From 8ef615ffaa1ce63fe9785eaa8971e3d1104916f0 Mon Sep 17 00:00:00 2001
From: Maximilian Grundke
Date: Wed, 27 Apr 2016 17:16:23 +0200
Subject: [PATCH] Correctly authorize comment deletion

---
 app/controllers/comments_controller.rb | 5 ++---
 app/policies/comment_policy.rb | 8 +-------
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 7e008d07..82e892b8 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -111,9 +111,8 @@ class CommentsController < ApplicationController
   end
 
   def destroy
-    @comments = Comment.where(file_id: params[:file_id], row: params[:row])
-    authorize!
-    @comments.delete_all
+    @comments = Comment.where(file_id: params[:file_id], row: params[:row], user: current_user)
+    @comments.each { |comment| authorize comment; comment.destroy }
     respond_to do |format|
       #format.html { redirect_to comments_url, notice: 'Comments were successfully destroyed.' }
       format.html { head :no_content, notice: 'Comments were successfully destroyed.' }
diff --git a/app/policies/comment_policy.rb b/app/policies/comment_policy.rb
index 84e7a0ed..091ed5e2 100644
--- a/app/policies/comment_policy.rb
+++ b/app/policies/comment_policy.rb
@@ -1,12 +1,6 @@
 class CommentPolicy < ApplicationPolicy
   def author?
-    if @record.is_a?(ActiveRecord::Relation)
-      flag = true
-      @record.all {|item| flag = (flag and item.author == @user)}
-      flag
-    else
-      @user == @record.author
-    end
+    @user == @record.author
   end
 
   private :author?
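Review bot: `authorize comment` can raise partway through the `each` on the second added line of the `destroy` hunk, and every comment destroyed before that point stays deleted, so a failed check on one record leaves the row half-deleted; the loop should run inside `Comment.transaction` so an authorization failure rolls back the earlier destroys. `comment.destroy` also returns false rather than raising when a callback halts it, and the `head :no_content` response that follows then reports success regardless, so `destroy!` is the safer call here. The semicolon-joined single-line block reads better as a `do … end` block. Note that with the query now scoped by `user: current_user`, a request for a row whose comments belong to someone else matches nothing and still answers 'successfully destroyed'; whether that is intended is not visible here. The `destroy` action continues past the end of the hunk.
```ruby
def destroy
  @comments = Comment.where(file_id: params[:file_id], row: params[:row], user: current_user)
  Comment.transaction do
    @comments.each do |comment|
      authorize comment
      comment.destroy!
    end
  end
  # … unchanged: respond_to block …
```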
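Review bot: The new one-line `author?` returns true when both `@user` and `@record.author` are nil, so an unauthenticated request against a comment whose author is missing would pass as its author if the policy's action predicates are built on this method (those predicates are outside the hunk, so whether a nil user can reach it is an inference); guard it with `return false if @user.nil?` before the comparison. Dropping the Relation branch also means any remaining caller that passes an `ActiveRecord::Relation` to this policy now fails with `NoMethodError` on `.author` instead of getting a combined answer, which matches the per-record `authorize` in the controller change of this commit but deserves a comment such as `# expects a single Comment; collections must be authorized record by record`. The hunk covers the whole `author?` method; its callers and `ApplicationPolicy` are not visible.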