Homework6 blog on rails authentication

Gemfile

@@ -34,7 +34,7 @@ gem 'jbuilder'
 # gem "kredis"
 
 # Use Active Model has_secure_password [https://guides.rubyonrails.org/active_model_basics.html#securepassword]
-# gem "bcrypt", "~> 3.1.7"
+gem "bcrypt", "~> 3.1.7"
 
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: %i[mingw mswin x64_mingw jruby]
@@ -48,14 +48,13 @@ gem 'sassc-rails'
 # Use Active Storage variants [https://guides.rubyonrails.org/active_storage_overview.html#transforming-images]
 # gem "image_processing", "~> 1.2"
 
-gem 'bootstrap', '~> 5.1.3'
+gem 'cancancan'
 
 group :development, :test do
   # See https://guides.rubyonrails.org/debugging_rails_applications.html#debugging-with-the-debug-gem
   gem 'debug', platforms: %i[mri mingw x64_mingw]
 
-  gem 'cowsay'
-  gem 'faker'
+  gem 'byebug'
 end
 
 group :development do
@@ -68,5 +67,7 @@ group :development do
   # Speed up commands on slow machines / big apps [https://github.com/rails/spring]
   # gem "spring"
 
-  gem 'byebug'
-end
+  gem 'cowsay'
+  gem 'faker'
+  gem 'pry-rails', '~> 0.3.9'
+end

Gemfile.lock

@@ -66,17 +66,14 @@ GEM
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
-    autoprefixer-rails (10.4.2.0)
-      execjs (~> 2)
+    bcrypt (3.1.17)
     bindex (0.8.1)
     bootsnap (1.11.1)
       msgpack (~> 1.2)
-    bootstrap (5.1.3)
-      autoprefixer-rails (>= 9.1.0)
-      popper_js (>= 2.9.3, < 3)
-      sassc-rails (>= 2.0.0)
     builder (3.2.4)
     byebug (11.1.3)
+    cancancan (3.3.0)
+    coderay (1.1.3)
     concurrent-ruby (1.1.10)
     cowsay (0.3.0)
     crass (1.0.6)
@@ -85,7 +82,6 @@ GEM
       reline (>= 0.2.7)
     digest (3.1.0)
     erubi (1.10.0)
-    execjs (2.8.1)
     faker (2.20.0)
       i18n (>= 1.8.11, < 2)
     ffi (1.15.5)
@@ -132,7 +128,11 @@ GEM
     nokogiri (1.13.3-x86_64-linux)
       racc (~> 1.4)
     pg (1.3.4)
-    popper_js (2.9.3)
+    pry (0.14.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    pry-rails (0.3.9)
+      pry (>= 0.10.4)
     puma (5.6.2)
       nio4r (~> 2.0)
     racc (1.6.0)
@@ -208,15 +208,17 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
+  bcrypt (~> 3.1.7)
   bootsnap
-  bootstrap (~> 5.1.3)
   byebug
+  cancancan
   cowsay
   debug
   faker
   importmap-rails
   jbuilder
   pg (~> 1.1)
+  pry-rails (~> 0.3.9)
   puma (~> 5.0)
   rails (~> 7.0.2, >= 7.0.2.3)
   sassc-rails

app/assets/stylesheets/user.css

@@ -0,0 +1,51 @@
+/* SignUp/SignIn/User form views */
+.user-form,
+.change-password-link,
+.signup-form,
+.signin-form {
+  padding: 15px;
+  margin: 10px 0;
+}
+
+.user-form > .input-group,
+.signup-form > .input-group,
+.signin-form > .input-group {
+  display: flex;
+  flex-direction: column;
+}
+
+.user-form > .input-group > .field_with_errors,
+.signup-form > .input-group > .field_with_errors {
+  display: flex;
+  width: 100%;
+}
+
+.user-form > .input-group > label,
+.signup-form > .input-group > label,
+.signin-form > .input-group > label,
+.user-form > .input-group > .field_with_errors > label,
+.signup-form > .input-group > .field_with_errors > label {
+  margin: 10px 0;
+}
+
+.user-form > .input-group > .field_with_errors > input[type="email"],
+.signup-form > .input-group > .field_with_errors > input[type="email"],
+.signup-form > .input-group > .field_with_errors > input[type="text"] {
+  margin-bottom: 10px;
+  width: 100%;
+}
+
+#user_email,
+#password,
+#new_password_confirmation,
+#user_password_confirmation {
+  margin-bottom: 10px;
+  width: 100%;
+}
+
+.user-form > .input-group > p,
+.signup-form > .input-group > p,
+.signin-form > .input-group > p {
+  margin-bottom: 10px;
+  color: red;
+}

app/controllers/application_controller.rb

@@ -1,2 +1,18 @@
 class ApplicationController < ActionController::Base
+
+  private
+  def authenticated_user!
+    redirect_to new_session_path, {alert: "Please sign in first", status: 303} unless user_signed_in?
+  end
+  helper_method :authenticated_user! 
+
+  def user_signed_in?
+    current_user.present?
+  end
+  helper_method :user_signed_in?
+
+  def current_user
+    @current_user ||= User.find_by_id session[:user_id]
+  end
+  helper_method :current_user
 end

app/controllers/comments_controller.rb

@@ -1,25 +1,37 @@
 class CommentsController < ApplicationController
-    def create
-      @post = Post.find params[:post_id]
-      @comment = Comment.new params.require(:comment).permit(:body)
-      @comment.post = @post
-      if @comment.save
-        redirect_to post_path(@post)
-      else
-        @comments = @post.comments.order(created_at: :desc)
-        render 'posts/show', status: 303
-      end
-    rescue => e
-      redirect_to root_path, alert: e.message
-    end
-
-    def destroy
-      @comment = Comment.find params[:id]
-      @comment.destroy
-      @post = Post.find params[:post_id]
+  before_action :authenticated_user!
+  before_action :find_comment, only: [:destroy]
+  before_action :authorized_user!, only: [:destroy]
+
+  def create
+    @post = Post.find params[:post_id]
+    @comment = Comment.new params.require(:comment).permit(:body)
+    @comment.post = @post
+    @comment.user = current_user
+    if @comment.save
       redirect_to post_path(@post), status: 303
-    rescue => e
-      redirect_to root_path, alert: e.message
+    else
+      @comments = @post.comments.order(created_at: :desc)
+      render 'posts/show', status: 303
     end
+  rescue StandardError => e
+    redirect_to root_path, { alert: e.message, status: 303 }
+  end
+
+  def destroy
+    @comment.destroy
+    redirect_to post_path(@comment.post), status: 303
+  rescue StandardError => e
+    redirect_to root_path, { alert: e.message, status: 303 }
+  end
+
+  private
+
+  def find_comment
+    @comment = Comment.find params[:id]
+  end
+
+  def authorized_user!
+    redirect_to post_path(@comment.post), { status: 303, alert: 'Not authorized' } unless can?(:destroy, @comment)
   end
-  
+end

app/controllers/posts_controller.rb

@@ -1,55 +1,62 @@
-# postsController
 class PostsController < ApplicationController
-    def index
-      @posts = Post.order(created_at: :desc)
-    end
-
-    def show
-      @post = Post.find params[:id]
-      @comment = Comment.new
-      @comments = @post.comments.order(created_at: :desc)
-    rescue StandardError => e
-      redirect_to root_path, alert: e.message
-    end
-
-    def destroy
-      @post = Post.find params[:id]
-      @post.destroy
-      redirect_to posts_path, { notice: 'Post deleted successfully', status: 303 }
-    rescue StandardError => e
-      redirect_to root_path, alert: e.message
-    end
-
-    def new
-      @post = Post.new
-    end
-
-    def create
-      @post = Post.new params.require(:post).permit(:title, :body)
-      if @post.save
-        redirect_to post_path(@post) #{ status: 303, notice: 'Post created successfully' }
-      else
-        render :new, status: 303
-      end
-    end
-
-    def edit
-      @post = Post.find params[:id]
-    rescue StandardError => e
-      redirect_to root_path, alert: e.message
+  before_action :authenticated_user!, except: %i[index show]
+  before_action :find_post, except: %i[index new create]
+  before_action :authorized_user!, only: %i[edit update destroy]
+
+  def index
+    @posts = Post.order(created_at: :desc)
+  end
+
+  def show
+    @comment = Comment.new
+    @comments = @post.comments.order(created_at: :desc)
+  rescue StandardError => e
+    redirect_to root_path, {alert: e.message, status: 303}
+  end
+
+  def destroy
+    @post.destroy
+    redirect_to root_path, { notice: 'Post deleted successfully', status: 303 }
+  rescue StandardError => e
+    redirect_to root_path, {alert: e.message, status: 303}
+  end
+
+  def new
+    @post = Post.new
+  end
+
+  def create
+    @post = Post.new params.require(:post).permit(:title, :body)
+    @post.user = current_user
+    if @post.save
+      redirect_to post_path(@post) # { status: 303, notice: 'Post created successfully' }
+    else
+      render :new, status: 303
     end
-
-    def update
-      @post = Post.find params[:id]
-      puts @post
-      if @post.update params.require(:post).permit(:title, :body)
-        puts @post
-        redirect_to post_path(@post), { status: 303, notice: 'Post updated successfully' }
-      else
-        render :edit, status: 303
-      end
-    rescue StandardError => e
-      redirect_to posts_path, alert: e.message
+  end
+
+  def edit
+  rescue StandardError => e
+    redirect_to root_path, {alert: e.message, status: 303}
+  end
+
+  def update
+    if @post.update params.require(:post).permit(:title, :body)
+      redirect_to post_path(@post), { status: 303, notice: 'Post updated successfully' }
+    else
+      render :edit, status: 303
     end
+  rescue StandardError => e
+    redirect_to root_path, {alert: e.message, status: 303}
+  end
+
+  private
+
+  def find_post
+    @post = Post.find params[:id]
+  end
+
+  def authorized_user!
+    redirect_to post_path(@post), { status: 303, alert: 'Not authorized' } unless can?(:crud, @post)
   end
-  
+end

app/controllers/sessions_controller.rb

@@ -0,0 +1,21 @@
+class SessionsController < ApplicationController
+  def new
+
+  end
+
+  def create
+    @user = User.find_by_email params[:email]
+    if @user&.authenticate params[:password]
+      session[:user_id][email protected]
+      redirect_to root_path, status: 303
+    else
+      flash.alert = "User not found"
+      render :new, status: 303
+    end
+  end
+
+  def destroy
+    session[:user_id] = nil
+    redirect_to root_path, status: 303
+  end
+end