Fix #4853: Users should not be able to search by disapprover

2021-08-31 21:09:14 -05:00
parent 38c9559fe8
commit 374298a743
2 changed files with 36 additions and 2 deletions
--- a/app/models/post_disapproval.rb
+++ b/app/models/post_disapproval.rb
@@ -20,13 +20,33 @@ class PostDisapproval < ApplicationRecord

  concerning :SearchMethods do
    class_methods do
+      def creator_matches(creator, searcher)
+        return none if creator.nil?
+
+        policy = Pundit.policy!(searcher, PostDisapproval.new(user: creator))
+
+        if policy.can_view_creator?
+          where(user: creator)
+        else
+          none
+        end
+      end
+
      def search(params)
-        q = search_attributes(params, :id, :created_at, :updated_at, :message, :reason, :user, :post)
+        q = search_attributes(params, :id, :created_at, :updated_at, :message, :reason, :post)
        q = q.text_attribute_matches(:message, params[:message_matches])

        q = q.with_message if params[:has_message].to_s.truthy?
        q = q.without_message if params[:has_message].to_s.falsy?

+        if params[:user_id].present?
+          user = User.find(params[:user_id])
+          q = q.creator_matches(user, CurrentUser.user)
+        elsif params[:user_name].present?
+          user = User.find_by_name(params[:user_name])
+          q = q.creator_matches(user, CurrentUser.user)
+        end
+
        case params[:order]
        when "post_id", "post_id_desc"
          q = q.order(post_id: :desc, id: :desc)
--- a/test/functional/post_disapprovals_controller_test.rb
+++ b/test/functional/post_disapprovals_controller_test.rb
@@ -56,7 +56,7 @@ class PostDisapprovalsControllerTest < ActionDispatch::IntegrationTest
      context "using includes" do
        should respond_to_search(post_tags_match: "touhou").with { @post_disapproval }
        should respond_to_search(post: {uploader_name: "marisa"}).with { @post_disapproval }
-        should respond_to_search(user_name: "eiki").with { @user_disapproval }
+        should respond_to_search(user_name: "eiki").with { [] }
      end

      should "allow mods to see disapprover names" do
@@ -70,6 +70,20 @@ class PostDisapprovalsControllerTest < ActionDispatch::IntegrationTest
        assert_response :success
        assert_select "tr#post-disapproval-#{@post_disapproval.id} .created-column a.user-post-approver", false
      end
+
+      context "when a non-mod searches by disapprover name" do
+        should respond_to_search(user_name: "eiki").with { [] }
+      end
+
+      context "when a mod searches by disapprover name" do
+        setup { CurrentUser.user = create(:mod_user) }
+        should respond_to_search(user_name: "eiki").with { @user_disapproval }
+      end
+
+      context "when a disapprover searches by their own name" do
+        setup { CurrentUser.user = @approver }
+        should respond_to_search(user_name: "eiki").with { @user_disapproval }
+      end
    end
  end
 end