Require authorization for RfCs and remove obsolete routes

2020-10-28 13:24:44 +01:00
parent e8d274a4a4
commit 4d5e00fde5
2 changed files with 5 additions and 18 deletions
--- a/app/controllers/request_for_comments_controller.rb
+++ b/app/controllers/request_for_comments_controller.rb
@ -2,7 +2,7 @@ class RequestForCommentsController < ApplicationController
  include SubmissionScoring
  before_action :set_request_for_comment, only: [:show, :edit, :update, :destroy, :mark_as_solved, :set_thank_you_note]

-  skip_after_action :verify_authorized
+  before_action :require_user!

  def authorize!
    authorize(@request_for_comments || @request_for_comment)
@ -26,11 +26,12 @@ class RequestForCommentsController < ApplicationController
  def get_my_comment_requests
    @search = RequestForComment
                  .with_last_activity
-                  .where(user_id: current_user.id)
+                  .where(user_id: current_user&.id)
                  .ransack(params[:q])
    @request_for_comments = @search.result
                                .order('created_at DESC')
                                .paginate(page: params[:page])
+    authorize!
    render 'index'
  end

@ -44,6 +45,7 @@ class RequestForCommentsController < ApplicationController
    @request_for_comments = @search.result
                                .order('last_comment DESC')
                                .paginate(page: params[:page])
+    authorize!
    render 'index'
  end

@ -83,10 +85,6 @@ class RequestForCommentsController < ApplicationController
    authorize!
  end

-  # GET /request_for_comments/1/edit
-  def edit
-  end
-
  # POST /request_for_comments.json
  def create
    # Consider all requests as JSON
@ -111,17 +109,6 @@ class RequestForCommentsController < ApplicationController
    authorize!
  end

-  # DELETE /request_for_comments/1
-  # DELETE /request_for_comments/1.json
-  def destroy
-    @request_for_comment.destroy
-    respond_to do |format|
-      format.html { redirect_to request_for_comments_url, notice: 'Request for comment was successfully destroyed.' }
-      format.json { head :no_content }
-    end
-    authorize!
-  end
-
  private
    # Use callbacks to share common setup or constraints between actions.
  def set_request_for_comment