diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 046a8e5d..bab5c90e 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -1,6 +1,15 @@
class CommentsController < ApplicationController
before_action :set_comment, only: %i[ show edit update destroy ]
+ before_action :authorized_user, only: [:destroy, :create ]
+
+ def authorized_user
+ @photo = photo.find(params.fetch(:comment).fetch(:photo_id))
+
+ if @photo.owner == @user || !@photo.owner.private? || current_user.leaders.include?(@photo.owner)
+ redirect_back(fallback_location: root_url, "Not Authorized User")
+ end
+
# GET /comments or /comments.json
def index
@comments = Comment.all
@@ -68,3 +77,4 @@ def comment_params
params.require(:comment).permit(:author_id, :photo_id, :body)
end
end
+#comment
diff --git a/app/controllers/likes_controller.rb b/app/controllers/likes_controller.rb
index 2391ddd7..0957485c 100644
--- a/app/controllers/likes_controller.rb
+++ b/app/controllers/likes_controller.rb
@@ -1,5 +1,11 @@
class LikesController < ApplicationController
before_action :set_like, only: %i[ show edit update destroy ]
+ # before_action :authorized_user, only: [:destroy, :create ]
+
+ # def authorized_user
+ # if @like.owner == @user || !@like.owner.private? || current_user.leaders.include?(@like.owner)
+ # redirect_back(fallback_location: root_url, "Not Authorized User")
+ # end
# GET /likes or /likes.json
def index
diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
index 78e53163..3feef330 100644
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@@ -1,5 +1,12 @@
class PhotosController < ApplicationController
before_action :set_photo, only: %i[ show edit update destroy ]
+ before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit]
+
+ def ensure_current_user_is_owner
+ if current_user != @photo.owner
+ redirect_back fallback_location: root_url, alert: "You're not authorized for that."
+ end
+ end
# GET /photos or /photos.json
def index
@@ -50,13 +57,19 @@ def update
# DELETE /photos/1 or /photos/1.json
def destroy
+ #if current_user == @photo.owner
@photo.destroy
respond_to do |format|
format.html { redirect_back fallback_location: root_url, notice: "Photo was successfully destroyed." }
format.json { head :no_content }
end
+ else
+ # redirect_back(fallback_location: root_url, notice: "Sorry, only the photo owner can delete the photo")
+ #end
end
+
+
private
# Use callbacks to share common setup or constraints between actions.
def set_photo
diff --git a/app/models/comment.rb b/app/models/comment.rb
index 14a8eb00..0761b0e8 100644
--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -22,6 +22,7 @@
class Comment < ApplicationRecord
belongs_to :author, class_name: "User", counter_cache: true
belongs_to :photo, counter_cache: true
+ has_one :owner, through: :photo
validates :body, presence: true
end
diff --git a/app/models/like.rb b/app/models/like.rb
index 1b885ab9..6fc67da0 100644
--- a/app/models/like.rb
+++ b/app/models/like.rb
@@ -21,6 +21,7 @@
class Like < ApplicationRecord
belongs_to :fan, class_name: "User", counter_cache: true
belongs_to :photo, counter_cache: true
+ has_one :owner, through: :photo
validates :fan_id, uniqueness: { scope: :photo_id, message: "has already liked this photo" }
end
diff --git a/app/views/comments/_comment.html.erb b/app/views/comments/_comment.html.erb
index a7ee4c56..e0d0ed99 100644
--- a/app/views/comments/_comment.html.erb
+++ b/app/views/comments/_comment.html.erb
@@ -10,6 +10,8 @@
<%= comment.body %>
+
+
<%= link_to edit_comment_path(comment), class: "btn btn-link btn-sm text-muted" do %>
<% end %>
@@ -17,6 +19,7 @@
<%= link_to comment, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %>
<% end %>
+
diff --git a/app/views/photos/_photo.html.erb b/app/views/photos/_photo.html.erb
index f0de50b8..d1733641 100644
--- a/app/views/photos/_photo.html.erb
+++ b/app/views/photos/_photo.html.erb
@@ -7,13 +7,15 @@
+ <% if current_user == photo.owner %>
<%= link_to edit_photo_path(photo), class: "btn btn-link btn-sm text-muted" do %>
<% end %>
-
+
<%= link_to photo, data: { turbo_method: :delete }, class: "btn btn-link btn-sm text-muted" do %>
<% end %>
+ <% end %>
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
index 5656d7d5..83ec84a6 100644
--- a/app/views/users/show.html.erb
+++ b/app/views/users/show.html.erb
@@ -4,6 +4,7 @@
+<% if current_user == @user || !@user.private? || current_user.leaders.include?(@user) %>
<%= render "users/profile_nav", user: @user %>
@@ -17,3 +18,4 @@
<% end %>
+<% end %>
diff --git a/config/routes.rb b/config/routes.rb
index 47050a54..53545094 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -4,9 +4,9 @@
devise_for :users
resources :comments
- resources :follow_requests
- resources :likes
- resources :photos
+ resources :follow_requests, except: [:index, :show, :new, :edit]
+ resources :likes, only: [:create, :destroy]
+ resources :photos, except: [:index]
get ":username" => "users#show", as: :user
get ":username/liked" => "users#liked", as: :liked
@@ -14,4 +14,4 @@
get ":username/discover" => "users#discover", as: :discover
get ":username/followers" => "users#followers", as: :followers
get ":username/following" => "users#following", as: :following
-end
\ No newline at end of file
+end