Refactor event_host build logic to clean up setting something as the event host.

rsmithlal · rsmithlal · commit 2e914ffe730e · 2025-08-20T19:13:08.000-02:30
Ensures that the host record is in scope and accessible to the person before assigning it as a host.
diff --git a/app/controllers/better_together/events_controller.rb b/app/controllers/better_together/events_controller.rb
@@ -8,20 +8,32 @@ class EventsController < FriendlyResourceController
       Rails.application.eager_load!
     end
 
+    before_action :build_event_hosts, only: :new
+
     def index
       @draft_events = @events.draft
       @upcoming_events = @events.upcoming
       @past_events = @events.past
     end
 
-    def new
-      @host_id = params[:host_id]
-      @host_type = params[:host_type]
-      super
-    end
-
     protected
 
+    def build_event_hosts
+      return unless params[:host_id].present? && params[:host_type].present?
+
+      host_klass = params[:host_type].safe_constantize
+      return unless host_klass
+
+      policy_scope = Pundit.policy_scope!(current_user, host_klass)
+      host_record = policy_scope.find_by(id: params[:host_id])
+      return unless host_record
+
+      resource_instance.event_hosts.build(
+        host_id: params[:host_id],
+        host_type: params[:host_type]
+      )
+    end
+
     def resource_class
       ::BetterTogether::Event
     end
diff --git a/app/views/better_together/events/_form.html.erb b/app/views/better_together/events/_form.html.erb
@@ -1,11 +1,11 @@
 <%= form_with(model: event, class: 'form', multipart: true, id: dom_id(event, 'form'), local: true, data: { controller: "better_together--form-validation better_together--tabs" }) do |form| %>
-<% if host_id.present? && host_type.present? %>
-	<%= form.fields_for(:event_hosts, (form.object.event_hosts.build(host_id:, host_type:))) do |event_host_fields| %>
-		<%= event_host_fields.hidden_field :host_id %>
-		<%= event_host_fields.hidden_field :host_type %>
-	<% end %>
-<% end %>
-<%= form.hidden_field :creator_id, value: current_person&.id unless form.object.creator_id %>
+  <%= form.fields_for(:event_hosts) do |event_host_fields| %>
+    <%= event_host_fields.hidden_field :host_id %>
+    <%= event_host_fields.hidden_field :host_type %>
+  <% end %>
+
+  <%= form.hidden_field :creator_id, value: current_person&.id unless form.object.creator_id %>
+
   <% content_for :resource_toolbar do %>
     <div class="btn-toolbar mb-3" role="toolbar" aria-label="<%= t('helpers.toolbar.aria_label') %>">
       <div class="btn-group me-2" role="group">
