From 1e0f6f730a4111eb6f28b305a118077218661a1a Mon Sep 17 00:00:00 2001
From: evazion
Date: Mon, 6 Apr 2020 14:12:57 -0500
Subject: [PATCH] uploads: only let users see their own uploads on /uploads listing.
---
 app/controllers/uploads_controller.rb | 2 +-
 app/models/upload.rb | 10 ++++++++++
 app/policies/upload_policy.rb | 4 ++++
 test/functional/uploads_controller_test.rb | 4 ++--
 4 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index cb802f057..d99d58125 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -25,7 +25,7 @@ class UploadsController < ApplicationController
 end
 def index
- @uploads = authorize Upload.paginated_search(params, count_pages: true)
+ @uploads = authorize Upload.visible(CurrentUser.user).paginated_search(params, count_pages: true)
 @uploads = @uploads.includes(:uploader, post: :uploader) if request.format.html?
 respond_with(@uploads)
diff --git a/app/models/upload.rb b/app/models/upload.rb
index f5e812d86..d5df336c4 100644
--- a/app/models/upload.rb
+++ b/app/models/upload.rb
@@ -82,6 +82,16 @@ class Upload < ApplicationRecord
 where("created_at < ?", date).lock.destroy_all
 end
+ def self.visible(user)
+ if user.is_admin?
+ all
+ elsif user.is_member?
+ where(uploader: user)
+ else
+ none
+ end
+ end
+
 module FileMethods
 def is_image?
 %w(jpg gif png).include?(file_ext)
diff --git a/app/policies/upload_policy.rb b/app/policies/upload_policy.rb
index fa49fb7ad..66b5d5ff1 100644
--- a/app/policies/upload_policy.rb
+++ b/app/policies/upload_policy.rb
@@ -1,4 +1,8 @@
 class UploadPolicy < ApplicationPolicy
+ def show?
+ user.is_admin? || record.uploader_id == user.id
+ end
+
 def batch?
 unbanned?
 end
diff --git a/test/functional/uploads_controller_test.rb b/test/functional/uploads_controller_test.rb
index 430716a28..69ac6dcda 100644
--- a/test/functional/uploads_controller_test.rb
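Review bot: The new visibility rule is now stated twice — `Upload.visible` in this upload.rb hunk and `UploadPolicy#show?` in the upload_policy.rb hunk — and the two versions already disagree: `visible` returns `none` for any user who is not `is_member?`, while `show?` grants access to any non-admin whose id matches `uploader_id` with no membership check. If a non-member can own an upload (not visible from this patch), that user can open it directly but never finds it in the listing, and every later tweak to one place risks widening the gap. Pick one as the source of truth; the smallest change is to restate the same condition in the policy, `user.is_admin? || (user.is_member? && record.uploader_id == user.id)`, so the index scope and the per-record check cannot drift apart. The enclosing `Upload` class and `UploadPolicy` class both continue outside their hunks.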
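Review bot: `record.uploader_id == user.id` in the added `show?` evaluates to true when both sides are nil, so if `uploader_id` is nullable, or `user` can be an unsaved anonymous user whose `id` is nil, the equality passes for the wrong reason and grants a record to nobody in particular. Unless the schema already guarantees a non-null `uploader_id` and a persisted current user (neither is visible in the hunk), guard the comparison: `user.is_admin? || (user.id.present? && record.uploader_id == user.id)`. Whether other actions in `UploadPolicy` (edit/update/destroy, if they exist) should follow the same owner-or-admin rule cannot be judged from the hunk, which shows only `show?` and `batch?`.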
+++ b/test/functional/uploads_controller_test.rb
@@ -157,10 +157,10 @@ class UploadsControllerTest < ActionDispatch::IntegrationTest
 server: @upload.server
 }
- get uploads_path, params: { search: search_params }
+ get_auth uploads_path, @user, params: { search: search_params }
 assert_response :success
- get uploads_path(format: :json), params: { search: search_params }
+ get_auth uploads_path(format: :json), @user, params: { search: search_params }
 assert_response :success
 assert_equal(@upload.id, response.parsed_body.first["id"])
 end
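Review bot: The updated test only exercises the positive path — `@user` fetching a listing that contains their own `@upload` — so the restriction this commit introduces has no negative coverage: nothing asserts that a second member's upload is absent from `response.parsed_body`, that an unauthenticated `get uploads_path` now yields an empty listing (or whichever response `authorize` is meant to produce for it), or that an admin still sees every upload. One JSON request as a different, upload-less member asserting `assert_equal([], response.parsed_body)` would pin the behaviour; a companion case for an admin would pin the `all` branch. The `should` block these lines belong to opens before the hunk, so the setup of `@user` and `@upload` is not visible here.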