Merge pull request #10 from zunairkhan811/authorization

Authorization For Blog App

.rubocop.yml

@@ -11,7 +11,7 @@ AllCops:
   DisplayCopNames: true
 
 Layout/LineLength:
-  Max: 120
+  Max: 150
 Metrics/MethodLength:
   Include:
     - "app/controllers/*"

Gemfile

@@ -72,6 +72,6 @@ group :test do
   gem 'selenium-webdriver'
 end
 gem 'bootstrap_form', '~> 5.4'
-gem 'rubocop', '>= 1.0', '< 2.0'
-
+gem 'cancancan'
 gem 'devise', '~> 4.9'
+gem 'rubocop', '>= 1.0', '< 2.0'

Gemfile.lock

@@ -77,6 +77,7 @@ GEM
       actionpack (>= 6.1)
       activemodel (>= 6.1)
     builder (3.2.4)
+    cancancan (3.5.0)
     capybara (3.39.2)
       addressable
       matrix
@@ -279,6 +280,7 @@ PLATFORMS
 DEPENDENCIES
   bootsnap
   bootstrap_form (~> 5.4)
+  cancancan
   capybara
   debug
   devise (~> 4.9)

app/controllers/application_controller.rb

@@ -1,9 +1,4 @@
 class ApplicationController < ActionController::Base
   before_action :authenticate_user!
-  # protect_from_forgery with: :exception
-  # helper_method :current_user
-
-  # def current_user
-  #   @current_user ||= User.first
-  # end
+  include CanCan::ControllerAdditions
 end

app/controllers/comments_controller.rb

@@ -1,10 +1,59 @@
 class CommentsController < ApplicationController
+  before_action :set_user
+  before_action :set_post
+  def index
+    @comments = @post.comments
+  end
+
+  def new
+    @comment = Comment.new
+  end
+
   def create
-    @comment = Comment.new(user_id: current_user.id, post_id: params[:post_id], text: params[:text])
+    @comment = @post.comments.build(comment_params)
+    @comment.user = current_user
     if @comment.save
-      redirect_to user_post_path(:user_id, :post_id), notice: 'Your comment has been successfully created.'
+      redirect_to user_post_path(@post.author, @post), notice: '🎊 Bravo, you have created your comment!'
     else
-      redirect_to user_post_path(:user_id, :post_id), alert: 'Error creating comment.'
+      flash[:alert] = 'Apologies try again!'
+      redirect_to user_post_path(@post.author, @post)
     end
   end
+
+  # def create
+  #   # puts "Params: #{params.inspect}"
+  #   @comment = Comment.new(comment_params)
+  #   @comment.user_id = params[:user_id]
+  #   @comment.post_id = params[:post_id]
+  #   puts "Comment before save: #{@comment.inspect}"
+  #   if @comment.save
+  #     redirect_to user_posts_path(current_user), notice: 'Comment created successfully.'
+  #   else
+  #     render :new, notice: 'Error occured in creating a comment'
+  #   end
+  # end
+
+  def show; end
+
+  def destroy
+    @comment = Comment.find(params[:id])
+    authorize! :destroy, @comment
+    return unless @comment.destroy
+
+    redirect_to user_posts_path(current_user), notice: 'Comment has been deleted successfully'
+  end
+
+  private
+
+  def set_user
+    @user = User.find(params[:user_id])
+  end
+
+  def set_post
+    @post = Post.find(params[:post_id])
+  end
+
+  def comment_params
+    params.require(:comment).permit(:text, :user_id, :post_id)
+  end
 end

app/controllers/posts_controller.rb

@@ -6,20 +6,30 @@ def index
   end
 
   def new
+    # @user = current_user
     @post = Post.new
   end
 
   def create
     @post = @user.posts.new(post_params)
+    authorize! :create, @post
     if @post.save
       redirect_to user_posts_path(current_user), notice: 'Your Post has been successfully Created'
     else
-      render :new, notice: error
+      render :new, notice: 'Error in creating a post'
     end
   end
 
   def show; end
 
+  def destroy
+    @post = Post.find(params[:id])
+    authorize! :destroy, @post
+    return unless @post.destroy
+
+    redirect_to user_path(current_user), notice: 'Post has been deleted successfully'
+  end
+
   private
 
   def post_params

app/models/ability.rb

@@ -0,0 +1,40 @@
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    # @user = current_user || User.new
+
+    if user.admin?
+      can :manage, :all
+    else
+      can :read, :all
+      can %i[create destroy], Post, author_id: user.id
+      can %i[create destroy], Comment, user_id: user.id
+      can :create, Like
+    end
+    # Define abilities for the user here. For example:
+    #
+    #   return unless user.present?
+    #   can :read, :all
+    #   return unless user.admin?
+    #   can :manage, :all
+    #
+    # The first argument to `can` is the action you are giving the user
+    # permission to do.
+    # If you pass :manage it will apply to every action. Other common actions
+    # here are :read, :create, :update and :destroy.
+    #
+    # The second argument is the resource the user can perform the action on.
+    # If you pass :all it will apply to every resource. Otherwise pass a Ruby
+    # class of the resource.
+    #
+    # The third argument is an optional hash of conditions to further filter the
+    # objects.
+    # For example, here the user can only update published articles.
+    #
+    #   can :update, Article, published: true
+    #
+    # See the wiki for details:
+    # https://github.com/CanCanCommunity/cancancan/blob/develop/docs/define_check_abilities.md
+  end
+end

app/models/user.rb

@@ -1,4 +1,6 @@
 class User < ApplicationRecord
+  enum role: %i[user admin], _default: :user
+  before_create :set_default_role
   # Include default devise modules. Others available are:
   # :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
@@ -13,4 +15,11 @@ class User < ApplicationRecord
   def recent_posts(limit: 3)
     posts.order(created_at: :asc).limit(limit)
   end
+
+  private
+
+  def set_default_role
+    self.role = :admin if email.downcase == 'admin@gmail.com'
+    self.role ||= :user
+  end
 end

app/views/comments/new.html.erb

@@ -0,0 +1,5 @@
+<div class="col-lg-12 mb-5">
+    <%= render 'shared/show_post', post: @post, user: @user, like: @like %>
+    <%= render 'shared/full_comment', post: @post %>
+    <%= render 'shared/comment_form', comment: @comment %>
+</div>

app/views/posts/index.html.erb

@@ -1,12 +1,19 @@
 <div class="col-lg-12 mb-5">
    <%= render 'shared/show_user', user: @user %>
     <div class="mb-2 mt-2">
-    <%= link_to "Create New Post", new_user_post_path(current_user.id), class: 'btn btn-primary' %>
+        <% if can? :create, @post%>
+        <%= link_to "Create New Post", new_user_post_path(current_user.id), class: 'btn btn-primary' %>
+        <% end %>
+        <!-- <% if current_user == @user && can?(:create, Post) %>
+        <%= link_to "Create New Post(User)", new_user_post_path(current_user.id), class: 'btn btn-primary' %>
+        <% elsif current_user.admin? %>
+        <%= link_to "Create New Post(Admin)", new_user_post_path(current_user.id), class: 'btn btn-primary' %>
+        <% end %> -->
     </div>
    <% @user.posts.includes(:comments).order(created_at: :asc).each do |post| %>
         <%= render 'shared/post', post: post %>
         <%= render 'shared/comment', post: post %>
-        <%= link_to 'Add Comment', user_post_path(@user, post.id) ,class: " mt-1 col-lg-2 btn btn-primary btn-outline-warning border-primary" %>
+        <%= link_to 'Add Comment', new_user_post_comment_path(user_id: current_user.id, post_id: post.id) ,class: " mt-1 col-lg-2 btn btn-primary btn-outline-warning border-primary" %>
     <% end %>
     <div class="text-center mt-2">
         <button class="btn btn-primary">Pagination</button>

app/views/posts/show.html.erb

@@ -1,14 +1,5 @@
 <div class="col-lg-12 mb-5">
-    <div class="card">
-        <div class="card-body">
-            <div class="row">
-                <h3 class="font-weight-bold col-sm-7 mb-0"><%= @post.title %> By <%= @user.name %></h3>
-                <span class="card-text my-1 text-end col-sm-5">Comments: <%= @post.comments_counter %>, Likes: <%= @post.likes_counter %></span>
-            </div>
-            <p class="card-text mt-5"><%= @post.text %></p>
-            <%= render 'shared/like_form', like: @like, post: @post %>   
-        </div> 
-    </div>
+    <%= render 'shared/show_post'%>
+    <!-- <% Rails.logger.debug "Current User Role: #{@post.id}" %> -->
     <%= render 'shared/full_comment', post: @post %>
-    <%= render 'shared/comment_form', comment: @comment %> 
 </div>

app/views/shared/_comment.html.erb

@@ -4,7 +4,23 @@
         <p class="text-primary">No Comments to Show</p>
         <% else %>
         <% post.recent_comments.includes(:user).each do |comment| %> 
-        <p><strong><%= comment.user.name %>:</strong> <span class="text-primary"><%= comment.text %></span></p>
+        <p>
+            <strong><%= comment.user.name %>:</strong> <span class="text-primary"><%= comment.text %></span>
+            <% if can? :destroy, comment %>
+            <span>
+                <%= link_to 'Delete Comment', user_post_comment_path(current_user.id, post.id, comment), method: :delete, class: "btn btn-danger", data: {confirm: "Are you sure you want to delete this comment?" }  %>
+            </span>
+            <% end %>
+            <!-- <% if current_user == @user && can?(:delete, Comment) %>
+                <span>
+                    <%= link_to 'Delete(User)', user_post_comment_path(current_user.id, post.id, comment), method: :delete, class: "btn btn-danger", data: {confirm: "Are you sure you want to delete this comment?" }  %>
+                </span>
+            <% elsif current_user.admin? %>
+                <span>
+                    <%= link_to 'Delete(Admin)', user_posts_path(@user), method: :delete, class: "btn btn-danger", data: {confirm: "Are you sure you want to delete this comment?"}  %>
+                </span>
+            <% end %> -->
+        </p>
         <% end %>
         <% end %>
     </div>

app/views/shared/_comment_form.html.erb

@@ -1,4 +1,4 @@
-<%= form_with model: @comment, url: user_post_comments_path(current_user.id, @post) do |form| %>
+<%= form_with model: @comment, url: user_post_comments_path(user_id:current_user.id, post_id: @post) do |form| %>
   <div class="form-group">
     <%= form.text_field :text, class: "form-control form-control-lg col-lg-9", placeholder: "Add a comment..." %>
     <%= form.submit 'Add Comment', class: "mt-1 col-lg-3 btn btn-primary" %>

app/views/shared/_post.html.erb

@@ -1,6 +1,15 @@
 <div class="card mt-2">
     <div class="card-body">
         <h5><%= link_to "#{post.title}", user_post_path(@user, post.id), class: 'user-link' %></h5>
+        <!-- <% if can? :destroy, post %>
+          <%= link_to 'Delete Post', user_post_path(current_user.id, post.id), method: :delete, class: "btn btn-danger", confirm: "Are you sure you want to delete this post?"  %>
+        <% end %> -->
+        <!-- <% if current_user == @user && can?(:delete, Post) %>
+        <%= link_to 'Delete(User)', user_post_path(current_user.id, post.id), method: :delete, class: "btn btn-danger", confirm: "Are you sure you want to delete this post?"  %>
+        <% elsif current_user.admin? %>
+        <%= link_to 'Delete(Admin)', user_posts_path(@user), method: :delete, class: "btn btn-danger", confirm: "Are you sure you want to delete this post?"  %>
+        <% end %> -->
+
         <p class="card-text"><%= post.text.slice(0,150).concat('...') %></p>
         <%= render 'shared/like_form', like: @like, post: post %>
         <p class="card-text text-end">Comments: <%= post.comments_counter %>, Likes: <%= post.likes_counter %></p>

app/views/shared/_show_post.erb

@@ -0,0 +1,18 @@
+<div class="card">
+    <div class="card-body">
+        <div class="row">
+            <h3 class="font-weight-bold col-lg-10 mb-0"><%= @post.title %> By <%= @post.author.name %></h3>
+            <% if can? :destroy, @post %>
+            <span class="text-end col-lg-2">
+                <%= link_to 'Delete Post', user_post_path(current_user.id, @post.id), method: :delete, class: "btn btn-danger", confirm: "Are you sure you want to delete this post?"  %>
+            </span>
+            <% end %>
+        </div>
+        <div class= "row">
+            <span class="card-text my-1 text-end col-lg-12">Comments: <%= @post.comments_counter %>, Likes: <%= @post.likes_counter %></span>
+        </div>
+
+        <p class="card-text mt-5"><%= @post.text %></p>
+        <%= render 'shared/like_form', like: @like, post: @post %>   
+    </div> 
+</div>

app/views/users/show.html.erb

@@ -1,7 +1,14 @@
 <div class="col-lg-12">
     <%= render 'shared/show_user', user: @user %>
     <div class="mb-2 mt-2">
+        <% if can? :create, @post%>
         <%= link_to "Create New Post", new_user_post_path(current_user.id), class: 'btn btn-primary' %>
+        <% end %>
+            <!-- <% if current_user == @user && can?(:create, Post) %>
+                <%= link_to "Create New Post(User)", new_user_post_path(current_user.id), class: 'btn btn-primary' %>
+            <% elsif current_user.admin? %>
+              <%= link_to "Create New Post(Admin)", new_user_post_path(current_user.id), class: 'btn btn-primary' %>
+            <% end %> -->
     </div>
     <div class="card mb-3">
         <h5 class="card-header">Bio</h5>

db/migrate/20231214164921_add_role_to_users.rb

@@ -0,0 +1,5 @@
+class AddRoleToUsers < ActiveRecord::Migration[7.0]
+  def change
+    add_column :users, :role, :integer
+  end
+end