authorKazuki Yamaguchi <k@rhe.jp>2015-08-08 01:51:22 +0900
committerKazuki Yamaguchi <k@rhe.jp>2015-08-08 01:53:42 +0900
commit0414e78726b26aa224a3d746cc5792dbd19255a9 (patch)
tree7c7633b1ddf206a0e6e493fce60e388f1f3e14e1 /app/controllers/application_controller.rb
parent7cf21dd7e4eadec8a40bf09248835413eb3cc8d5 (diff)
downloadaclog-0414e78726b26aa224a3d746cc5792dbd19255a9.tar.gz
web: refactor permission check
Diffstat (limited to 'app/controllers/application_controller.rb')
-rw-r--r--app/controllers/application_controller.rb27
1 files changed, 13 insertions, 14 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index fe1f1a9..9cc2785 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -6,7 +6,7 @@ class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
helper_method :logged_in?, :current_user
- helper_method :authorized_to_show_user?
+ helper_method :authorized?
def routing_error
raise ActionController::RoutingError, "No route matches #{params[:unmatched_route]}"
@@ -24,24 +24,23 @@ class ApplicationController < ActionController::Base
end
end
- def authorized_to_show_user?(user)
- !user.protected? ||
- (logged_in? && current_user.permitted_to_see?(user))
- end
-
- def authorize!(object)
+ def authorized?(object)
case object
when User
- unless authorized_to_show_user?(object)
- raise(Aclog::Exceptions::UserProtected, object)
- end
+ !object.protected? ||
+ logged_in? &&
+ (object.id == current_user.id ||
+ current_user.account.following?(object))
when Tweet
- authorize! object.user
- when NilClass
- raise Aclog::Exceptions::NotFound
+ authorized?(object.user)
else
- raise ArgumentError, "parameter `object` must be a User or a Tweet"
+ raise ArgumentError, "object must be User or Tweet"
end
+ end
+
+ def authorize!(object)
+ authorized?(object) ||
+ raise(Aclog::Exceptions::UserProtected, object)
object
end
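Review bot: The `when NilClass` arm that raised `Aclog::Exceptions::NotFound` is gone, so `authorize!(nil)` — and a Tweet whose `user` is nil, via the recursive `authorized?(object.user)` — now falls into the `else` branch and raises `ArgumentError`; a missing record would surface as an application error instead of the not-found exception the old code raised. Restoring that case at the top of `authorize!`, `raise Aclog::Exceptions::NotFound if object.nil?`, keeps the previous behaviour while leaving the `authorized?` helper free of it. Also note that `raise(Aclog::Exceptions::UserProtected, object)` now receives the Tweet itself when a tweet is denied, whereas the old recursion passed `object.user`; if the exception or its handler expects a User, that argument should be `object.is_a?(Tweet) ? object.user : object`. The inlined rule `object.id == current_user.id || current_user.account.following?(object)` replaces `current_user.permitted_to_see?(user)`; if that model method still exists elsewhere, the two definitions of the visibility rule may drift apart. The enclosing class continues outside the hunk.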