Ah add pundit policies

Gemfile

@@ -3,6 +3,7 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 ruby "3.2.1"
 
+gem "pundit"
 gem "simple_form"
 
 # Bundle edge Rails instead: gem "rails", github: "rails/rails", branch: "main"

Gemfile.lock

@@ -235,6 +235,8 @@ GEM
     public_suffix (5.0.4)
     puma (5.6.7)
       nio4r (~> 2.0)
+    pundit (2.3.1)
+      activesupport (>= 3.0.0)
     racc (1.6.2)
     rack (2.2.8)
     rack-protection (3.0.6)
@@ -427,6 +429,7 @@ DEPENDENCIES
   pg (~> 1.1)
   pry-rails
   puma (~> 5.0)
+  pundit
   rails (~> 7.0.4, >= 7.0.4.3)
   rails-erd
   rails_db

app/controllers/application_controller.rb

@@ -1,12 +1,27 @@
 class ApplicationController < ActionController::Base
+  include Pundit
+  after_action :verify_authorized, unless: :devise_controller?
+  after_action :verify_policy_scoped, only: :index, unless: :devise_controller?
+
+
   before_action :authenticate_user!
 
   before_action :configure_permitted_parameters, if: :devise_controller?
-
+  
   protected
-
+  
   def configure_permitted_parameters
     devise_parameter_sanitizer.permit(:sign_up, keys: [:username, :private, :name, :bio, :website, :avatar_image])
     devise_parameter_sanitizer.permit(:account_update, keys: [:username, :private, :name, :bio, :website, :avatar_image])
   end
+
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
+  private
+
+    def user_not_authorized
+      flash[:alert] = "You are not authorized to perform this action."
+
+      redirect_back fallback_location: root_url
+    end
 end

app/controllers/comments_controller.rb

@@ -1,5 +1,6 @@
 class CommentsController < ApplicationController
   before_action :set_comment, only: %i[ show edit update destroy ]
+  before_action :authorize_comment, only: [:edit, :update, :destroy]
 
   # GET /comments or /comments.json
   def index
@@ -21,7 +22,9 @@ def edit
 
   # POST /comments or /comments.json
   def create
+    @photo = Photo.find(params[:comment][:photo_id])
     @comment = Comment.new(comment_params)
+    authorize @photo, :show?
     @comment.author = current_user
 
     respond_to do |format|
@@ -67,4 +70,8 @@ def set_comment
     def comment_params
       params.require(:comment).permit(:author_id, :photo_id, :body)
     end
+
+    def authorize_comment
+      authorize @comment
+    end
 end

app/controllers/follow_requests_controller.rb

@@ -1,29 +1,25 @@
 class FollowRequestsController < ApplicationController
   before_action :set_follow_request, only: %i[ show edit update destroy ]
+  before_action :authorize_follow_request
 
-  # GET /follow_requests or /follow_requests.json
   def index
     @follow_requests = FollowRequest.all
   end
 
-  # GET /follow_requests/1 or /follow_requests/1.json
   def show
   end
 
-  # GET /follow_requests/new
   def new
     @follow_request = FollowRequest.new
   end
 
-  # GET /follow_requests/1/edit
   def edit
   end
 
-  # POST /follow_requests or /follow_requests.json
   def create
     @follow_request = FollowRequest.new(follow_request_params)
+    authorize @follow_request
     @follow_request.sender = current_user
-
     respond_to do |format|
       if @follow_request.save
         format.html { redirect_back fallback_location: root_url, notice: "Follow request was successfully created." }
@@ -35,7 +31,6 @@ def create
     end
   end
 
-  # PATCH/PUT /follow_requests/1 or /follow_requests/1.json
   def update
     respond_to do |format|
       if @follow_request.update(follow_request_params)
@@ -48,7 +43,6 @@ def update
     end
   end
 
-  # DELETE /follow_requests/1 or /follow_requests/1.json
   def destroy
     @follow_request.destroy
     respond_to do |format|
@@ -58,13 +52,16 @@ def destroy
   end
 
   private
-    # Use callbacks to share common setup or constraints between actions.
     def set_follow_request
       @follow_request = FollowRequest.find(params[:id])
     end
 
-    # Only allow a list of trusted parameters through.
     def follow_request_params
       params.require(:follow_request).permit(:recipient_id, :sender_id, :status)
     end
+
+    def authorize_follow_request
+      authorize @follow_request || FollowRequest
+    end
+
 end

app/controllers/photos_controller.rb

@@ -1,9 +1,11 @@
 class PhotosController < ApplicationController
   before_action :set_photo, only: %i[ show edit update destroy ]
+  before_action :authorize_photo, only: [:show, :edit, :update, :destroy]
 
   # GET /photos or /photos.json
   def index
-    @photos = Photo.all
+    @photos = policy_scope(Photo)
+    authorize Photo
   end
 
   # GET /photos/1 or /photos/1.json
@@ -13,6 +15,7 @@ def show
   # GET /photos/new
   def new
     @photo = Photo.new
+    authorize Photo
   end
 
   # GET /photos/1/edit
@@ -23,6 +26,7 @@ def edit
   def create
     @photo = Photo.new(photo_params)
     @photo.owner = current_user
+    authorize @photo
 
     respond_to do |format|
       if @photo.save
@@ -67,4 +71,9 @@ def set_photo
     def photo_params
       params.require(:photo).permit(:image, :comments_count, :likes_count, :caption, :owner_id)
     end
-end
+
+    def authorize_photo
+      authorize @photo
+    end
+
+  end

app/controllers/users_controller.rb

@@ -1,6 +1,6 @@
 class UsersController < ApplicationController
   before_action :set_user, only: %i[ show liked feed followers following discover ]
-
+  before_action { authorize @user }
   private
 
     def set_user
@@ -10,4 +10,4 @@ def set_user
         @user = current_user
       end
     end
-end
+end

app/models/comment.rb

@@ -22,6 +22,6 @@
 class Comment < ApplicationRecord
   belongs_to :author, class_name: "User", counter_cache: true
   belongs_to :photo, counter_cache: true
-
+  has_one :owner, through: :photo
   validates :body, presence: true
 end

app/policies/application_policy.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+class ApplicationPolicy
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  def index?
+    false
+  end
+
+  def show?
+    false
+  end
+
+  def create?
+    false
+  end
+
+  def new?
+    create?
+  end
+
+  def update?
+    false
+  end
+
+  def edit?
+    update?
+  end
+
+  def destroy?
+    false
+  end
+
+  class Scope
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      raise NotImplementedError, "You must define #resolve in #{self.class}"
+    end
+
+    private
+
+    attr_reader :user, :scope
+  end
+end

app/policies/comment_policy.rb

@@ -0,0 +1,25 @@
+class CommentPolicy < ApplicationPolicy
+  attr_reader :user, :comment
+
+  def initialize(user,comment)
+    @user = user
+    @comment = comment
+  end 
+
+  def edit?
+    update?
+  end
+
+  def update?
+    user == comment.author
+  end
+
+  def destroy?
+    user == comment.author
+  end
+
+
+  # def create?
+    # refer to Photo Policy show action
+  # end
+end

app/policies/follow_request_policy.rb

@@ -0,0 +1,28 @@
+class FollowRequestPolicy < ApplicationPolicy
+  attr_reader :user, :follow_request
+
+  def initialize(user,follow_request)
+    @user = user
+    @follow_request = follow_request
+  end 
+
+  def show?
+    user == follow_request.recipient
+  end 
+
+  def edit?
+    user == follow_request.recipient || user == follow_request.sender
+  end
+
+  def create?
+    true
+  end
+
+  def destroy?
+    user == follow_request.recipient || user == follow_request.sender
+  end
+
+  def update?
+    destroy?
+  end
+end

app/policies/photo_policy.rb

@@ -0,0 +1,45 @@
+class PhotoPolicy < ApplicationPolicy
+  attr_reader :user, :photo
+
+  def initialize(user,photo)
+    @user = user
+    @photo = photo
+  end
+
+  def new?
+    create?
+  end
+
+  def create?
+    !user.nil?
+  end
+
+  def index?
+    true
+  end
+
+  def show?
+    user == photo.owner ||
+     !photo.owner.private? ||
+     photo.owner.followers.include?(user)
+  end
+
+  def destroy?
+    user == photo.owner
+  end
+
+  def update?
+    user == photo.owner
+  end
+
+  def edit?
+      update?
+  end
+
+  class Scope < Scope
+    def resolve
+      scope.where(owner: user)
+    end
+  end
+
+end