From 374298a7430ba5de1e11c2abb4fb5abb519e0f0b Mon Sep 17 00:00:00 2001
From: evazion
Date: Tue, 31 Aug 2021 21:09:14 -0500
Subject: [PATCH] Fix #4853: Users should not be able to search by disapprover
---
 app/models/post_disapproval.rb | 22 ++++++++++++++++++-
 .../post_disapprovals_controller_test.rb | 16 +++++++++++++-
 2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/app/models/post_disapproval.rb b/app/models/post_disapproval.rb
index dcc484f42..8c66a3759 100644
--- a/app/models/post_disapproval.rb
+++ b/app/models/post_disapproval.rb
@@ -20,13 +20,33 @@ class PostDisapproval < ApplicationRecord
 
   concerning :SearchMethods do
     class_methods do
+      def creator_matches(creator, searcher)
+        return none if creator.nil?
+
+        policy = Pundit.policy!(searcher, PostDisapproval.new(user: creator))
+
+        if policy.can_view_creator?
+          where(user: creator)
+        else
+          none
+        end
+      end
+
       def search(params)
-        q = search_attributes(params, :id, :created_at, :updated_at, :message, :reason, :user, :post)
+        q = search_attributes(params, :id, :created_at, :updated_at, :message, :reason, :post)
         q = q.text_attribute_matches(:message, params[:message_matches])
         q = q.with_message if params[:has_message].to_s.truthy?
         q = q.without_message if params[:has_message].to_s.falsy?
 
+        if params[:user_id].present?
+          user = User.find(params[:user_id])
+          q = q.creator_matches(user, CurrentUser.user)
+        elsif params[:user_name].present?
+          user = User.find_by_name(params[:user_name])
+          q = q.creator_matches(user, CurrentUser.user)
+        end
+
         case params[:order]
         when "post_id", "post_id_desc"
           q = q.order(post_id: :desc, id: :desc)
diff --git a/test/functional/post_disapprovals_controller_test.rb b/test/functional/post_disapprovals_controller_test.rb
index 513b16c67..ec5f05841 100644
--- a/test/functional/post_disapprovals_controller_test.rb
+++ b/test/functional/post_disapprovals_controller_test.rb
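Review bot: The two spellings of the same filter fail differently in the new `search` branches: `User.find(params[:user_id])` raises ActiveRecord::RecordNotFound for an unknown id, while the `user_name` branch goes through `find_by_name`, gets `nil`, and is turned into `none` by `creator_matches`. Using `user = User.find_by(id: params[:user_id])` would route both branches through the same nil-creator path and give an empty result instead of an error response for a bad id. Dropping `:user` from `search_attributes` also removes whatever user-derived parameters the generic handler accepted; if that is intentional, a comment above the new `if` such as `# user_id/user_name are resolved here, not via search_attributes, so the disapprover is only filterable when the policy allows viewing them` would record why. `search` continues past the hunk (the `case` on `params[:order]` is cut off), and the enclosing `class PostDisapproval` starts outside it.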
@@ -56,7 +56,7 @@ class PostDisapprovalsControllerTest < ActionDispatch::IntegrationTest
       context "using includes" do
         should respond_to_search(post_tags_match: "touhou").with { @post_disapproval }
         should respond_to_search(post: {uploader_name: "marisa"}).with { @post_disapproval }
-        should respond_to_search(user_name: "eiki").with { @user_disapproval }
+        should respond_to_search(user_name: "eiki").with { [] }
       end
 
       should "allow mods to see disapprover names" do
@@ -70,6 +70,20 @@ class PostDisapprovalsControllerTest < ActionDispatch::IntegrationTest
         assert_response :success
         assert_select "tr#post-disapproval-#{@post_disapproval.id} .created-column a.user-post-approver", false
       end
+
+      context "when a non-mod searches by disapprover name" do
+        should respond_to_search(user_name: "eiki").with { [] }
+      end
+
+      context "when a mod searches by disapprover name" do
+        setup { CurrentUser.user = create(:mod_user) }
+        should respond_to_search(user_name: "eiki").with { @user_disapproval }
+      end
+
+      context "when a disapprover searches by their own name" do
+        setup { CurrentUser.user = @approver }
+        should respond_to_search(user_name: "eiki").with { @user_disapproval }
+      end
     end
   end
 end
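Review bot: The three new contexts only exercise the `user_name` spelling of the filter; the `user_id` branch added to `search` in the model hunk, including its `User.find` call that raises on an unknown id, has no coverage here, so a regression in that branch would go unnoticed. Adding `should respond_to_search(user_id: @approver.id).with { [] }` to the non-mod context and the matching `.with { @user_disapproval }` expectation to the mod and self-search contexts would pin both spellings to the same policy outcome. This assumes `@approver` is the user named "eiki", which the own-name context implies but whose setup lies outside the hunk.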