diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 7634984a9..a493bf9a3 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -4,7 +4,7 @@ class SessionsController < ApplicationController end def create - session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], params[:remember]) + session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], params[:remember], request.ssl?) if session_creator.authenticate url = params[:url] if params[:url] && params[:url].start_with?("/") diff --git a/app/controllers/tag_alias_corrections_controller.rb b/app/controllers/tag_alias_corrections_controller.rb index 1320fe993..cdfa7d7fa 100644 --- a/app/controllers/tag_alias_corrections_controller.rb +++ b/app/controllers/tag_alias_corrections_controller.rb @@ -1,5 +1,5 @@ class TagAliasCorrectionsController < ApplicationController - before_filter :moderator_only + before_filter :janitor_only def create @correction = TagAliasCorrection.new(params[:tag_alias_id]) diff --git a/app/controllers/tag_aliases_controller.rb b/app/controllers/tag_aliases_controller.rb index 735f41ead..59b69e771 100644 --- a/app/controllers/tag_aliases_controller.rb +++ b/app/controllers/tag_aliases_controller.rb @@ -1,5 +1,5 @@ class TagAliasesController < ApplicationController - before_filter :admin_only, :only => [:approve, :destroy, :new, :create] + before_filter :admin_only, :only => [:approve, :new, :create] respond_to :html, :xml, :json, :js def new 
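Review bot: The new `request.ssl?` argument on the `SessionCreator.new` line is what decides whether the remember-me cookies get the secure flag, and behind a TLS-terminating proxy it is only true when the proxy forwards the scheme (Rack derives it from `X-Forwarded-Proto` and related headers); if that header is not forwarded the flag is silently never applied. Worth confirming for the deployment, or recording at the call site with `# secure cookies only when Rack sees HTTPS (X-Forwarded-Proto from the proxy)`. The call now carries six positional arguments ending in two booleans; if the Ruby version in use allows it, `remember:` and `secure:` keyword parameters on SessionCreator would make the call self-describing. `create`'s body continues past the end of the hunk.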
@@ -32,10 +32,14 @@ class TagAliasesController < ApplicationController def destroy @tag_alias = TagAlias.find(params[:id]) - @tag_alias.update_column(:status, "deleted") - @tag_alias.clear_all_cache - @tag_alias.destroy - respond_with(@tag_alias, :location => tag_aliases_path) + if @tag_alias.deletable_by?(CurrentUser.user) + @tag_alias.update_column(:status, "deleted") + @tag_alias.clear_all_cache + @tag_alias.destroy + respond_with(@tag_alias, :location => tag_aliases_path) + else + access_denied + end end def approve diff --git a/app/controllers/tag_implications_controller.rb b/app/controllers/tag_implications_controller.rb index 49079634a..f738b1c73 100644 --- a/app/controllers/tag_implications_controller.rb +++ b/app/controllers/tag_implications_controller.rb @@ -1,5 +1,5 @@ class TagImplicationsController < ApplicationController - before_filter :admin_only, :only => [:new, :create, :approve, :destroy] + before_filter :admin_only, :only => [:new, :create, :approve] respond_to :html, :xml, :json, :js def new @@ -24,12 +24,16 @@ class TagImplicationsController < ApplicationController def destroy @tag_implication = TagImplication.find(params[:id]) - @tag_implication.destroy - respond_with(@tag_implication) do |format| - format.html do - flash[:notice] = "Tag implication was deleted" - redirect_to(tag_implications_path) + if @tag_implication.deletable_by?(CurrentUser.user) + @tag_implication.destroy + respond_with(@tag_implication) do |format| + format.html do + flash[:notice] = "Tag implication was deleted" + redirect_to(tag_implications_path) + end end + else + access_denied end end diff --git a/app/logical/post_query_builder.rb b/app/logical/post_query_builder.rb index 9fdeb3bd2..8065305bc 100644 --- a/app/logical/post_query_builder.rb +++ b/app/logical/post_query_builder.rb 
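Review bot: `deletable_by?(CurrentUser.user)` is now the only gate on `destroy` (the `:destroy` entry was dropped from `admin_only` in this controller's `before_filter` hunk), and it calls `user.is_admin?` on whatever `CurrentUser.user` holds; if that can be nil for a logged-out request, the action raises NoMethodError instead of reaching `access_denied`. If a login check still covers `destroy` outside the hunk this is fine; otherwise a `return access_denied unless CurrentUser.user` guard before the `if` closes it. The same applies to the `TagImplicationsController#destroy` hunk below. In this branch the `update_column(:status, "deleted")` / `clear_all_cache` / `destroy` sequence is now four statements inside the `if`; moving it into a model method (something like `@tag_alias.destroy_with_cleanup`) would leave the controller with only the authorization decision.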
@@ -276,8 +276,6 @@ class PostQueryBuilder if q[:order] == "rank" relation = relation.where("posts.score > 0 and posts.created_at >= ?", 2.days.ago) - elsif q[:order] == "rank2" - relation = relation.where("posts.fav_count > 0 and posts.created_at >= ?", 2.days.ago) elsif q[:order] == "landscape" || q[:order] == "portrait" relation = relation.where("posts.image_width IS NOT NULL and posts.image_height IS NOT NULL") end @@ -336,9 +334,6 @@ class PostQueryBuilder when "rank" relation = relation.order("log(3, posts.score) + (extract(epoch from posts.created_at) - extract(epoch from timestamp '2005-05-24')) / 45000 DESC") - when "rank2" - relation = relation.order("log(3, posts.fav_count) + (extract(epoch from posts.created_at) - extract(epoch from timestamp '2005-05-24')) / 45000 DESC") - else relation = relation.order("posts.id DESC") end diff --git a/app/logical/session_creator.rb b/app/logical/session_creator.rb index 4230a6037..4ce44e334 100644 --- a/app/logical/session_creator.rb +++ b/app/logical/session_creator.rb @@ -1,12 +1,13 @@ class SessionCreator - attr_reader :session, :cookies, :name, :password, :remember + attr_reader :session, :cookies, :name, :password, :remember, :secure - def initialize(session, cookies, name, password, remember) + def initialize(session, cookies, name, password, remember = false, secure = false) @session = session @cookies = cookies @name = name @password = password @remember = remember + @secure = secure end def authenticate @@ -15,8 +16,15 @@ class SessionCreator user.update_column(:last_logged_in_at, Time.now) if remember.present? - cookies.permanent.signed[:user_name] = user.name - cookies.permanent[:password_hash] = user.bcrypt_cookie_password_hash + cookies.permanent.signed[:user_name] = { + :value => user.name, + :secure => secure + } + cookies.permanent[:password_hash] = { + :value => user.bcrypt_cookie_password_hash, + :secure => secure, + :httponly => true + } end session[:user_id] = user.id 
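Review bot: The new `:user_name` cookie hash sets `:secure => secure` but not `:httponly => true`, while the `:password_hash` cookie written two statements later gets both; the two cookies are set together on the remember-me path, so giving the signed user_name cookie `:httponly => true` as well keeps the whole persistent-login pair out of reach of page scripts (unless client-side code reads it, which nothing in the hunk shows). Separately, `secure` defaults to `false` in the new `initialize` signature in the previous hunk, so a caller that omits the argument gets non-secure persistent cookies with no signal; a comment such as `# secure: pass request.ssl? so remember-me cookies are never sent over plain HTTP` on that parameter would document the expectation. `authenticate` begins before this hunk and continues past it.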
diff --git a/app/logical/user_deletion.rb b/app/logical/user_deletion.rb index 45bf1ce10..561484713 100644 --- a/app/logical/user_deletion.rb +++ b/app/logical/user_deletion.rb @@ -3,10 +3,12 @@ class UserDeletion attr_reader :user, :password - def self.remove_favorites_for(user_name, user_id) + def self.remove_favorites_for(user_id) user = User.find(user_id) - Post.raw_tag_match("fav:#{user_id}").find_each do |post| - Favorite.remove(post, user) + Post.without_timeout do + Post.raw_tag_match("fav:#{user_id}").find_each do |post| + Favorite.remove(post, user) + end end end @@ -56,7 +58,7 @@ private end def remove_favorites - UserDeletion.delay(:queue => "default").remove_favorites_for(user.name, user.id) + UserDeletion.delay(:queue => "default").remove_favorites_for(user.id) end def rename diff --git a/app/models/tag_alias.rb b/app/models/tag_alias.rb index d12575927..c4052aceb 100644 --- a/app/models/tag_alias.rb +++ b/app/models/tag_alias.rb @@ -163,4 +163,11 @@ class TagAlias < ActiveRecord::Base end end end + + def deletable_by?(user) + return true if user.is_admin? + return true if is_pending? && user.is_janitor? + return true if is_pending? && user.id == creator_id + return false + end end diff --git a/app/models/tag_implication.rb b/app/models/tag_implication.rb index ad38b8e35..a0910f7c0 100644 --- a/app/models/tag_implication.rb +++ b/app/models/tag_implication.rb @@ -164,4 +164,11 @@ class TagImplication < ActiveRecord::Base clear_parent_cache clear_descendants_cache end + + def deletable_by?(user) + return true if user.is_admin? + return true if is_pending? && user.is_janitor? + return true if is_pending? && user.id == creator_id + return false + end end diff --git a/app/views/artist_versions/_secondary_links.html.erb b/app/views/artist_versions/_secondary_links.html.erb index 617172378..ccd6c1fcd 100644 --- a/app/views/artist_versions/_secondary_links.html.erb +++ b/app/views/artist_versions/_secondary_links.html.erb 
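Review bot: `remove_favorites_for` drops its `user_name` parameter, but the method is invoked through `UserDeletion.delay(:queue => "default")`, so any job already serialized in the queue with the old two-argument call will raise ArgumentError when a worker picks it up after this is deployed. Accepting the old shape for one release avoids that: `def self.remove_favorites_for(*args)` with `user_id = args.last` and a `# TODO: restore the single-argument signature once pre-deploy jobs have drained` comment. What `Post.without_timeout` does is not visible here; presumably it lifts a statement timeout for the long `find_each` loop, and a one-line comment saying so would help the next reader.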
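Review bot: In `deletable_by?`, `user.id == creator_id` is true when both sides are nil, so if the user object passed for a logged-out request carries a nil id and any pending alias has a nil `creator_id`, that branch grants deletion; `return true if is_pending? && creator_id.present? && user.id == creator_id` removes the ambiguity without changing the intended rule. The method is also copied verbatim into `TagImplication` in the next hunk; a shared module included by both models would keep the two rules from drifting. Stylistically the four `return` lines collapse to one expression, `user.is_admin? || (is_pending? && (user.is_janitor? || user.id == creator_id))`, which reads as the policy it encodes.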
@@ -1,6 +1,6 @@ <% content_for(:secondary_links) do %> -
  • <%= link_to "Artists", artists_path %>
  • +
  • <%= link_to "Listing", artists_path %>
  • <%= link_to "New", new_artist_path %>
  • <%= link_to "Search", search_artist_versions_path %>
  • diff --git a/app/views/post_versions/_secondary_links.html.erb b/app/views/post_versions/_secondary_links.html.erb index 57dfff376..3fc65c84a 100644 --- a/app/views/post_versions/_secondary_links.html.erb +++ b/app/views/post_versions/_secondary_links.html.erb @@ -1,6 +1,6 @@ <% content_for(:secondary_links) do %> -
  • <%= link_to "Posts", posts_path %>
  • +
  • <%= link_to "Listing", posts_path %>
  • <%= link_to "Upload", new_upload_path %>
  • <%= link_to "Search", search_post_versions_path %>
  • <%= link_to "Changes", post_versions_path %>
  • diff --git a/app/views/tag_aliases/index.html.erb b/app/views/tag_aliases/index.html.erb index de5050b00..f64c44fc2 100644 --- a/app/views/tag_aliases/index.html.erb +++ b/app/views/tag_aliases/index.html.erb @@ -32,16 +32,16 @@ <%= tag_alias.status %> - <% if CurrentUser.is_admin? %> + <% if tag_alias.deletable_by?(CurrentUser.user) %> <%= link_to "Delete", tag_alias_path(tag_alias), :remote => true, :method => :delete, :confirm => "Are you sure you want to delete this alias?" %> + <% end %> - <% if tag_alias.is_pending? %> - | <%= link_to "Approve", approve_tag_alias_path(tag_alias), :remote => true, :method => :post %> - <% end %> + <% if CurrentUser.is_admin? && tag_alias.is_pending? %> + | <%= link_to "Approve", approve_tag_alias_path(tag_alias), :remote => true, :method => :post %> + <% end %> - <% if CurrentUser.is_moderator? %> - | <%= link_to "Fix", tag_alias_correction_path(:tag_alias_id => tag_alias.id) %> - <% end %> + <% if CurrentUser.is_janitor? %> + | <%= link_to "Fix", tag_alias_correction_path(:tag_alias_id => tag_alias.id) %> <% end %> diff --git a/app/views/tag_implications/index.html.erb b/app/views/tag_implications/index.html.erb index 908227421..68421cfc2 100644 --- a/app/views/tag_implications/index.html.erb +++ b/app/views/tag_implications/index.html.erb @@ -30,11 +30,11 @@ <%= tag_implication.status %> - <% if CurrentUser.is_admin? %> + <% if tag_implication.deletable_by?(CurrentUser.user) %> <%= link_to "Delete", tag_implication_path(tag_implication), :remote => true, :method => :delete, :confirm => "Are you sure you want to delete this implication?" %> - <% if tag_implication.is_pending? %> - | <%= link_to "Approve", approve_tag_implication_path(tag_implication), :remote => true, :method => :post %> - <% end %> + <% end %> + <% if CurrentUser.user.is_admin? && tag_implication.is_pending? %> + | <%= link_to "Approve", approve_tag_implication_path(tag_implication), :remote => true, :method => :post %> <% end %>
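Review bot: The two index views spell the same check differently: `tag_aliases/index.html.erb` gates Approve on `CurrentUser.is_admin?` while `tag_implications/index.html.erb` uses `CurrentUser.user.is_admin?`, and both pass `CurrentUser.user` to `deletable_by?`. Presumably `CurrentUser` delegates `is_admin?` to the user, but settling on one form (`CurrentUser.user.is_admin?` matches the `deletable_by?` call beside it) keeps the two templates greppable as a single rule. The link visibility here is presentation only; `approve` stays behind `admin_only` in the controller hunks and `destroy` behind the model's `deletable_by?`, so the view and controller conditions now agree, which is the right shape.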