appdev-projects · bibimbop123 · Feb 6, 2025 · Feb 6, 2025 · Feb 6, 2025 · Feb 6, 2025
diff --git a/Gemfile b/Gemfile
@@ -12,6 +12,8 @@ gem "sprockets-rails"
 # Use postgresql as the database for Active Record
 gem "pg", "~> 1.1"
 
+gem "pundit"
+
 # Use the Puma web server [https://github.com/puma/puma]
 gem "puma"
 

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -266,6 +266,8 @@ GEM
     public_suffix (5.0.5)
     puma (6.4.2)
       nio4r (~> 2.0)
+    pundit (2.4.0)
+      activesupport (>= 3.0.0)
     racc (1.8.0)
     rack (3.0.11)
     rack-session (2.0.0)
@@ -464,6 +466,7 @@ DEPENDENCIES
   pg (~> 1.1)
   pry-rails
   puma
+  pundit
   rails (~> 7.1.3, >= 7.1.3.2)
   rails-erd
   rails_db

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,12 +1,33 @@
 class ApplicationController < ActionController::Base
+  include Pundit::Authorization
+  after_action :verify_authorized, unless: :devise_controller?
   before_action :authenticate_user!
 
   before_action :configure_permitted_parameters, if: :devise_controller?
 
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
   protected
 
   def configure_permitted_parameters
     devise_parameter_sanitizer.permit(:sign_up, keys: [:username, :private, :name, :bio, :website, :avatar_image])
     devise_parameter_sanitizer.permit(:account_update, keys: [:username, :private, :name, :bio, :website, :avatar_image])
   end
+
+  private
+
+    def user_not_authorized
+      flash[:alert] = "You are not authorized to perform this action."
+
+      redirect_back fallback_location: root_url
+    end
+
+  protected
+
+    def configure_permitted_parameters
+      devise_parameter_sanitizer.permit(:sign_up, keys: [:username, :private, :name, :bio, :website, :avatar_image])
+      devise_parameter_sanitizer.permit(:account_update, keys: [:username, :private, :name, :bio, :website, :avatar_image])
+    end
+
+
 end
diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
@@ -8,21 +8,25 @@ def index
 
   # GET /comments/1 or /comments/1.json
   def show
+    authorize @comment
   end
 
   # GET /comments/new
   def new
     @comment = Comment.new
+    authorize @comment
   end
 
   # GET /comments/1/edit
   def edit
+    authorize @comment
   end
 
   # POST /comments or /comments.json
   def create
     @comment = Comment.new(comment_params)
     @comment.author = current_user
+    authorize @comment
 
     respond_to do |format|
       if @comment.save
@@ -37,6 +41,7 @@ def create
 
   # PATCH/PUT /comments/1 or /comments/1.json
   def update
+    authorize @comment
     respond_to do |format|
       if @comment.update(comment_params)
         format.html { redirect_to root_url, notice: "Comment was successfully updated." }
@@ -50,6 +55,7 @@ def update
 
   # DELETE /comments/1 or /comments/1.json
   def destroy
+    authorize @comment
     @comment.destroy
     respond_to do |format|
       format.html { redirect_back fallback_location: root_url, notice: "Comment was successfully destroyed." }

diff --git a/app/controllers/follow_requests_controller.rb b/app/controllers/follow_requests_controller.rb
@@ -8,21 +8,25 @@ def index
 
   # GET /follow_requests/1 or /follow_requests/1.json
   def show
+    authorize @follow_request
   end
 
   # GET /follow_requests/new
   def new
     @follow_request = FollowRequest.new
+    authorize @follow_request
   end
 
   # GET /follow_requests/1/edit
   def edit
+    authorize @follow_request
   end
 
   # POST /follow_requests or /follow_requests.json
   def create
     @follow_request = FollowRequest.new(follow_request_params)
     @follow_request.sender = current_user
+    authorize @follow_request
 
     respond_to do |format|
       if @follow_request.save
@@ -37,6 +41,7 @@ def create
 
   # PATCH/PUT /follow_requests/1 or /follow_requests/1.json
   def update
+    authorize @follow_request
     respond_to do |format|
       if @follow_request.update(follow_request_params)
         format.html { redirect_back fallback_location: root_url, notice: "Follow request was successfully updated." }
@@ -50,6 +55,7 @@ def update
 
   # DELETE /follow_requests/1 or /follow_requests/1.json
   def destroy
+    authorize @follow_request
     @follow_request.destroy
     respond_to do |format|
       format.html { redirect_back fallback_location: root_url, notice: "Follow request was successfully destroyed." }

diff --git a/app/controllers/likes_controller.rb b/app/controllers/likes_controller.rb
@@ -8,20 +8,24 @@ def index
 
   # GET /likes/1 or /likes/1.json
   def show
+    authorize @like
   end
 
   # GET /likes/new
   def new
     @like = Like.new
+    authorize @like
   end
 
   # GET /likes/1/edit
   def edit
+    authorize @like
   end
 
   # POST /likes or /likes.json
   def create
     @like = Like.new(like_params)
+    authorize @like
 
     respond_to do |format|
       if @like.save
@@ -36,6 +40,7 @@ def create
 
   # PATCH/PUT /likes/1 or /likes/1.json
   def update
+    authorize @like
     respond_to do |format|
       if @like.update(like_params)
         format.html { redirect_to @like, notice: "Like was successfully updated." }
@@ -49,6 +54,7 @@ def update
 
   # DELETE /likes/1 or /likes/1.json
   def destroy
+    authorize @like
     @like.destroy
     respond_to do |format|
       format.html { redirect_back fallback_location: root_url, notice: "Like was successfully destroyed." }

diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
@@ -1,5 +1,6 @@
 class PhotosController < ApplicationController
   before_action :set_photo, only: %i[ show edit update destroy ]
+  before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit]
 
   # GET /photos or /photos.json
   def index
@@ -8,6 +9,7 @@ def index
 
   # GET /photos/1 or /photos/1.json
   def show
+    authorize @photo
   end
 
   # GET /photos/new
@@ -50,10 +52,13 @@ def update
 
   # DELETE /photos/1 or /photos/1.json
   def destroy
+    if current_user == @photo.owner
     @photo.destroy
     respond_to do |format|
       format.html { redirect_back fallback_location: root_url, notice: "Photo was successfully destroyed." }
       format.json { head :no_content }
+    else
+      redirect_back(fallback_location: root_url, notice: "Nice try, but that is not your photo.")
     end
   end
 
@@ -67,4 +72,11 @@ def set_photo
     def photo_params
       params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id)
     end
+
+    def ensure_current_user_is_owner
+      if current_user != @photo.owner
+        redirect_back fallback_location: root_url, alert: "You're not authorized for that."
+      end
+    end
+
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -1,13 +1,28 @@
 class UsersController < ApplicationController
   before_action :set_user, only: %i[ show liked feed followers following discover ]
+
+  def show
+  end
+  def liked
+  end
+  def feed
+  end
+  def followers 
+  end
+  def following
+  end
+  def discover 
+  end
 
   private
 
     def set_user
       if params[:username]
         @user = User.find_by!(username: params.fetch(:username))
+        authorize @user 
       else
         @user = current_user
+        authorize @user 
       end
     end
-end
+end
diff --git a/app/models/comment.rb b/app/models/comment.rb
@@ -22,6 +22,7 @@
 class Comment < ApplicationRecord
   belongs_to :author, class_name: "User", counter_cache: true
   belongs_to :photo, counter_cache: true
+  has_one :owner, through: :photo
 
   validates :body, presence: true
 end
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+class ApplicationPolicy
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  def index?
+    false
+  end
+
+  def show?
+    false
+  end
+
+  def create?
+    false
+  end
+
+  def new?
+    create?
+  end
+
+  def update?
+    false
+  end
+
+  def edit?
+    update?
+  end
+
+  def destroy?
+    false
+  end
+
+  class Scope
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      raise NoMethodError, "You must define #resolve in #{self.class}"
+    end
+
+    private
+
+    attr_reader :user, :scope
+  end
+end
diff --git a/app/policies/comment_policy.rb b/app/policies/comment_policy.rb
@@ -0,0 +1,32 @@
+class CommentPolicy < ApplicationPolicy
+  attr_reader :user, :comment
+
+  def initialize(user, comment)
+    @user = user
+    @comment = comment
+  end
+
+  def show?
+    @user == @comment.author
+  end
+
+  def new?
+    show?
+  end
+
+  def edit?
+    show?
+  end
+
+  def create?
+    show?
+  end
+
+  def update?
+    show?
+  end
+
+  def destroy?
+    show?
+  end
+end
diff --git a/app/policies/follow_request_policy.rb b/app/policies/follow_request_policy.rb
@@ -0,0 +1,32 @@
+class FollowRequestPolicy < ApplicationPolicy
+  attr_reader :user, :follow_request
+
+  def initialize(user, follow_request)
+    @user = user
+    @follow_request = follow_request
+  end
+
+  def show?
+    @user == @follow_request.recipient
+  end
+
+  def new?
+    @user == @follow_request.sender
+  end
+
+  def edit?
+    true
+  end
+
+  def create?
+    new?
+  end
+
+  def update?
+    true
+  end
+
+  def destroy?
+    true
+  end
+end