Properly nest UserExerciseFeedback

Fixes CODEOCEAN-108
2023-11-23 01:08:28 +01:00
parent b43dfa364e
commit e9f099d59f
7 changed files with 41 additions and 40 deletions
--- a/app/controllers/concerns/redirect_behavior.rb
+++ b/app/controllers/concerns/redirect_behavior.rb
@ -61,9 +61,9 @@ module RedirectBehavior
  def redirect_to_user_feedback
    uef = UserExerciseFeedback.find_by(exercise: @submission.exercise, user: current_user)
    url = if uef
-            edit_user_exercise_feedback_path(uef)
+            edit_exercise_user_exercise_feedback_path(uef, exercise_id: @submission.exercise)
          else
-            new_user_exercise_feedback_path(user_exercise_feedback: {exercise_id: @submission.exercise.id})
+            new_exercise_user_exercise_feedback_path(exercise_id: @submission.exercise)
          end

    respond_to do |format|
--- a/app/controllers/user_exercise_feedbacks_controller.rb
+++ b/app/controllers/user_exercise_feedbacks_controller.rb
@ -3,6 +3,7 @@
 class UserExerciseFeedbacksController < ApplicationController
  include CommonBehavior

+  before_action :set_exercise_and_authorize
  before_action :set_user_exercise_feedback, only: %i[edit update destroy]
  before_action :set_presets, only: %i[new edit create update]

@ -23,24 +24,15 @@ class UserExerciseFeedbacksController < ApplicationController
  end

  def new
-    exercise_id = if params[:user_exercise_feedback].nil?
-                    params[:exercise_id]
-                  else
-                    params[:user_exercise_feedback][:exercise_id]
-                  end
-    @exercise = Exercise.find(exercise_id)
    @uef = UserExerciseFeedback.find_or_initialize_by(user: current_user, exercise: @exercise)
    authorize!
  end

-  def edit
-    authorize!
-  end
+  def edit; end

  def create
    Sentry.set_extras(params: uef_params)

-    @exercise = Exercise.find(uef_params[:exercise_id])
    rfc = RequestForComment.unsolved.where(exercise: @exercise, user: current_user).first
    submission = begin
      current_contributor.submissions.where(exercise: @exercise).order(created_at: :desc).first
@ -48,22 +40,20 @@ class UserExerciseFeedbacksController < ApplicationController
      nil
    end

-    if @exercise
-      @uef = UserExerciseFeedback.find_or_initialize_by(user: current_user, exercise: @exercise)
-      @uef.update(uef_params)
-      authorize!
-      if validate_inputs(uef_params)
-        path =
-          if rfc && submission && submission.normalized_score.to_d == BigDecimal('1.0')
-            request_for_comment_path(rfc)
-          else
-            implement_exercise_path(@exercise)
-          end
-        create_and_respond(object: @uef, path: proc { path })
-      else
-        flash.now[:danger] = t('shared.message_failure')
-        redirect_back fallback_location: user_exercise_feedback_path(@uef)
-      end
+    @uef = UserExerciseFeedback.find_or_initialize_by(user: current_user, exercise: @exercise)
+    @uef.assign_attributes(uef_params)
+    authorize!
+    if validate_inputs(uef_params)
+      path =
+        if rfc && submission && submission.normalized_score.to_d == BigDecimal('1.0')
+          request_for_comment_path(rfc)
+        else
+          implement_exercise_path(@exercise)
+        end
+      create_and_respond(object: @uef, path: proc { path })
+    else
+      flash.now[:danger] = t('shared.message_failure')
+      redirect_back fallback_location: exercise_user_exercise_feedback_path(@uef)
    end
  end

@ -75,7 +65,7 @@ class UserExerciseFeedbacksController < ApplicationController
    end
    rfc = RequestForComment.unsolved.where(exercise: @exercise, user: current_user).first
    authorize!
-    if @exercise && validate_inputs(uef_params)
+    if validate_inputs(uef_params)
      path =
        if rfc && submission && submission.normalized_score.to_d == BigDecimal('1.0')
          request_for_comment_path(rfc)
@ -85,7 +75,7 @@ class UserExerciseFeedbacksController < ApplicationController
      update_and_respond(object: @uef, params: uef_params, path:)
    else
      flash.now[:danger] = t('shared.message_failure')
-      redirect_back fallback_location: user_exercise_feedback_path(@uef)
+      redirect_back fallback_location: exercise_user_exercise_feedback_path(@uef)
    end
  end

@ -97,16 +87,19 @@ class UserExerciseFeedbacksController < ApplicationController
  private

  def authorize!
-    authorize(@uef || @uefs)
+    raise Pundit::NotAuthorizedError if @uef.present? && @uef.exercise != @exercise
+
+    authorize(@uef)
  end

-  def to_s
-    name
+  def set_exercise_and_authorize
+    @exercise = Exercise.find(params[:exercise_id])
+    authorize(@exercise, :implement?)
  end

  def set_user_exercise_feedback
    @uef = UserExerciseFeedback.find(params[:id])
-    @exercise = @uef.exercise
+    authorize!
  end

  def set_presets
--- a/app/models/user_exercise_feedback.rb
+++ b/app/models/user_exercise_feedback.rb
@ -22,4 +22,8 @@ class UserExerciseFeedback < ApplicationRecord
      .order(created_at: :desc)
      .first
  end
+
+  def self.parent_resource
+    Exercise
+  end
 end
--- a/app/policies/user_exercise_feedback_policy.rb
+++ b/app/policies/user_exercise_feedback_policy.rb
@ -8,4 +8,9 @@ class UserExerciseFeedbackPolicy < AdminOrAuthorPolicy
  def new?
    everyone
  end
+
+  def show?
+    # We don't have a show action, so no one can show a UserExerciseFeedback directly.
+    no_one
+  end
 end
--- a/app/views/user_exercise_feedbacks/_form.html.slim
+++ b/app/views/user_exercise_feedbacks/_form.html.slim
@ -1,4 +1,4 @@
-= form_for(@uef) do |f|
+= form_for([@exercise, @uef]) do |f|
  div
    h1 id="exercise-headline"
      = t('activerecord.models.user_exercise_feedback.one') + " " + @exercise.title