From 0bf94e65a1d4ed1773e9f2496a0eec63b2ee34ef Mon Sep 17 00:00:00 2001
From: Annie Huynh <150502695+ahuynh3a@users.noreply.github.com>
Date: Mon, 11 Mar 2024 18:27:04 +0000
Subject: [PATCH 1/2] added authorizations
---
app/controllers/comments_controller.rb | 8 ++++++++
app/controllers/photos_controller.rb | 7 +++++++
app/models/comment.rb | 2 +-
app/views/photos/_photo.html.erb | 2 ++
app/views/users/_user.html.erb | 4 ++++
app/views/users/show.html.erb | 2 ++
config/routes.rb | 8 ++++----
7 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 046a8e5d..3d65150d 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -1,5 +1,6 @@
class CommentsController < ApplicationController
before_action :set_comment, only: %i[ show edit update destroy ]
+ before_action :is_an_authorized_user, only: [:destroy, :create]
# GET /comments or /comments.json
def index
@@ -67,4 +68,11 @@ def set_comment
def comment_params
params.require(:comment).permit(:author_id, :photo_id, :body)
end
+
+ def is_an_authorized_user
+ @photo = Photo.find(params.fetch(:comment).fetch(:photo_id))
+ if current_user != @photo.owner && @photo.owner.private? && !current_user.leaders.include?(@photo.owner)
+ redirect_back fallback_location: root_url, alert: "Not authorized"
+ end
+ end
end
diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
index 78e53163..b8fe34db 100644
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@@ -1,5 +1,6 @@
class PhotosController < ApplicationController
before_action :set_photo, only: %i[ show edit update destroy ]
+ before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit]
# GET /photos or /photos.json
def index
@@ -63,6 +64,12 @@ def set_photo
@photo = Photo.find(params[:id])
end
+ def ensure_current_user_is_owner
+ if current_user != @photo.owner
+ redirect_back fallback_location: root_url, alert: "You're not authorized for that."
+ end
+ end
+
# Only allow a list of trusted parameters through.
def photo_params
params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id)
diff --git a/app/models/comment.rb b/app/models/comment.rb
index 14a8eb00..bc318e2c 100644
--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -22,6 +22,6 @@
class Comment < ApplicationRecord
belongs_to :author, class_name: "User", counter_cache: true
belongs_to :photo, counter_cache: true
-
+ has_one :owner, through: :photo
validates :body, presence: true
end
diff --git a/app/views/photos/_photo.html.erb b/app/views/photos/_photo.html.erb
index f0de50b8..fc2b4cfb 100644
--- a/app/views/photos/_photo.html.erb
+++ b/app/views/photos/_photo.html.erb
@@ -7,6 +7,7 @@
+ <%if current_user == photo.owner%>
<%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %>
<% end %>
@@ -14,6 +15,7 @@
<%= link_to photo, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %>
<% end %>
+ <%end%>
diff --git a/app/views/users/_user.html.erb b/app/views/users/_user.html.erb
index 669ec171..17f72bd7 100644
--- a/app/views/users/_user.html.erb
+++ b/app/views/users/_user.html.erb
@@ -50,6 +50,8 @@
+ <% if current_user == user%>
+
<%=
link_to "#",
data: {
@@ -64,6 +66,8 @@
pending
<% end %>
+ <% end %>
+
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
index 5656d7d5..7bb9936d 100644
--- a/app/views/users/show.html.erb
+++ b/app/views/users/show.html.erb
@@ -4,6 +4,7 @@
+<% if current_user == @user || !@user.private? || current_user.leaders.include?(@user) %>
<%= render "users/profile_nav", user: @user %>
@@ -17,3 +18,4 @@
<% end %>
+<%end%>
diff --git a/config/routes.rb b/config/routes.rb
index 47050a54..53545094 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -4,9 +4,9 @@
devise_for :users
resources :comments
- resources :follow_requests
- resources :likes
- resources :photos
+ resources :follow_requests, except: [:index, :show, :new, :edit]
+ resources :likes, only: [:create, :destroy]
+ resources :photos, except: [:index]
get ":username" => "users#show", as: :user
get ":username/liked" => "users#liked", as: :liked
@@ -14,4 +14,4 @@
get ":username/discover" => "users#discover", as: :discover
get ":username/followers" => "users#followers", as: :followers
get ":username/following" => "users#following", as: :following
-end
\ No newline at end of file
+end
From 17a2d9b99613a318cd7c2d6d295322243d3bb68c Mon Sep 17 00:00:00 2001
From: Annie Huynh <150502695+ahuynh3a@users.noreply.github.com>
Date: Mon, 11 Mar 2024 20:38:36 +0000
Subject: [PATCH 2/2] added if statement in the _comment.thml.erb, added
resources for comments and removed the destroy from the comments controller
---
app/controllers/comments_controller.rb | 2 +-
app/views/comments/_comment.html.erb | 2 ++
config/routes.rb | 2 +-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 3d65150d..9c9325c6 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -1,6 +1,6 @@
class CommentsController < ApplicationController
before_action :set_comment, only: %i[ show edit update destroy ]
- before_action :is_an_authorized_user, only: [:destroy, :create]
+ before_action :is_an_authorized_user, only: [:create]
# GET /comments or /comments.json
def index
diff --git a/app/views/comments/_comment.html.erb b/app/views/comments/_comment.html.erb
index a7ee4c56..f5e69b8d 100644
--- a/app/views/comments/_comment.html.erb
+++ b/app/views/comments/_comment.html.erb
@@ -10,6 +10,7 @@
<%= comment.body %>
+ <% if current_user == comment.author%>
<%= link_to edit_comment_path(comment), class: "btn btn-link btn-sm text-muted" do %>
<% end %>
@@ -17,6 +18,7 @@
<%= link_to comment, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %>
<% end %>
+ <%end%>
diff --git a/config/routes.rb b/config/routes.rb
index 53545094..c455b833 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -3,7 +3,7 @@
devise_for :users
- resources :comments
+ resources :comments, except: [:index, :show, :new]
resources :follow_requests, except: [:index, :show, :new, :edit]
resources :likes, only: [:create, :destroy]
resources :photos, except: [:index]