julianrubisch · November 10, 2021 08:59
diff --git a/10-application-controller.rb b/10-application-controller.rb
 class ApplicationController < ActionController::Base
  include Pundit
 end
diff --git a/10-application-reflex-2.rb b/10-application-reflex-2.rb
 # app/reflexes/application_reflex.rb

 class ApplicationReflex < StimulusReflex::Reflex
  include Pundit

  rescue_from Pundit::NotAuthorizedError do |exception|
    cable_ready
      .inner_html(selector: "#alert", html: exception.message)
      .remove_css_class(name: "hidden")
      .broadcast
  end

  delegate :current_user, to: :connection
 end
diff --git a/10-application-reflex.rb b/10-application-reflex.rb
 class ApplicationReflex < StimulusReflex::Reflex
  include Pundit

  delegate :current_user, to: :connection
 end
diff --git a/10-bundle-add-pundit.sh b/10-bundle-add-pundit.sh
 $ bundle add pundit
 $ bin/rails g pundit:install
diff --git a/10-embed-controller.js b/10-embed-controller.js
 import ApplicationController from "./application_controller";

 export default class extends ApplicationController {
  connect() {
    super.connect();
  }

  destroyHalted() {
    alert("You are not allowed to destroy this embed!");
  }
 }
diff --git a/10-embed-destroy-button.erb b/10-embed-destroy-button.erb
 <!-- app/view/embeds/_embed.html.erb -->

 <%= link_to "#", class: "absolute top-0 right-0 m-2", data: {
  reflex: "click->Embed#destroy",
  reflex_dataset: "ancestors"
 } do %>
  <i class="fas fa-times text-gray-400"></i> 
 <% end %>
diff --git a/10-embed-policy.rb b/10-embed-policy.rb
 # app/policies/embed_policy.rb

 class EmbedPolicy < ApplicationPolicy
  attr_reader :user, :embed

  def initialize(user, embed)
    @user = user
    @embed = embed
  end

  def destroy?
    embed.board.owner == user
  end
 end
diff --git a/10-embed-reflex-abort-meta.rb b/10-embed-reflex-abort-meta.rb
 # app/reflexes/embed_reflex.rb

 class EmbedReflex < ApplicationReflex
  # ...

  before_reflex only: [:destroy, :update] do
    @embed = element.signed[:sgid]

    throw :abort unless policy(@embed).send("#{action_name}?")
  end

  # ...
 end
diff --git a/10-embed-reflex-abort.rb b/10-embed-reflex-abort.rb
 # app/reflexes/embed_reflex.rb

 class EmbedReflex < ApplicationReflex
  # ...

  before_reflex only: :destroy do
    @embed = element.signed[:sgid]

    throw :abort unless policy(@embed).destroy?
  end

  # ...
 end
diff --git a/10-embed-reflex-destroy-action-authorized.rb b/10-embed-reflex-destroy-action-authorized.rb
 # app/reflexes/embed_reflex.rb
 class EmbedReflex < ApplicationReflex
  # ...

  def destroy
    @embed = element.signed[:sgid]

    authorize @embed # <= here
    @embed.destroy
  end
 end
diff --git a/10-embed-reflex-destroy-action.rb b/10-embed-reflex-destroy-action.rb
 # app/reflexes/embed_reflex.rb
 class EmbedReflex < ApplicationReflex
  # ...

  def destroy
    @embed = element.signed[:sgid]
    @embed.destroy
  end
 end
diff --git a/10-generate-embed-policy.sh b/10-generate-embed-policy.sh
 $ bin/rails g pundit:policy embed
	class ApplicationController < ActionController::Base
	include Pundit
	end
	# app/reflexes/application_reflex.rb

	class ApplicationReflex < StimulusReflex::Reflex
	include Pundit

	rescue_from Pundit::NotAuthorizedError do \|exception\|
	cable_ready
	.inner_html(selector: "#alert", html: exception.message)
	.remove_css_class(name: "hidden")
	.broadcast
	end

	delegate :current_user, to: :connection
	end
	import ApplicationController from "./application_controller";

	export default class extends ApplicationController {
	connect() {
	super.connect();
	}

	destroyHalted() {
	alert("You are not allowed to destroy this embed!");
	}
	}
	<!-- app/view/embeds/_embed.html.erb -->

	<%= link_to "#", class: "absolute top-0 right-0 m-2", data: {
	reflex: "click->Embed#destroy",
	reflex_dataset: "ancestors"
	} do %>
	<i class="fas fa-times text-gray-400"></i>
	<% end %>
	# app/policies/embed_policy.rb

	class EmbedPolicy < ApplicationPolicy
	attr_reader :user, :embed

	def initialize(user, embed)
	@user = user
	@embed = embed
	end

	def destroy?
	embed.board.owner == user
	end
	end
	# app/reflexes/embed_reflex.rb

	class EmbedReflex < ApplicationReflex
	# ...

	before_reflex only: [:destroy, :update] do
	@embed = element.signed[:sgid]

	throw :abort unless policy(@embed).send("#{action_name}?")
	end

	# ...
	end