Challenge 3: Conditional View Links — Solution
=begin
Notes:
- policy(comment) looks up the same CommentPolicy class from Challenge 2,
using comment's class name -- the exact same rules the controller's
authorize call enforces are reused here, not re-implemented separately.
- The Edit link only appears for admins or the comment's own author,
matching update?'s logic exactly; the Delete link appears for a
slightly wider group (also including the post's author), matching
destroy?'s more permissive logic.
- Because both checks call into the same policy class the controller
uses, there's no risk of the view showing a link for an action the
controller would actually reject -- a link only appears if the
corresponding authorize call in the controller would also succeed.
- This directly addresses the chapter's warning about Express's typical
view-level permission checks being separate, potentially inconsistent
logic from whatever the route handler itself checks.
=end
<%= comment.body %>
<% if policy(comment).update? %> <%= link_to "Edit", edit_comment_path(comment) %> <% end %> <% if policy(comment).destroy? %> <%= link_to "Delete", comment_path(comment), method: :delete %> <% end %>