From 073fb42852b79463d57945ef7d07b4d8daaadeeb Mon Sep 17 00:00:00 2001 From: Brian Waddell <139478254+Brian-Waddell@users.noreply.github.com> Date: Thu, 26 Oct 2023 20:25:24 +0000 Subject: [PATCH 1/3] patching security holes routes --- app/controllers/photos_controller.rb | 13 +++++++++++++ config/routes.rb | 8 ++++---- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb index 78e53163..3feef330 100644 --- a/app/controllers/photos_controller.rb +++ b/app/controllers/photos_controller.rb @@ -1,5 +1,12 @@ class PhotosController < ApplicationController before_action :set_photo, only: %i[ show edit update destroy ] + before_action :ensure_current_user_is_owner, only: [:destroy, :update, :edit] + + def ensure_current_user_is_owner + if current_user != @photo.owner + redirect_back fallback_location: root_url, alert: "You're not authorized for that." + end + end # GET /photos or /photos.json def index @@ -50,13 +57,19 @@ def update # DELETE /photos/1 or /photos/1.json def destroy + #if current_user == @photo.owner @photo.destroy respond_to do |format| format.html { redirect_back fallback_location: root_url, notice: "Photo was successfully destroyed." } format.json { head :no_content } end + else + # redirect_back(fallback_location: root_url, notice: "Sorry, only the photo owner can delete the photo") + #end end + + private # Use callbacks to share common setup or constraints between actions. def set_photo diff --git a/config/routes.rb b/config/routes.rb index 47050a54..53545094 100644 --- a/config/routes.rb +++ b/config/routes.rb 
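Review bot: `ensure_current_user_is_owner` is declared above `private` in the first hunk, so it is a public method on the controller alongside the real actions; as a callback it belongs under `private` next to `set_photo`. The declaration order does work: `set_photo` is registered first, so `@photo` is loaded before the ownership check runs, and a redirect inside a before_action halts the chain without an explicit `return`. A short comment would make the intent clear to the next reader, e.g. `# Halts edit/update/destroy unless current_user owns @photo.` above the `def`. Unauthenticated requests also hit this path (a nil `current_user` is never equal to the owner), which is fine as long as a Devise `authenticate_user!` filter is expected elsewhere — not visible in this patch.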
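Review bot: In the `destroy` hunk the added `else` line is live Ruby while the `#if current_user == @photo.owner` and `#end` around it are comments, so the method body contains a bare `else` with no matching `if` and the file no longer parses. Ownership is now enforced by the `ensure_current_user_is_owner` before_action in the first hunk, so this half-commented guard is dead code; delete the four added lines (`#if …`, `else`, `# redirect_back(…)`, `#end`) rather than keep them. The two blank lines inserted before `private` can be dropped at the same time.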
@@ -4,9 +4,9 @@ devise_for :users resources :comments - resources :follow_requests - resources :likes - resources :photos + resources :follow_requests, except: [:index, :show, :new, :edit] + resources :likes, only: [:create, :destroy] + resources :photos, except: [:index] get ":username" => "users#show", as: :user get ":username/liked" => "users#liked", as: :liked @@ -14,4 +14,4 @@ get ":username/discover" => "users#discover", as: :discover get ":username/followers" => "users#followers", as: :followers get ":username/following" => "users#following", as: :following -end \ No newline at end of file +end From a676a7de0bbb35511b08bef268d3fb7024fb9cf2 Mon Sep 17 00:00:00 2001 From: Brian Waddell <139478254+Brian-Waddell@users.noreply.github.com> Date: Thu, 26 Oct 2023 21:29:10 +0000 Subject: [PATCH 2/3] Only users can comment on a photo/ protecting comments --- app/controllers/comments_controller.rb | 9 +++++++++ app/controllers/likes_controller.rb | 6 ++++++ app/models/comment.rb | 1 + app/models/like.rb | 1 + app/views/comments/_comment.html.erb | 3 +++ app/views/photos/_photo.html.erb | 4 +++- app/views/users/show.html.erb | 2 ++ 7 files changed, 25 insertions(+), 1 deletion(-) diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb index 046a8e5d..f8347e02 100644 --- a/app/controllers/comments_controller.rb +++ b/app/controllers/comments_controller.rb @@ -1,6 +1,15 @@ class CommentsController < ApplicationController before_action :set_comment, only: %i[ show edit update destroy ] + before_action :authorized_user, only: [:destroy, :create ] + + def authorized_user + @photo = photo.find(params.fetch(:comment).fetch(:photo_id)) + + if @photo.owner == @user || !@photo.owner.private? || current_user.leaders.include?(@photo.owner) + redirect_back(fallback_location: root_url, "Not Authorized User") + end + # GET /comments or /comments.json def index @comments = Comment.all 
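Review bot: `resources :comments` on the context line just above the change is left fully exposed (index, show, new, edit included) while `likes` and `follow_requests` are trimmed to the actions actually used, and `resources :photos, except: [:index]` removes the index route even though `PhotosController#index` is still defined in the first patch. For consistency consider `resources :comments, only: [:create, :update, :destroy]`, and remove the now-unroutable `index` action so dead actions do not linger. Narrowing routes shrinks the surface but is not an authorization check; whether the remaining `follow_requests` update/destroy actions verify ownership is not visible in this patch.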
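Review bot: `authorized_user` in the comments_controller.rb hunk does not parse: the `end` after `redirect_back` closes the `if`, so the `def` is never closed and `index` ends up nested inside it, and `redirect_back(fallback_location: root_url, "Not Authorized User")` places a positional argument after a keyword argument. Beyond syntax, `photo.find` should be `Photo.find`, `@user` is never assigned in this controller (presumably `current_user` was meant), and the condition is inverted — it redirects exactly when the user is the owner, the owner is public, or the user follows the owner, i.e. the cases that should be allowed. For `destroy` no `comment` param is submitted, so `params.fetch(:comment)` raises instead of authorizing; that action should be checked against `@comment`, which `set_comment` already loads, e.g. `redirect_back(fallback_location: root_url, alert: "Not Authorized User") unless @comment.author == current_user`. The commented-out copy in likes_controller.rb carries the same inverted condition and `@user` reference.
```ruby
  before_action :authorized_user, only: [:create]

  # … unchanged: index and the other actions …

  # Halts create unless current_user may comment on the target photo:
  # the owner, anyone when the owner is public, or a follower of a private owner.
  def authorized_user
    @photo = Photo.find(params.fetch(:comment).fetch(:photo_id))
    owner = @photo.owner
    allowed = owner == current_user || !owner.private? || current_user.leaders.include?(owner)
    redirect_back(fallback_location: root_url, alert: "Not Authorized User") unless allowed
  end
```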
diff --git a/app/controllers/likes_controller.rb b/app/controllers/likes_controller.rb index 2391ddd7..0957485c 100644 --- a/app/controllers/likes_controller.rb +++ b/app/controllers/likes_controller.rb @@ -1,5 +1,11 @@ class LikesController < ApplicationController before_action :set_like, only: %i[ show edit update destroy ] + # before_action :authorized_user, only: [:destroy, :create ] + + # def authorized_user + # if @like.owner == @user || !@like.owner.private? || current_user.leaders.include?(@like.owner) + # redirect_back(fallback_location: root_url, "Not Authorized User") + # end # GET /likes or /likes.json def index diff --git a/app/models/comment.rb b/app/models/comment.rb index 14a8eb00..0761b0e8 100644 --- a/app/models/comment.rb +++ b/app/models/comment.rb @@ -22,6 +22,7 @@ class Comment < ApplicationRecord belongs_to :author, class_name: "User", counter_cache: true belongs_to :photo, counter_cache: true + has_one :owner, through: :photo validates :body, presence: true end diff --git a/app/models/like.rb b/app/models/like.rb index 1b885ab9..6fc67da0 100644 --- a/app/models/like.rb +++ b/app/models/like.rb @@ -21,6 +21,7 @@ class Like < ApplicationRecord belongs_to :fan, class_name: "User", counter_cache: true belongs_to :photo, counter_cache: true + has_one :owner, through: :photo validates :fan_id, uniqueness: { scope: :photo_id, message: "has already liked this photo" } end diff --git a/app/views/comments/_comment.html.erb b/app/views/comments/_comment.html.erb index a7ee4c56..e0d0ed99 100644 --- a/app/views/comments/_comment.html.erb +++ b/app/views/comments/_comment.html.erb @@ -10,6 +10,8 @@
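Review bot: The entire `authorized_user` guard in the likes_controller.rb hunk is commented out, so `LikesController#create` and `#destroy` stay unauthorized even though the routes now expose exactly those two actions; either finish the check or leave the dead block out of the merge. If it is revived, note that `set_like` runs only for `show edit update destroy`, so `@like` is nil on `create` and the check would have to load the photo from `params` for that action, while `destroy` can use the `@like.owner` association added to like.rb in this same patch.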
<%= comment.body %>