uploads: only let users see their own uploads on /uploads listing.

app/controllers/uploads_controller.rb

@@ -25,7 +25,7 @@ class UploadsController < ApplicationController
   end
 
   def index
-    @uploads = authorize Upload.paginated_search(params, count_pages: true)
+    @uploads = authorize Upload.visible(CurrentUser.user).paginated_search(params, count_pages: true)
     @uploads = @uploads.includes(:uploader, post: :uploader) if request.format.html?
 
     respond_with(@uploads)

app/models/upload.rb

@@ -82,6 +82,16 @@ class Upload < ApplicationRecord
     where("created_at < ?", date).lock.destroy_all
   end
 
+  def self.visible(user)
+    if user.is_admin?
+      all
+    elsif user.is_member?
+      where(uploader: user)
+    else
+      none
+    end
+  end
+
   module FileMethods
     def is_image?
       %w(jpg gif png).include?(file_ext)

app/policies/upload_policy.rb

@@ -1,4 +1,8 @@
 class UploadPolicy < ApplicationPolicy
+  def show?
+    user.is_admin? || record.uploader_id == user.id
+  end
+
   def batch?
     unbanned?
   end

test/functional/uploads_controller_test.rb

@@ -157,10 +157,10 @@ class UploadsControllerTest < ActionDispatch::IntegrationTest
             server: @upload.server
           }
 
-          get uploads_path, params: { search: search_params }
+          get_auth uploads_path, @user, params: { search: search_params }
           assert_response :success
 
-          get uploads_path(format: :json), params: { search: search_params }
+          get_auth uploads_path(format: :json), @user, params: { search: search_params }
           assert_response :success
           assert_equal(@upload.id, response.parsed_body.first["id"])
         end