app/controllers/federails/server/activities_controller.rb in federails-0.2.0 vs app/controllers/federails/server/activities_controller.rb in federails-0.3.0

- old
+ new

@@ -1,15 +1,17 @@ require 'fediverse/inbox' module Federails module Server - class ActivitiesController < ServerController + class ActivitiesController < Federails::ServerController before_action :set_activity, only: [:show] # GET /federation/activities # GET /federation/actors/1/outbox.json def outbox + authorize Federails::Activity, policy_class: Federails::Server::ActivityPolicy + @actor = Actor.find_param(params[:actor_id]) @activities = policy_scope(Federails::Activity, policy_scope_class: Federails::Server::ActivityPolicy::Scope).where(actor: @actor).order(created_at: :desc) @total_activities = @activities.count @activities = @activities.page(params[:page]) end @@ -17,10 +19,12 @@ # GET /federation/actors/1/activities/1.json def show; end # POST /federation/actors/1/inbox def create + skip_authorization + payload = payload_from_params return head :unprocessable_entity unless payload if Fediverse::Inbox.dispatch_request(payload) head :created @@ -32,9 +36,10 @@ private # Use callbacks to share common setup or constraints between actions. def set_activity @activity = Actor.find_param(params[:actor_id]).activities.find_param(params[:id]) + authorize @activity, policy_class: Federails::Server::ActivityPolicy end # Only allow a list of trusted parameters through. def activity_params params.fetch(:activity, {})
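Review bot: The `authorize` call added at the top of `outbox` passes no query, so Pundit derives `outbox?` from the action name, and this diff does not show `Federails::Server::ActivityPolicy` defining it. Naming the query makes that dependency visible and greppable: `authorize Federails::Activity, :outbox?, policy_class: Federails::Server::ActivityPolicy`. The check is also made on the class before `@actor` is loaded, so it cannot take the requested actor into account. Per-actor visibility therefore rests entirely on the `policy_scope` call two lines below, which deserves a short comment saying so.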
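Review bot: `skip_authorization` in `create` turns off the Pundit check for the one action that accepts writes from remote servers, and nothing in the hunk shows the sender being verified before `Fediverse::Inbox.dispatch_request(payload)` runs. If HTTP signature verification, and the match between the signer and the payload's actor, happens inside `Fediverse::Inbox` or in a filter on `Federails::ServerController`, record that next to the call, e.g. `# No Pundit check: deliveries come from remote servers; sender authenticity is verified in <component> before dispatch`. If no such verification exists, the action should reject unsigned or mismatched deliveries before dispatching. The rest of `create` lies outside the hunk.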
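Review bot: In `set_activity` the record is loaded through the unscoped `activities` association and only then passed to `authorize`, so a missing activity and a forbidden one take different error paths (record-not-found versus `Pundit::NotAuthorizedError`). Depending on how the latter is rendered, the difference can reveal that an activity hidden by the policy exists. `outbox` already reads through `ActivityPolicy::Scope`; loading through the same scope here would turn both cases into a plain not-found, for example `policy_scope(Federails::Activity, policy_scope_class: Federails::Server::ActivityPolicy::Scope).where(actor: actor).find_param(params[:id])`, with `actor` being the result of `Actor.find_param(params[:actor_id])`. The `authorize @activity, ...` line stays in either case. The query is again implicit (`show?`, since the callback is `only: [:show]`), which a one-line comment on the method should state.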