Add authorization rules #10
Conversation
Hi @laiifuu @tarikbouari ,
Good job so far!
There are some issues that you still need to work on to go to the next project but you are almost there!
Highlights
✔️ Great commit messages
✔️ PRO PR
✔️ No linter error
Required Changes ♻️
Check the comments under the review.
Optional suggestions
No comment with the [OPTIONAL] prefix is crucial enough to stop the approval of this PR. However, I strongly recommend that you take them into account, as they can make your code better.
Cheers and Happy coding!👏👏👏
Feel free to leave any questions or comments in the PR thread if something is not 100% clear.
Please, remember to tag me in your question so I can receive the notification.
Please, do not open a new Pull Request for re-reviews. You should use the same Pull Request submitted for the first review, either valid or invalid unless it is requested otherwise.
As described in the Code reviews limits policy you have a limited number of reviews per project (check the exact number in your Dashboard). If you think that the code review was not fair, you can request a second opinion using this form.
app/models/ability.rb
Outdated
def initialize(user)
  can :read, Post, :all
  can(%i[create destroy], Post, user:)
  can(:destroy, Comment, user:)
  can :manage, :all if user.role == 'admin'
end
end
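Review bot: the hash conditions in `can(%i[create destroy], Post, user:)` and `can(:destroy, Comment, user:)` expand (Ruby 3.1 shorthand) to `user: user`, so they only match records that expose a `user` attribute; this PR's User model declares `has_many :comments, foreign_key: :author_id`, so Comment rows carry `author_id`, not `user_id`, and CanCanCan will call `comment.user` and fail rather than match. Write the condition against the real association, `can(:destroy, Comment, author: user)`, and do the same for Post if it uses the same foreign key. Two smaller points in the same block: `can :read, Post, :all` passes `:all` as an extra argument, where `can :read, Post` is the form the gem expects, and `user.role == 'admin'` compares against a string while `User::ROLES` in this PR is a symbol array, so a role stored or seeded as `:admin` would never grant `manage :all`; pick one representation for roles and use it in both places.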
- a user can delete all users' posts if they have the role admin: when I add the role admin to the user, I'm unable to delete all the posts, so please make sure to fix that.
@@ -31,4 +31,12 @@ def create | |||
|
|||
redirect_to user_posts_path | |||
end | |||
|
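Review bot: the hunk header `@@ -31,4 +31,12 @@ def create` says eight lines were added to PostsController around `create`, but none of the added lines survive in this view and nothing visible wires app/models/ability.rb into the controller; `redirect_to user_posts_path` runs with no `authorize!` in sight. Add `load_and_authorize_resource` at the top of PostsController so every action loads `@post` and runs `authorize!` against it before the action body, and add `rescue_from CanCan::AccessDenied` in ApplicationController so a denied request gets a redirect or a 403 instead of a 500. Without the before-action the rules are only consulted where a view happens to call `can?`, and a direct DELETE request bypasses them entirely.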
- it would be better if you add load_and_authorize_resource to the PostsController in order to authorize the resource, which is the post, as required.
Addressed
@@ -8,6 +8,8 @@ class User < ApplicationRecord | |||
has_many :likes, foreign_key: :author_id | |||
has_many :comments, foreign_key: :author_id | |||
|
|||
ROLES = %i[admin user].freeze | |||
|
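Review bot: `ROLES = %i[admin user].freeze` is a list of symbols, but the Ability class in this PR compares `user.role == 'admin'` with a string, and a `role` column read back from the database is a String, so any `validates :role, inclusion: { in: ROLES }` written against this constant would reject every persisted value. Use `ROLES = %w[admin user].freeze` (or compare with `ROLES.map(&:to_s)`), add the inclusion validation, and give `role` a default of 'user' so a freshly created account never has a nil role that silently fails every check. The `has_many :comments, foreign_key: :author_id` line two lines up also fixes the column name the Ability rule for Comment must match on: `author: user`, not `user:`.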
- you should also add a method that checks if the user is admin or not, like
def admin?
  role == 'admin' # inside User, `role` is the record's own attribute; `user` is not defined here
end
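To check the rules discussed in the ability.rb comment and the admin? suggestion above without booting Rails, here is an added example (not code from this PR or from the CanCanCan gem). The `Ability` class below is a small stand-in that reproduces the three CanCanCan behaviours the PR relies on (`:manage` matches every action, `:all` matches every subject, and a condition hash must match the record's attributes); the Struct models, the `PrAbility`/`FixedAbility` split and the `demo` helper are assumptions made for the illustration. One difference worth knowing: the real gem raises NoMethodError when a condition names an attribute the record lacks, where the stand-in simply treats it as no match.

```ruby
# Added example, not the project's code: a stand-in for CanCanCan rule
# matching, so the PR's Ability rules can be exercised offline.

# Constructed models. Comment/Post expose `author`, matching the PR's
# `has_many :comments, foreign_key: :author_id` on User.
User = Struct.new(:id, :role, keyword_init: true) do
  # The helper the review asks for; `role` is the record's own attribute.
  def admin?
    role == 'admin'
  end
end
Post    = Struct.new(:id, :author, keyword_init: true)
Comment = Struct.new(:id, :author, keyword_init: true)

# Minimal rule engine with the semantics the PR depends on.
class Ability
  Rule = Struct.new(:actions, :subject, :conditions)

  def initialize(user)
    @rules = []
    define_rules(user)
  end

  # can(:destroy, Comment, author: user) stores one rule; `can?` consults all.
  def can(actions, subject, conditions = {})
    @rules << Rule.new(Array(actions), subject, conditions)
  end

  def can?(action, record)
    @rules.any? { |rule| matches?(rule, action, record) }
  end

  private

  def matches?(rule, action, record)
    return false unless rule.actions.include?(:manage) || rule.actions.include?(action)
    return false unless rule.subject == :all || record.is_a?(rule.subject)
    # A condition naming an attribute the record lacks can never match
    # (the real gem would raise NoMethodError at this point).
    rule.conditions.all? do |attr, expected|
      record.respond_to?(attr) && record.public_send(attr) == expected
    end
  end
end

# The rules as written in the PR: `user:` expands to `user: user`, but the
# records only expose `author`, so owners are never recognised.
class PrAbility < Ability
  def define_rules(user)
    can :read, Post
    can(%i[create destroy], Post, user: user)
    can(:destroy, Comment, user: user)
    can :manage, :all if user.role == 'admin'
  end
end

# Corrected rules: condition key follows the models' author foreign key,
# and the admin check goes through User#admin?.
class FixedAbility < Ability
  def define_rules(user)
    can :read, Post
    can(%i[create destroy], Post, author: user)
    can(:destroy, Comment, author: user)
    can :manage, :all if user.admin?
  end
end

# Constructed users and records; returns a Hash of permission checks.
def demo
  alice = User.new(id: 1, role: 'user')
  bob   = User.new(id: 2, role: 'user')
  admin = User.new(id: 3, role: 'admin')
  sym_admin = User.new(id: 4, role: :admin) # role stored as a symbol, as %i[admin user] invites
  bobs_post    = Post.new(id: 10, author: bob)
  bobs_comment = Comment.new(id: 20, author: bob)

  {
    pr_owner_destroy:    PrAbility.new(bob).can?(:destroy, bobs_post),        # false: `user:` never matches
    pr_admin_destroy:    PrAbility.new(admin).can?(:destroy, bobs_post),      # true: manage :all
    fixed_owner_destroy: FixedAbility.new(bob).can?(:destroy, bobs_post),     # true
    fixed_other_destroy: FixedAbility.new(alice).can?(:destroy, bobs_post),   # false
    fixed_admin_destroy: FixedAbility.new(admin).can?(:destroy, bobs_post),   # true
    fixed_admin_comment: FixedAbility.new(admin).can?(:destroy, bobs_comment), # true
    fixed_read_any:      FixedAbility.new(alice).can?(:read, bobs_post),      # true
    symbol_role_admin:   FixedAbility.new(sym_admin).can?(:destroy, bobs_post) # false: :admin != 'admin'
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The `symbol_role_admin` entry is the case to watch: a user whose role was stored as the symbol `:admin` passes no check at all, which is one way "I added role admin and still cannot delete" shows up when `ROLES` is a symbol list and the ability compares against a string.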
Hi Team,
Your project is complete! There is nothing else to say other than... it's time to merge it
Congratulations! 🎉
Cheers and Happy coding!👏👏👏
Feel free to leave any questions or comments in the PR thread if something is not 100% clear.
Please, remember to tag me in your question so I can receive the notification.
As described in the Code reviews limits policy you have a limited number of reviews per project (check the exact number in your Dashboard). If you think that the code review was not fair, you can request a second opinion using this form.
Hi 👋
For this PR we: