Merge pull request #3204 from evazion/fix-3203

Fix #3203: Overly restrictive permissions

app/controllers/artists_controller.rb

@@ -1,6 +1,6 @@
 class ArtistsController < ApplicationController
   respond_to :html, :xml, :json
-  before_filter :member_only, :except => [:index, :show, :banned]
+  before_filter :member_only, :except => [:index, :show, :show_or_new, :banned]
   before_filter :builder_only, :only => [:destroy]
   before_filter :admin_only, :only => [:ban, :unban]
   before_filter :load_artist, :only => [:ban, :unban, :show, :edit, :update, :destroy, :undelete]
@@ -93,7 +93,9 @@ class ArtistsController < ApplicationController
     if @artist
       redirect_to artist_path(@artist)
     else
-      redirect_to new_artist_path(:name => params[:name])
+      @artist = Artist.new(name: params[:name])
+      @post_set = PostSets::Artist.new(@artist)
+      respond_with(@artist)
     end
   end
 

app/controllers/bulk_update_requests_controller.rb

@@ -1,6 +1,6 @@
 class BulkUpdateRequestsController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only
+  before_filter :member_only, :except => [:index, :show]
   before_filter :admin_only, :only => [:approve]
   before_filter :load_bulk_update_request, :except => [:new, :create, :index]
 

app/controllers/dmails_controller.rb

@@ -1,6 +1,6 @@
 class DmailsController < ApplicationController
   respond_to :html, :xml, :json
-  before_filter :member_only
+  before_filter :member_only, except: [:index, :show, :destroy, :mark_all_as_read]
 
   def new
     if params[:respond_to_id]

app/controllers/favorites_controller.rb

@@ -1,5 +1,5 @@
 class FavoritesController < ApplicationController
-  before_filter :member_only
+  before_filter :member_only, except: [:index]
   respond_to :html, :xml, :json
   skip_before_filter :api_check
 

app/controllers/forum_posts_controller.rb

@@ -1,6 +1,6 @@
 class ForumPostsController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only, :except => [:index, :show]
+  before_filter :member_only, :except => [:index, :show, :search]
   before_filter :load_post, :only => [:edit, :show, :update, :destroy, :undelete]
   before_filter :check_min_level, :only => [:edit, :show, :update, :destroy, :undelete]
   skip_before_filter :api_check

app/controllers/iqdb_queries_controller.rb

@@ -1,6 +1,5 @@
 # todo: move this to iqdbs
 class IqdbQueriesController < ApplicationController
-  before_filter :member_only
   respond_to :html, :json, :xml
 
   def index

app/controllers/maintenance/user/api_keys_controller.rb

@@ -1,7 +1,6 @@
 module Maintenance
   module User
     class ApiKeysController < ApplicationController
-      before_filter :member_only
       before_filter :check_privilege
       before_filter :authenticate!, :except => [:show]
       rescue_from ::SessionLoader::AuthenticationFailure, :with => :authentication_failed

app/controllers/maintenance/user/dmail_filters_controller.rb

@@ -2,7 +2,6 @@ module Maintenance
   module User
     class DmailFiltersController < ApplicationController
       before_filter :ensure_ownership
-      before_filter :member_only
       respond_to :html, :json, :xml
 
       def edit

app/controllers/notes_controller.rb

@@ -1,6 +1,6 @@
 class NotesController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only, :except => [:index, :show]
+  before_filter :member_only, :except => [:index, :show, :search]
 
   def search
   end

app/controllers/reports_controller.rb

@@ -1,5 +1,5 @@
 class ReportsController < ApplicationController
-  before_filter :member_only
+  before_filter :member_only, :except => [:upload_tags]
   before_filter :gold_only, :only => [:similar_users]
   before_filter :moderator_only, :only => [:post_versions, :post_versions_create]
 

app/controllers/saved_searches_controller.rb

@@ -1,5 +1,4 @@
 class SavedSearchesController < ApplicationController
-  before_filter :member_only
   before_filter :check_availability
   respond_to :html, :xml, :json, :js
   

app/controllers/uploads_controller.rb

@@ -1,5 +1,5 @@
 class UploadsController < ApplicationController
-  before_filter :member_only
+  before_filter :member_only, except: [:index, :show]
   respond_to :html, :xml, :json, :js
 
   def new

app/controllers/users_controller.rb

@@ -1,6 +1,5 @@
 class UsersController < ApplicationController
   respond_to :html, :xml, :json
-  before_filter :member_only, :only => [:edit, :update]
   skip_before_filter :api_check
 
   def new

app/controllers/wiki_pages_controller.rb

@@ -1,6 +1,6 @@
 class WikiPagesController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only, :except => [:index, :show, :show_or_new]
+  before_filter :member_only, :except => [:index, :search, :show, :show_or_new]
   before_filter :builder_only, :only => [:destroy]
   before_filter :normalize_search_params, :only => [:index]
   
@@ -32,6 +32,9 @@ class WikiPagesController < ApplicationController
     end
   end
 
+  def search
+  end
+
   def show
     if params[:id] =~ /\A\d+\Z/
       @wiki_page = WikiPage.find(params[:id])