#2: Implemented track moderation.

app/Commands/EditTrackCommand.php

@@ -20,6 +20,7 @@
 
 namespace Poniverse\Ponyfm\Commands;
 
+use Gate;
 use Poniverse\Ponyfm\Models\Album;
 use Poniverse\Ponyfm\Models\Image;
 use Poniverse\Ponyfm\Models\Track;
@@ -46,9 +47,7 @@ class EditTrackCommand extends CommandBase
      */
     public function authorize()
     {
-        $user = \Auth::user();
+        return $this->_track && Gate::allows('edit', $this->_track);
-
-        return $this->_track && $user != null && $this->_track->user_id == $user->id;
     }
 
     /**

app/Http/Controllers/Api/Web/AlbumsController.php

@@ -30,6 +30,7 @@ use Poniverse\Ponyfm\Models\Image;
 use Poniverse\Ponyfm\Models\ResourceLogItem;
 use Auth;
 use Input;
+use Poniverse\Ponyfm\Models\User;
 use Response;
 use Poniverse\Ponyfm\Models\Track;
 
@@ -140,9 +141,12 @@ class AlbumsController extends ApiControllerBase
             200);
     }
 
-    public function getOwned()
+    public function getOwned($id)
     {
-        $query = Album::summary()->where('user_id', \Auth::user()->id)->orderBy('created_at', 'desc')->get();
+        $user = User::findOrFail($id);
+        $this->authorize('get-albums', $user);
+
+        $query = Album::summary()->where('user_id', $id)->orderBy('created_at', 'desc')->get();
         $albums = [];
         foreach ($query as $album) {
             $albums[] = [

app/Http/Controllers/Api/Web/TracksController.php

@@ -183,9 +183,7 @@ class TracksController extends ApiControllerBase
             return $this->notFound('Track ' . $id . ' not found!');
         }
 
-        if ($track->user_id != Auth::user()->id) {
+        $this->authorize('edit', $track);
-            return $this->notAuthorized();
-        }
 
         return Response::json(Track::mapPrivateTrackShow($track), 200);
     }

app/Http/routes.php

@@ -137,7 +137,8 @@ Route::group(['prefix' => 'api/web'], function() {
         Route::get('/tracks/owned', 'Api\Web\TracksController@getOwned');
         Route::get('/tracks/edit/{id}', 'Api\Web\TracksController@getEdit');
 
-        Route::get('/albums/owned', 'Api\Web\AlbumsController@getOwned');
+        Route::get('/users/{id}/albums', 'Api\Web\AlbumsController@getOwned')->where('id', '\d+');
+//        Route::get('/albums/owned', 'Api\Web\AlbumsController@getOwned');
         Route::get('/albums/edit/{id}', 'Api\Web\AlbumsController@getEdit');
 
         Route::get('/playlists/owned', 'Api\Web\PlaylistsController@getOwned');

app/Models/Track.php

@@ -24,6 +24,7 @@ use Auth;
 use Cache;
 use Config;
 use DB;
+use Gate;
 use Poniverse\Ponyfm\Contracts\Searchable;
 use Poniverse\Ponyfm\Exceptions\TrackFileNotFoundException;
 use Poniverse\Ponyfm\Traits\IndexedInElasticsearchTrait;
@@ -423,8 +424,8 @@ class Track extends Model implements Searchable
             ],
             'user_data' => $userData,
             'permissions' => [
-                'delete' => Auth::check() && Auth::user()->id == $track->user_id,
+                'delete' => Gate::allows('delete', $track),
-                'edit' => Auth::check() && Auth::user()->id == $track->user_id
+                'edit' => Gate::allows('edit', $track)
             ]
         ];
     }

app/Policies/AlbumPolicy.php

@@ -0,0 +1,35 @@
+<?php
+
+/**
+ * Pony.fm - A community for pony fan music.
+ * Copyright (C) 2016 Peter Deltchev
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace Poniverse\Ponyfm\Policies;
+
+use Poniverse\Ponyfm\Models\Album;
+use Poniverse\Ponyfm\Models\User;
+
+class AlbumPolicy
+{
+    public function edit(User $user, Album $album) {
+        return $user->id === $album->user_id || $user->hasRole('admin');
+    }
+
+    public function delete(User $user, Album $album) {
+        return $user->id === $album->user_id || $user->hasRole('admin');
+    }
+}

app/Policies/UserPolicy.php

@@ -0,0 +1,30 @@
+<?php
+
+/**
+ * Pony.fm - A community for pony fan music.
+ * Copyright (C) 2016 Peter Deltchev
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace Poniverse\Ponyfm\Policies;
+
+use Poniverse\Ponyfm\Models\User;
+
+class UserPolicy
+{
+    public function getAlbums(User $userToAuthorize, User $user) {
+        return $userToAuthorize->id === $user->id || $userToAuthorize->hasRole('admin');
+    }
+}

app/Providers/AuthServiceProvider.php

@@ -22,11 +22,14 @@ namespace Poniverse\Ponyfm\Providers;
 
 use Illuminate\Contracts\Auth\Access\Gate as GateContract;
 use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
+use Poniverse\Ponyfm\Models\Album;
 use Poniverse\Ponyfm\Models\Genre;
+use Poniverse\Ponyfm\Policies\AlbumPolicy;
 use Poniverse\Ponyfm\Policies\GenrePolicy;
 use Poniverse\Ponyfm\Policies\TrackPolicy;
 use Poniverse\Ponyfm\Models\Track;
 use Poniverse\Ponyfm\Models\User;
+use Poniverse\Ponyfm\Policies\UserPolicy;
 
 class AuthServiceProvider extends ServiceProvider
 {
@@ -38,6 +41,8 @@ class AuthServiceProvider extends ServiceProvider
     protected $policies = [
         Genre::class => GenrePolicy::class,
         Track::class => TrackPolicy::class,
+        Album::class => AlbumPolicy::class,
+        User::class => UserPolicy::class,
     ];
 
     /**

public/templates/directives/track-editor.html

@@ -71,7 +71,7 @@
                 <a pfm-popup="song-selector" pfm-popup-close-on-click href="#" class="btn btn-small">Show Songs: <strong>{{selectedSongsTitle}}</strong></a>
                 <div id="song-selector" class="pfm-popup">
                     <ul>
-                        <li ng-repeat="song in ::taxonomies.showSongs track by song.id" ng-class="{selected: selectedSongs[song.id]}">
+                        <li ng-repeat="song in taxonomies.showSongs track by song.id" ng-class="{selected: selectedSongs[song.id]}">
                             <a pfm-eat-click href="#" ng-click="toggleSong(song); $event.stopPropagation();">{{::song.title}}</a>
                         </li>
                     </ul>

resources/assets/scripts/app/directives/track-editor.coffee

@@ -127,17 +127,19 @@ module.exports = angular.module('ponyfm').directive 'pfmTrackEditor', () ->
             # ========================================
             #  The part where everything gets loaded!
             # ========================================
-            $.when(
+            tracks.getEdit($scope.trackId, true)
-                albums.refresh(),
+            .then (track)->
-                taxonomies.refresh(),
+                $.when(
-                tracks.getEdit($scope.trackId, true)
+                    albums.refresh(false, track.user_id),
-            ).done (albums, taxonomies, track)->
+                    taxonomies.refresh()
-                # Update album data
+                ).done (albums, taxonomies)->
-                $scope.albums.length = 0
+                    # Update album data
-                albumsDb = {}
+                    $scope.albums.length = 0
-                for album in albums
+                    albumsDb = {}
-                    albumsDb[album.id] = album
+                    for album in albums
-                    $scope.albums.push album
+                        albumsDb[album.id] = album
+                        $scope.albums.push album
+
 
                 # Update track data
 

resources/assets/scripts/app/services/account-albums.coffee

@@ -18,6 +18,9 @@ module.exports = angular.module('ponyfm').factory('account-albums', [
     '$rootScope', '$http'
     ($rootScope, $http) ->
         def = null
+        # the ID of the user whose albums are currently cached
+        currentlyLoadedUserId = null
+
         albums = []
 
         self =
@@ -31,11 +34,12 @@ module.exports = angular.module('ponyfm').factory('account-albums', [
                 $http.get(url).success (album) -> editDef.resolve album
                 editDef.promise()
 
-            refresh: (force) ->
+            refresh: (force = false, user_id = window.pfm.auth.user.id) ->
-                force = force || false
+                return def if !force && def && user_id == currentlyLoadedUserId
-                return def if !force && def
+
                 def = new $.Deferred()
-                $http.get('/api/web/albums/owned').success (ownedAlbums) ->
+                $http.get("/api/web/users/#{user_id}/albums").success (ownedAlbums) ->
+                    currentlyLoadedUserId = user_id
                     def.resolve(ownedAlbums)
                 def.promise()
 

resources/assets/scripts/app/services/taxonomies.coffee

@@ -27,6 +27,7 @@ module.exports = angular.module('ponyfm').factory('taxonomies', [
             genresWithTracks: []
             showSongs: []
             showSongsWithTracks: []
+
             refresh: () ->
                 return def.promise() if def != null