favorites: convert user.hide_favorites? to pundit.
@@ -852,31 +852,30 @@ class PostQueryBuilder
|
|||||||
when "-fav"
|
when "-fav"
|
||||||
favuser = User.find_by_name(g2)
|
favuser = User.find_by_name(g2)
|
||||||
|
|
||||||
if favuser.hide_favorites?
|
if favuser.nil? || !Pundit.policy!([CurrentUser.user, nil], favuser).can_see_favorites?
|
||||||
raise User::PrivilegeError.new
|
raise User::PrivilegeError
|
||||||
end
|
end
|
||||||
|
|
||||||
q[:tags][:exclude] << "fav:#{User.name_to_id(g2)}"
|
q[:tags][:exclude] << "fav:#{favuser.id}"
|
||||||
|
|
||||||
when "fav"
|
when "fav"
|
||||||
favuser = User.find_by_name(g2)
|
favuser = User.find_by_name(g2)
|
||||||
|
|
||||||
if favuser.hide_favorites?
|
if favuser.nil? || !Pundit.policy!([CurrentUser.user, nil], favuser).can_see_favorites?
|
||||||
raise User::PrivilegeError.new
|
raise User::PrivilegeError
|
||||||
end
|
end
|
||||||
|
|
||||||
q[:tags][:related] << "fav:#{User.name_to_id(g2)}"
|
q[:tags][:related] << "fav:#{favuser.id}"
|
||||||
|
|
||||||
when "ordfav"
|
when "ordfav"
|
||||||
user_id = User.name_to_id(g2)
|
favuser = User.find_by_name(g2)
|
||||||
favuser = User.find(user_id)
|
|
||||||
|
|
||||||
if favuser.hide_favorites?
|
if favuser.nil? || !Pundit.policy!([CurrentUser.user, nil], favuser).can_see_favorites?
|
||||||
raise User::PrivilegeError.new
|
raise User::PrivilegeError.new
|
||||||
end
|
end
|
||||||
|
|
||||||
q[:tags][:related] << "fav:#{user_id}"
|
q[:tags][:related] << "fav:#{favuser.id}"
|
||||||
q[:ordfav] = user_id
|
q[:ordfav] = favuser.id
|
||||||
|
|
||||||
when "search"
|
when "search"
|
||||||
q[:saved_searches] ||= []
|
q[:saved_searches] ||= []
|
||||||
|
|||||||
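Review bot: The `ordfav` branch still raises with `raise User::PrivilegeError.new` while the `fav` and `-fav` branches in the same hunk were changed to `raise User::PrivilegeError`; the three should agree, `raise User::PrivilegeError`. The guard `favuser.nil? || !Pundit.policy!([CurrentUser.user, nil], favuser).can_see_favorites?` is repeated verbatim three times and could be one private helper, `def check_favorites_visible!(favuser)` / `raise User::PrivilegeError if favuser.nil? || !Pundit.policy!([CurrentUser.user, nil], favuser).can_see_favorites?` / `end`, which would also give a single home for the `[CurrentUser.user, nil]` pundit_user tuple that the recommended-posts and `Post#favorited_users` hunks construct again. The new `favuser.nil?` test maps an unknown user name onto the same 403 as private favorites, whereas the old `User.name_to_id(g2)` path is not visible here; if that conflation is intended, a one-line comment such as `# unknown and private-favorites users both raise so the two cases are indistinguishable to the searcher` would stop the next reader from "fixing" it. The enclosing `case` and method start and end outside the hunk.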
@@ -54,7 +54,7 @@ module RecommenderService
|
|||||||
end
|
end
|
||||||
|
|
||||||
if user.present?
|
if user.present?
|
||||||
raise User::PrivilegeError if user.hide_favorites?
|
raise User::PrivilegeError unless Pundit.policy!([CurrentUser.user, nil], user).can_see_favorites?
|
||||||
max_recommendations = params.fetch(:max_recommendations, user.favorite_count + 500).to_i.clamp(0, 50000)
|
max_recommendations = params.fetch(:max_recommendations, user.favorite_count + 500).to_i.clamp(0, 50000)
|
||||||
recs = RecommenderService.recommend_for_user(user, tags: params[:post_tags_match], limit: max_recommendations)
|
recs = RecommenderService.recommend_for_user(user, tags: params[:post_tags_match], limit: max_recommendations)
|
||||||
elsif post.present?
|
elsif post.present?
|
||||||
|
|||||||
@@ -956,7 +956,9 @@ class Post < ApplicationRecord
|
|||||||
# users who favorited this post, ordered by users who favorited it first
|
# users who favorited this post, ordered by users who favorited it first
|
||||||
def favorited_users
|
def favorited_users
|
||||||
favorited_user_ids = fav_string.scan(/\d+/).map(&:to_i)
|
favorited_user_ids = fav_string.scan(/\d+/).map(&:to_i)
|
||||||
visible_users = User.find(favorited_user_ids).reject(&:hide_favorites?)
|
visible_users = User.find(favorited_user_ids).select do |user|
|
||||||
|
Pundit.policy!([CurrentUser.user, nil], user).can_see_favorites?
|
||||||
|
end
|
||||||
ordered_users = visible_users.index_by(&:id).slice(*favorited_user_ids).values
|
ordered_users = visible_users.index_by(&:id).slice(*favorited_user_ids).values
|
||||||
ordered_users
|
ordered_users
|
||||||
end
|
end
|
||||||
|
|||||||
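Review bot: The comment above `favorited_users` no longer describes what the method returns, since the new `select` block drops every favoriting user whose favorites the current user is not allowed to see. Suggest extending it to `# users who favorited this post, ordered by users who favorited it first; users whose favorites the current user may not see (UserPolicy#can_see_favorites?) are omitted`. The block body is a single predicate, so `select { |user| Pundit.policy!([CurrentUser.user, nil], user).can_see_favorites? }` on one line would match the one-liner style of the surrounding code, though that is a matter of taste. Note that a policy object is built per favoriting user; that mirrors the per-user `hide_favorites?` call it replaces, so there is no regression, but a policy scope on the id list would be the place to look if `fav_string` can be large.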
@@ -673,10 +673,6 @@ class User < ApplicationRecord
|
|||||||
include CountMethods
|
include CountMethods
|
||||||
extend SearchMethods
|
extend SearchMethods
|
||||||
|
|
||||||
def hide_favorites?
|
|
||||||
!CurrentUser.is_admin? && enable_private_favorites? && CurrentUser.user.id != id
|
|
||||||
end
|
|
||||||
|
|
||||||
def initialize_attributes
|
def initialize_attributes
|
||||||
self.enable_post_navigation = true
|
self.enable_post_navigation = true
|
||||||
self.new_post_navigation_layout = true
|
self.new_post_navigation_layout = true
|
||||||
|
|||||||
@@ -23,6 +23,10 @@ class UserPolicy < ApplicationPolicy
|
|||||||
user.is_member?
|
user.is_member?
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def can_see_favorites?
|
||||||
|
user.is_admin? || record.id == user.id || !record.enable_private_favorites?
|
||||||
|
end
|
||||||
|
|
||||||
def permitted_attributes_for_create
|
def permitted_attributes_for_create
|
||||||
[:name, :password, :password_confirmation, { email_address_attributes: [:address] }]
|
[:name, :password, :password_confirmation, { email_address_attributes: [:address] }]
|
||||||
end
|
end
|
||||||
|
|||||||
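Review bot: `record.id == user.id` in the new `can_see_favorites?` is true whenever both ids are nil, so an unsaved `record` would be treated as "self" by any viewer whose `user.id` is also nil; if the policy `user` is always a `User` model, `record == user` avoids that because ActiveRecord equality is false for records without an id, giving `user.is_admin? || record == user || !record.enable_private_favorites?`. Whether an anonymous viewer reaches this policy with a nil id or with a guest object cannot be seen from the hunk, so treat this as something to confirm against `ApplicationPolicy`. The method also deserves a short comment stating the rule it encodes, e.g. `# a user's favorites are visible to admins, to the user themselves, and to everyone when the user has not enabled private favorites`. `UserPolicy` itself starts and ends outside the hunk.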
@@ -11,7 +11,7 @@
|
|||||||
</div>
|
</div>
|
||||||
<% end %>
|
<% end %>
|
||||||
|
|
||||||
<% if presenter.has_favorites? && !user.hide_favorites? %>
|
<% if presenter.has_favorites? && policy(user).can_see_favorites? %>
|
||||||
<div class="box user-favorites">
|
<div class="box user-favorites">
|
||||||
<h2>
|
<h2>
|
||||||
<%= link_to "Favorites", posts_path(tags: "ordfav:#{user.name}") %>
|
<%= link_to "Favorites", posts_path(tags: "ordfav:#{user.name}") %>
|
||||||
|
|||||||
@@ -36,6 +36,12 @@ class RecommendedPostsControllerTest < ActionDispatch::IntegrationTest
|
|||||||
assert_select ".recommended-posts"
|
assert_select ".recommended-posts"
|
||||||
assert_select ".recommended-posts #post_#{@post.id}"
|
assert_select ".recommended-posts #post_#{@post.id}"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
should "not show recommendations for users with private favorites to other users" do
|
||||||
|
@other_user = create(:user, enable_private_favorites: true)
|
||||||
|
get_auth recommended_posts_path(search: { user_id: @other_user.id }), @user
|
||||||
|
assert_response 403
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|||||||
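Review bot: The new test only pins the denial path; nothing in this hunk asserts that the owner of private favorites (or an admin) can still fetch their own recommendations, so a policy that returned false for everyone would pass. Unless such a case already exists elsewhere in the file, a sibling test for the self-view would close that gap, and the `fav:`/`ordfav:` 403 path in `PostQueryBuilder` and the unknown-user-name case have no coverage in this commit at all. The enclosing `context` blocks start outside the hunk.
```ruby
    should "show recommendations for users with private favorites to themselves" do
      @other_user = create(:user, enable_private_favorites: true)
      get_auth recommended_posts_path(search: { user_id: @other_user.id }), @other_user
      assert_response :success
    end
```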