From 0bf94e65a1d4ed1773e9f2496a0eec63b2ee34ef Mon Sep 17 00:00:00 2001 From: Annie Huynh <150502695+ahuynh3a@users.noreply.github.com> Date: Mon, 11 Mar 2024 18:27:04 +0000 Subject: [PATCH 1/2] added authorizations --- app/controllers/comments_controller.rb | 8 ++++++++ app/controllers/photos_controller.rb | 7 +++++++ app/models/comment.rb | 2 +- app/views/photos/_photo.html.erb | 2 ++ app/views/users/_user.html.erb | 4 ++++ app/views/users/show.html.erb | 2 ++ config/routes.rb | 8 ++++---- 7 files changed, 28 insertions(+), 5 deletions(-) diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb index 046a8e5d..3d65150d 100644 --- a/app/controllers/comments_controller.rb +++ b/app/controllers/comments_controller.rb @@ -1,5 +1,6 @@ class CommentsController < ApplicationController before_action :set_comment, only: %i[ show edit update destroy ] + before_action :is_an_authorized_user, only: [:destroy, :create] # GET /comments or /comments.json def index @@ -67,4 +68,11 @@ def set_comment def comment_params params.require(:comment).permit(:author_id, :photo_id, :body) end + + def is_an_authorized_user + @photo = Photo.find(params.fetch(:comment).fetch(:photo_id)) + if current_user != @photo.owner && @photo.owner.private? && !current_user.leaders.include?(@photo.owner) + redirect_back fallback_location: root_url, alert: "Not authorized" + end + end end diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb index 78e53163..b8fe34db 100644 --- a/app/controllers/photos_controller.rb +++ b/app/controllers/photos_controller.rb @@ -1,5 +1,6 @@ class PhotosController < ApplicationController before_action :set_photo, only: %i[ show edit update destroy ] + before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit] # GET /photos or /photos.json def index @@ -63,6 +64,12 @@ def set_photo @photo = Photo.find(params[:id]) end + def ensure_current_user_is_owner + if current_user != @photo.owner + redirect_back fallback_location: root_url, alert: "You're not authorized for that." + end + end + # Only allow a list of trusted parameters through. def photo_params params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id) diff --git a/app/models/comment.rb b/app/models/comment.rb index 14a8eb00..bc318e2c 100644 --- a/app/models/comment.rb +++ b/app/models/comment.rb @@ -22,6 +22,6 @@ class Comment < ApplicationRecord belongs_to :author, class_name: "User", counter_cache: true belongs_to :photo, counter_cache: true - + has_one :owner, through: :photo validates :body, presence: true end diff --git a/app/views/photos/_photo.html.erb b/app/views/photos/_photo.html.erb index f0de50b8..fc2b4cfb 100644 --- a/app/views/photos/_photo.html.erb +++ b/app/views/photos/_photo.html.erb @@ -7,6 +7,7 @@
+ <%if current_user == photo.owner%> <%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %> <% end %> @@ -14,6 +15,7 @@ <%= link_to photo, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %> <% end %> + <%end%>
diff --git a/app/views/users/_user.html.erb b/app/views/users/_user.html.erb index 669ec171..17f72bd7 100644 --- a/app/views/users/_user.html.erb +++ b/app/views/users/_user.html.erb @@ -50,6 +50,8 @@
+ <% if current_user == user%> + <%= link_to "#", data: { @@ -64,6 +66,8 @@ pending <% end %> + <% end %> +
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb index 5656d7d5..7bb9936d 100644 --- a/app/views/users/show.html.erb +++ b/app/views/users/show.html.erb @@ -4,6 +4,7 @@ +<% if current_user == @user || !@user.private? || current_user.leaders.include?(@user) %>
<%= render "users/profile_nav", user: @user %> @@ -17,3 +18,4 @@
<% end %> +<%end%> diff --git a/config/routes.rb b/config/routes.rb index 47050a54..53545094 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -4,9 +4,9 @@ devise_for :users resources :comments - resources :follow_requests - resources :likes - resources :photos + resources :follow_requests, except: [:index, :show, :new, :edit] + resources :likes, only: [:create, :destroy] + resources :photos, except: [:index] get ":username" => "users#show", as: :user get ":username/liked" => "users#liked", as: :liked @@ -14,4 +14,4 @@ get ":username/discover" => "users#discover", as: :discover get ":username/followers" => "users#followers", as: :followers get ":username/following" => "users#following", as: :following -end \ No newline at end of file +end From 17a2d9b99613a318cd7c2d6d295322243d3bb68c Mon Sep 17 00:00:00 2001 From: Annie Huynh <150502695+ahuynh3a@users.noreply.github.com> Date: Mon, 11 Mar 2024 20:38:36 +0000 Subject: [PATCH 2/2] added if statement in the _comment.thml.erb, added resources for comments and removed the destroy from the comments controller --- app/controllers/comments_controller.rb | 2 +- app/views/comments/_comment.html.erb | 2 ++ config/routes.rb | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb index 3d65150d..9c9325c6 100644 --- a/app/controllers/comments_controller.rb +++ b/app/controllers/comments_controller.rb @@ -1,6 +1,6 @@ class CommentsController < ApplicationController before_action :set_comment, only: %i[ show edit update destroy ] - before_action :is_an_authorized_user, only: [:destroy, :create] + before_action :is_an_authorized_user, only: [:create] # GET /comments or /comments.json def index diff --git a/app/views/comments/_comment.html.erb b/app/views/comments/_comment.html.erb index a7ee4c56..f5e69b8d 100644 --- a/app/views/comments/_comment.html.erb +++ b/app/views/comments/_comment.html.erb @@ -10,6 +10,7 @@

<%= comment.body %>

+ <% if current_user == comment.author%> <%= link_to edit_comment_path(comment), class: "btn btn-link btn-sm text-muted" do %> <% end %> @@ -17,6 +18,7 @@ <%= link_to comment, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %> <% end %> + <%end%>
diff --git a/config/routes.rb b/config/routes.rb index 53545094..c455b833 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -3,7 +3,7 @@ devise_for :users - resources :comments + resources :comments, except: [:index, :show, :new] resources :follow_requests, except: [:index, :show, :new, :edit] resources :likes, only: [:create, :destroy] resources :photos, except: [:index]