Challenge 3: Conditional View Links — Solution

<%= comment.body %>

<% if policy(comment).update? %> <%= link_to "Edit", edit_comment_path(comment) %> <% end %> <% if policy(comment).destroy? %> <%= link_to "Delete", comment_path(comment), method: :delete %> <% end %>
=begin Notes: - policy(comment) looks up the same CommentPolicy class from Challenge 2, using comment's class name -- the exact same rules the controller's authorize call enforces are reused here, not re-implemented separately. - The Edit link only appears for admins or the comment's own author, matching update?'s logic exactly; the Delete link appears for a slightly wider group (also including the post's author), matching destroy?'s more permissive logic. - Because both checks call into the same policy class the controller uses, there's no risk of the view showing a link for an action the controller would actually reject -- a link only appears if the corresponding authorize call in the controller would also succeed. - This directly addresses the chapter's warning about Express's typical view-level permission checks being separate, potentially inconsistent logic from whatever the route handler itself checks. =end