industrial-auth-1/app/controllers/photos_controller.rb at 64baa61d8cff4849d3c54f20690a83abde594a07 · appdev-projects/industrial-auth-1 · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
class PhotosController < ApplicationController
  before_action :set_photo, only: %i[ show edit update destroy ]

  before_action :ensure_current_user_is_owner, only: [:edit, :update, :destroy]

  before_action :ensure_user_is_authorized, only: [:show]

  before_action :ensure_user_is_authorized, only: [:show]

  after_action :verify_authorized, except: [:home]
  def ensure_current_user_is_owner
    if current_user != @photo.owner
      redirect_back(fallback_location: root_url, alert: "Not allowed")
    end
  end
  def ensure_user_is_authorized
    if !PhotoPolicy.new(current_user, @photo).show?
      raise Pundit::NotAuthorizedError, "not allowed"
    end
  end

  # GET /photos or /photos.json
  def index
    @photos = Photo.all
  end

  # GET /photos/1 or /photos/1.json
  def show
    authorize @photo
  end

  # GET /photos/new
  def new
    @photo = Photo.new
    authorize @photo
  end

  # GET /photos/1/edit
  def edit

    authorize @photo
  end

  # POST /photos or /photos.json
  def create
    @photo = Photo.new(photo_params)
    @photo.owner = current_user
    authorize @photo
    respond_to do |format|
      if @photo.save
        format.html { redirect_to @photo, notice: "Photo was successfully created." }
        format.json { render :show, status: :created, location: @photo }
      else
        format.html { render :new, status: :unprocessable_entity }
        format.json { render json: @photo.errors, status: :unprocessable_entity }
      end
    end
  end

  # PATCH/PUT /photos/1 or /photos/1.json
  def update
    respond_to do |format|
      if @photo.update(photo_params)
        format.html { redirect_to @photo, notice: "Photo was successfully updated." }
        format.json { render :show, status: :ok, location: @photo }
      else
        format.html { render :edit, status: :unprocessable_entity }
        format.json { render json: @photo.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /photos/1 or /photos/1.json
  def destroy
    authorize @photo
    @photo.destroy
    respond_to do |format|
      format.html { redirect_back fallback_location: root_url, notice: "Photo was successfully destroyed." }
      format.json { head :no_content }
    end
  end

  private

  # Use callbacks to share common setup or constraints between actions.
  def set_photo
    @photo = Photo.find(params[:id])
  end

  # Only allow a list of trusted parameters through.
  def photo_params
    params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id)
  end
end