fix: interaction policy

abourtnik · Jan 20, 2024 · c1241de · c1241de
1 parent 069becb
commit c1241de
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 5 deletions.
diff --git a/app/Http/Controllers/InteractionController.php b/app/Http/Controllers/InteractionController.php
@@ -18,6 +18,8 @@ private function perform (InteractionRequest $request, $status) : JsonResponse {
 
         $likeable = $model::findOrFail($id);
 
+        $this->authorize('interact', $likeable);
+
         $interaction = $likeable->interactions()->whereRelation('user', 'id', Auth::user()->id)->first();
 
         if ($interaction) {

diff --git a/app/Http/Requests/Interaction/InteractionRequest.php b/app/Http/Requests/Interaction/InteractionRequest.php
@@ -5,7 +5,6 @@
 use App\Models\Comment;
 use App\Models\Video;
 use Illuminate\Foundation\Http\FormRequest;
-use Illuminate\Support\Facades\Auth;
 use Illuminate\Validation\Rule;
 
 class InteractionRequest extends FormRequest
@@ -38,10 +37,8 @@ public function rules() : array
             'id' => [
                 'required',
                 'numeric',
-                Rule::exists((new $model())->getTable(), 'id')->where(function ($query) use ($model) {
-                    return (new $model)->scopePublic($query)->orWhere('user_id', Auth::user()->id);
-                })
-            ],
+                'exists:'.$model.',id',
+            ]
         ];
     }
 }
diff --git a/app/Models/Comment.php b/app/Models/Comment.php
@@ -118,6 +118,13 @@ protected function parsedContent(): Attribute
         );
     }
 
+    protected function isActive(): Attribute
+    {
+        return Attribute::make(
+            get: fn () => !$this->is_banned
+        );
+    }
+
     /**
      * -------------------- SCOPES --------------------
      */

diff --git a/app/Policies/CommentPolicy.php b/app/Policies/CommentPolicy.php
@@ -112,6 +112,20 @@ public function report(User $user, Comment $comment): Response|bool
             : Response::denyWithStatus(403, 'You are not authorized to report this comment');
     }
 
+    /**
+     * Determine whether the user can like/dislike the comment.
+     *
+     * @param  User $user
+     * @param  Comment $comment
+     * @return Response|bool
+     */
+    public function interact(User $user, Comment $comment): Response|bool
+    {
+        return $comment->is_active || $comment->user->is($user)
+            ? Response::allow()
+            : Response::denyWithStatus(403, 'You are not authorized to interact with this comment');
+    }
+
     /**
      * Determine whether the user can pin the model.
      *

diff --git a/app/Policies/VideoPolicy.php b/app/Policies/VideoPolicy.php
@@ -202,4 +202,18 @@ public function unpin(User $user, Video $video): Response|bool
             ? Response::allow()
             : Response::denyWithStatus(403);
     }
+
+    /**
+     * Determine whether the user can like/dislike video.
+     *
+     * @param User $user
+     * @param Video $video
+     * @return Response|bool
+     */
+    public function interact(User $user, Video $video): Response|bool
+    {
+        return $video->is_active || $video->user->is($user)
+            ? Response::allow()
+            : Response::denyWithStatus(403, 'You are not authorized to interact with this video');
+    }
 }