Merge pull request #2720 from evazion/fix-member-voting

Prevent anon/banned/member users from voting (fix #2719)

app/controllers/application_controller.rb

@@ -133,9 +133,9 @@ protected
     end
   end
 
-  %w(member banned builder gold platinum janitor moderator admin).each do |level|
+  User::Roles.each do |role|
-    define_method("#{level}_only") do
+    define_method("#{role}_only") do
-      if !CurrentUser.user.is_banned_or_ip_banned? && CurrentUser.user.__send__("is_#{level}?")
+      if !CurrentUser.user.is_banned_or_ip_banned? && CurrentUser.user.__send__("is_#{role}?")
         true
       else
         access_denied()
@@ -174,13 +174,4 @@ protected
       Rails.application.config.session_store :cookie_store, :key => '_danbooru_session', :secure => false
     end
   end
-
-  def post_approvers_only
-    if CurrentUser.can_approve_posts?
-      true
-    else
-      access_denied()
-      false
-    end
-  end
 end

app/controllers/moderator/post/approvals_controller.rb

@@ -1,7 +1,7 @@
 module Moderator
   module Post
     class ApprovalsController < ApplicationController
-      before_filter :post_approvers_only
+      before_filter :approver_only
 
       def create
         cookies.permanent[:moderated] = Time.now.to_i

app/controllers/moderator/post/disapprovals_controller.rb

@@ -1,7 +1,7 @@
 module Moderator
   module Post
     class DisapprovalsController < ApplicationController
-      before_filter :post_approvers_only
+      before_filter :approver_only
 
       def create
         cookies.permanent[:moderated] = Time.now.to_i

app/controllers/moderator/post/posts_controller.rb

@@ -1,7 +1,7 @@
 module Moderator
   module Post
     class PostsController < ApplicationController
-      before_filter :post_approvers_only, :only => [:delete, :undelete, :move_favorites, :ban, :unban, :confirm_delete, :confirm_move_favorites, :confirm_ban]
+      before_filter :approver_only, :only => [:delete, :undelete, :move_favorites, :ban, :unban, :confirm_delete, :confirm_move_favorites, :confirm_ban]
       before_filter :admin_only, :only => [:expunge]
       rescue_from ::PostFlag::Error, ::Post::ApprovalError, :with => :rescue_exception
 

app/controllers/moderator/post/queues_controller.rb

@@ -2,7 +2,7 @@ module Moderator
   module Post
     class QueuesController < ApplicationController
       respond_to :html, :json
-      before_filter :post_approvers_only
+      before_filter :approver_only
 
       def show
         cookies.permanent[:moderated] = Time.now.to_i

app/controllers/post_votes_controller.rb

@@ -14,10 +14,4 @@ class PostVotesController < ApplicationController
   rescue PostVote::Error => x
     @error = x
   end
-
-protected
-
-  def voter_only
-    CurrentUser.is_voter?
-  end
 end

app/models/ban.rb

@@ -38,7 +38,7 @@ class Ban < ActiveRecord::Base
   end
 
   def initialize_banner_id
-    self.banner_id = CurrentUser.id
+    self.banner_id = CurrentUser.id if self.banner_id.blank?
   end
 
   def user_is_inferior

app/models/user.rb

@@ -16,6 +16,16 @@ class User < ActiveRecord::Base
     ADMIN = 50
   end
 
+  # Used for `before_filter :<role>_only`. Must have a corresponding `is_<role>?` method.
+  Roles = Levels.constants.map(&:downcase) + [
+    :anonymous,
+    :banned,
+    :approver,
+    :voter,
+    :super_voter,
+    :verified,
+  ]
+
   BOOLEAN_ATTRIBUTES = %w(
     is_banned
     has_mail
@@ -384,6 +394,10 @@ class User < ActiveRecord::Base
       true
     end
 
+    def is_blocked?
+      is_banned?
+    end
+
     def is_builder?
       level >= Levels::BUILDER
     end
@@ -416,6 +430,10 @@ class User < ActiveRecord::Base
       is_gold? || is_super_voter?
     end
 
+    def is_approver?
+      can_approve_posts?
+    end
+
     def create_mod_action
       if level_changed?
         ModAction.create(:description => %{"#{name}":/users/#{id} level changed #{level_string_was} -> #{level_string}})

test/factories/ban.rb

@@ -1,5 +1,6 @@
 FactoryGirl.define do
   factory(:ban) do |f|
+    banner :factory => :admin_user
     reason {FFaker::Lorem.words.join(" ")}
     duration 60
   end

test/factories/user.rb

@@ -13,7 +13,11 @@ FactoryGirl.define do
 
     factory(:banned_user) do
       is_banned true
-      ban {|x| x.association(:ban)}
+      after(:create) { |user| create(:ban, user: user) }
+    end
+
+    factory(:member_user) do
+      level 20
     end
 
     factory(:gold_user) do

test/functional/post_votes_controller_test.rb

@@ -15,6 +15,34 @@ class PostVotesControllerTest < ActionController::TestCase
     end
 
     context "create action" do
+      should "not allow anonymous users to vote" do
+        p1 = FactoryGirl.create(:post)
+        post :create, {:post_id => p1.id, :score => "up", :format => "js"}
+
+        assert_response 403
+        assert_equal(0, p1.reload.score)
+      end
+
+      should "not allow banned users to vote" do
+        CurrentUser.scoped(FactoryGirl.create(:banned_user)) do
+          p1 = FactoryGirl.create(:post)
+          post :create, {:post_id => p1.id, :score => "up", :format => "js"}, {:user_id => CurrentUser.id}
+
+          assert_response 403
+          assert_equal(0, p1.reload.score)
+        end
+      end
+
+      should "not allow members to vote" do
+        CurrentUser.scoped(FactoryGirl.create(:member_user)) do
+          p1 = FactoryGirl.create(:post)
+          post :create, {:post_id => p1.id, :score => "up", :format => "js"}, {:user_id => CurrentUser.id}
+
+          assert_response 403
+          assert_equal(0, p1.reload.score)
+        end
+      end
+
       should "increment a post's score if the score is positive" do
         post :create, {:post_id => @post.id, :score => "up", :format => "js"}, {:user_id => @user.id}
         assert_response :success