Correctly authorize comment deletion

2016-04-27 17:16:23 +02:00
parent 57b773698b
commit 8ef615ffaa
2 changed files with 3 additions and 10 deletions
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@ -111,9 +111,8 @@ class CommentsController < ApplicationController
  end

  def destroy
-    @comments = Comment.where(file_id: params[:file_id], row: params[:row])
-    authorize!
-    @comments.delete_all
+    @comments = Comment.where(file_id: params[:file_id], row: params[:row], user: current_user)
+    @comments.each { |comment| authorize comment; comment.destroy }
    respond_to do |format|
      #format.html { redirect_to comments_url, notice: 'Comments were successfully destroyed.' }
      format.html { head :no_content, notice: 'Comments were successfully destroyed.' }
--- a/app/policies/comment_policy.rb
+++ b/app/policies/comment_policy.rb
@ -1,13 +1,7 @@
 class CommentPolicy < ApplicationPolicy
  def author?
-    if @record.is_a?(ActiveRecord::Relation)
-      flag = true
-      @record.all {|item| flag = (flag and item.author == @user)}
-      flag
-    else
    @user == @record.author
  end
-  end
  private :author?

  def create?