diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb index 046a8e5d..9c9325c6 100644 --- a/app/controllers/comments_controller.rb +++ b/app/controllers/comments_controller.rb @@ -1,5 +1,6 @@ class CommentsController < ApplicationController before_action :set_comment, only: %i[ show edit update destroy ] + before_action :is_an_authorized_user, only: [:create] # GET /comments or /comments.json def index @@ -67,4 +68,11 @@ def set_comment def comment_params params.require(:comment).permit(:author_id, :photo_id, :body) end + + def is_an_authorized_user + @photo = Photo.find(params.fetch(:comment).fetch(:photo_id)) + if current_user != @photo.owner && @photo.owner.private? && !current_user.leaders.include?(@photo.owner) + redirect_back fallback_location: root_url, alert: "Not authorized" + end + end end diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb index 78e53163..b8fe34db 100644 --- a/app/controllers/photos_controller.rb +++ b/app/controllers/photos_controller.rb @@ -1,5 +1,6 @@ class PhotosController < ApplicationController before_action :set_photo, only: %i[ show edit update destroy ] + before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit] # GET /photos or /photos.json def index @@ -63,6 +64,12 @@ def set_photo @photo = Photo.find(params[:id]) end + def ensure_current_user_is_owner + if current_user != @photo.owner + redirect_back fallback_location: root_url, alert: "You're not authorized for that." + end + end + # Only allow a list of trusted parameters through. def photo_params params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id) diff --git a/app/models/comment.rb b/app/models/comment.rb index 14a8eb00..bc318e2c 100644 --- a/app/models/comment.rb +++ b/app/models/comment.rb @@ -22,6 +22,6 @@ class Comment < ApplicationRecord belongs_to :author, class_name: "User", counter_cache: true belongs_to :photo, counter_cache: true - + has_one :owner, through: :photo validates :body, presence: true end diff --git a/app/views/comments/_comment.html.erb b/app/views/comments/_comment.html.erb index a7ee4c56..f5e69b8d 100644 --- a/app/views/comments/_comment.html.erb +++ b/app/views/comments/_comment.html.erb @@ -10,6 +10,7 @@

<%= comment.body %>

+ <% if current_user == comment.author%> <%= link_to edit_comment_path(comment), class: "btn btn-link btn-sm text-muted" do %> <% end %> @@ -17,6 +18,7 @@ <%= link_to comment, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %> <% end %> + <%end%>
diff --git a/app/views/photos/_photo.html.erb b/app/views/photos/_photo.html.erb index f0de50b8..fc2b4cfb 100644 --- a/app/views/photos/_photo.html.erb +++ b/app/views/photos/_photo.html.erb @@ -7,6 +7,7 @@
+ <%if current_user == photo.owner%> <%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %> <% end %> @@ -14,6 +15,7 @@ <%= link_to photo, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %> <% end %> + <%end%>
diff --git a/app/views/users/_user.html.erb b/app/views/users/_user.html.erb index 669ec171..17f72bd7 100644 --- a/app/views/users/_user.html.erb +++ b/app/views/users/_user.html.erb @@ -50,6 +50,8 @@
+ <% if current_user == user%> + <%= link_to "#", data: { @@ -64,6 +66,8 @@ pending <% end %> + <% end %> +
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb index 5656d7d5..7bb9936d 100644 --- a/app/views/users/show.html.erb +++ b/app/views/users/show.html.erb @@ -4,6 +4,7 @@ +<% if current_user == @user || !@user.private? || current_user.leaders.include?(@user) %>
<%= render "users/profile_nav", user: @user %> @@ -17,3 +18,4 @@
<% end %> +<%end%> diff --git a/config/routes.rb b/config/routes.rb index 47050a54..c455b833 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -3,10 +3,10 @@ devise_for :users - resources :comments - resources :follow_requests - resources :likes - resources :photos + resources :comments, except: [:index, :show, :new] + resources :follow_requests, except: [:index, :show, :new, :edit] + resources :likes, only: [:create, :destroy] + resources :photos, except: [:index] get ":username" => "users#show", as: :user get ":username/liked" => "users#liked", as: :liked @@ -14,4 +14,4 @@ get ":username/discover" => "users#discover", as: :discover get ":username/followers" => "users#followers", as: :followers get ":username/following" => "users#following", as: :following -end \ No newline at end of file +end