uploads: only let users see their own uploads on /uploads listing.

2020-04-06 14:12:57 -05:00
parent b2ee1f0766
commit 1e0f6f730a
4 changed files with 17 additions and 3 deletions
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -25,7 +25,7 @@ class UploadsController < ApplicationController
  end

  def index
-    @uploads = authorize Upload.paginated_search(params, count_pages: true)
+    @uploads = authorize Upload.visible(CurrentUser.user).paginated_search(params, count_pages: true)
    @uploads = @uploads.includes(:uploader, post: :uploader) if request.format.html?

    respond_with(@uploads)
--- a/app/models/upload.rb
+++ b/app/models/upload.rb
@@ -82,6 +82,16 @@ class Upload < ApplicationRecord
    where("created_at < ?", date).lock.destroy_all
  end

+  def self.visible(user)
+    if user.is_admin?
+      all
+    elsif user.is_member?
+      where(uploader: user)
+    else
+      none
+    end
+  end
+
  module FileMethods
    def is_image?
      %w(jpg gif png).include?(file_ext)
--- a/app/policies/upload_policy.rb
+++ b/app/policies/upload_policy.rb
@@ -1,4 +1,8 @@
 class UploadPolicy < ApplicationPolicy
+  def show?
+    user.is_admin? || record.uploader_id == user.id
+  end
+
  def batch?
    unbanned?
  end
--- a/test/functional/uploads_controller_test.rb
+++ b/test/functional/uploads_controller_test.rb
@@ -157,10 +157,10 @@ class UploadsControllerTest < ActionDispatch::IntegrationTest
            server: @upload.server
          }

-          get uploads_path, params: { search: search_params }
+          get_auth uploads_path, @user, params: { search: search_params }
          assert_response :success

-          get uploads_path(format: :json), params: { search: search_params }
+          get_auth uploads_path(format: :json), @user, params: { search: search_params }
          assert_response :success
          assert_equal(@upload.id, response.parsed_body.first["id"])
        end