:uploader, :versions])
@@ -22,7 +21,7 @@ class PostVersionsController < ApplicationController
   end
 
   def undo
-    @post_version = PostVersion.find(params[:id])
+    @post_version = authorize PostVersion.find(params[:id])
     @post_version.undo!
 
     respond_with(@post_version)

app/models/post_version.rb

@@ -233,14 +233,6 @@ class PostVersion < ApplicationRecord
     post.save!
   end
 
-  def can_undo?(user)
-    version > 1 && post&.visible? && user.is_member?
-  end
-
-  def can_revert_to?(user)
-    post&.visible? && user.is_member?
-  end
-
   def api_attributes
     super + [:obsolete_added_tags, :obsolete_removed_tags, :unchanged_tags]
   end

app/policies/post_version_policy.rb

@@ -0,0 +1,9 @@
+class PostVersionPolicy < ApplicationPolicy
+  def undo?
+    unbanned? && record.version > 1 && record.post.present? && policy(record.post).visible?
+  end
+
+  def can_mass_undo?
+    user.is_builder?
+  end
+end

app/views/post_versions/_listing.html.erb

@@ -4,9 +4,9 @@
   <% end %>
 
     <%= table_for @post_versions, {id: "post-versions-table", class: "striped autofit"} do |t| %>
-      <% if CurrentUser.user.is_builder? %>
+      <% if policy(@post_versions).can_mass_undo? %>
         <% t.column tag.label(tag.input type: :checkbox, id: "post-version-select-all-checkbox", class: "post-version-select-checkbox"), column: "post-version-select" do |post_version| %>
-          <input type="checkbox" class="post-version-select-checkbox" <%= "disabled" unless post_version.can_undo?(CurrentUser.user) %>>
+          <input type="checkbox" class="post-version-select-checkbox" <%= "disabled" unless policy(post_version).undo? %>>
         <% end %>
       <% end %>
       <% if listing_type(:post_id) == :standard %>
@@ -31,10 +31,10 @@
         </div>
       <% end %>
       <% t.column do |post_version| %>
-        <% if post_version.can_undo?(CurrentUser.user) %>
+        <% if policy(post_version).can_undo? %>
           <%= link_to "Undo", undo_post_version_path(post_version), method: :put, remote: true, class: "post-version-undo-link" %>
         <% end %>
-        <% if listing_type(:post_id) == :revert && post_version.can_revert_to?(CurrentUser.user) %>
+        <% if listing_type(:post_id) == :revert && policy(post_version.post).revert? %>
           | <%= link_to "Revert to", revert_post_path(post_version.post_id, version_id: post_version.id), method: :put, remote: true %>
         <% end %>
       <% end %>

test/functional/post_versions_controller_test.rb

@@ -3,30 +3,26 @@ require 'test_helper'
 class PostVersionsControllerTest < ActionDispatch::IntegrationTest
   setup do
     @user = create(:user)
+
+    as(@user) do
+      @post = create(:post, tag_string: "tagme", rating: "s")
+      travel(2.hours) { @post.update(tag_string: "1 2", source: "xxx") }
+      travel(4.hours) { @post.update(tag_string: "2 3", rating: "e") }
+      @post2 = create(:post)
+    end
   end
 
   context "The post versions controller" do
     context "index action" do
       setup do
-        @user.as_current do
-          @post = create(:post)
-          travel(2.hours) do
-            @post.update(:tag_string => "1 2", :source => "xxx")
-          end
-          travel(4.hours) do
-            @post.update(:tag_string => "2 3", :rating => "e")
-          end
-          @versions = @post.versions
-          @post2 = create(:post)
-        end
       end
 
       should "list all versions" do
         get_auth post_versions_path, @user
         assert_response :success
-        assert_select "#post-version-#{@versions[0].id}"
+        assert_select "#post-version-#{@post.versions[0].id}"
-        assert_select "#post-version-#{@versions[1].id}"
+        assert_select "#post-version-#{@post.versions[1].id}"
-        assert_select "#post-version-#{@versions[2].id}"
+        assert_select "#post-version-#{@post.versions[2].id}"
       end
 
       should "list all versions that match the search criteria" do
@@ -38,12 +34,27 @@ class PostVersionsControllerTest < ActionDispatch::IntegrationTest
       should "list all versions for search[changed_tags]" do
         get post_versions_path, as: :json, params: { search: { changed_tags: "1" }}
         assert_response :success
-        assert_equal @versions[1].id, response.parsed_body[1]["id"].to_i
+        assert_equal @post.versions[1].id, response.parsed_body[1]["id"].to_i
-        assert_equal @versions[2].id, response.parsed_body[0]["id"].to_i
+        assert_equal @post.versions[2].id, response.parsed_body[0]["id"].to_i
 
         get post_versions_path, as: :json, params: { search: { changed_tags: "1 2" }}
         assert_response :success
-        assert_equal @versions[1].id, response.parsed_body[0]["id"].to_i
+        assert_equal @post.versions[1].id, response.parsed_body[0]["id"].to_i
+      end
+    end
+
+    context "undo action" do
+      should "undo the edit" do
+        put_auth undo_post_version_path(@post.versions.first), @user
+        assert_response :success
+        assert_equal("s", @post.reload.rating)
+        assert_equal("tagme", @post.reload.tag_string)
+      end
+
+      should "not allow non-members to undo edits" do
+        put undo_post_version_path(@post.versions.first)
+        assert_response 403
+        assert_equal("2 3", @post.reload.tag_string)
       end
     end
   end