jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix #4853: Users should not be able to search by disapprover

Browse Source
This commit is contained in:
evazion
2021-08-31 21:09:14 -05:00
parent 38c9559fe8
commit 374298a743
2 changed files with 36 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
app/models/post_disapproval.rb
View File

@@ -20,13 +20,33 @@ class PostDisapproval < ApplicationRecord
concerning :SearchMethods do concerning :SearchMethods do
class_methods do class_methods do
def creator_matches(creator, searcher)
return none if creator.nil?
policy = Pundit.policy!(searcher, PostDisapproval.new(user: creator))
if policy.can_view_creator?
where(user: creator)
else
none
end
end
def search(params) def search(params)
q = search_attributes(params, :id, :created_at, :updated_at, :message, :reason, :user, :post) q = search_attributes(params, :id, :created_at, :updated_at, :message, :reason, :post)
q = q.text_attribute_matches(:message, params[:message_matches]) q = q.text_attribute_matches(:message, params[:message_matches])
q = q.with_message if params[:has_message].to_s.truthy? q = q.with_message if params[:has_message].to_s.truthy?
q = q.without_message if params[:has_message].to_s.falsy? q = q.without_message if params[:has_message].to_s.falsy?
if params[:user_id].present?
user = User.find(params[:user_id])
q = q.creator_matches(user, CurrentUser.user)
elsif params[:user_name].present?
user = User.find_by_name(params[:user_name])
q = q.creator_matches(user, CurrentUser.user)
end
case params[:order] case params[:order]
when "post_id", "post_id_desc" when "post_id", "post_id_desc"
q = q.order(post_id: :desc, id: :desc) q = q.order(post_id: :desc, id: :desc)

16
test/functional/post_disapprovals_controller_test.rb
View File

@@ -56,7 +56,7 @@ class PostDisapprovalsControllerTest < ActionDispatch::IntegrationTest
context "using includes" do context "using includes" do
should respond_to_search(post_tags_match: "touhou").with { @post_disapproval } should respond_to_search(post_tags_match: "touhou").with { @post_disapproval }
should respond_to_search(post: {uploader_name: "marisa"}).with { @post_disapproval } should respond_to_search(post: {uploader_name: "marisa"}).with { @post_disapproval }
should respond_to_search(user_name: "eiki").with { @user_disapproval } should respond_to_search(user_name: "eiki").with { [] }
end end
should "allow mods to see disapprover names" do should "allow mods to see disapprover names" do
@@ -70,6 +70,20 @@ class PostDisapprovalsControllerTest < ActionDispatch::IntegrationTest
assert_response :success assert_response :success
assert_select "tr#post-disapproval-#{@post_disapproval.id} .created-column a.user-post-approver", false assert_select "tr#post-disapproval-#{@post_disapproval.id} .created-column a.user-post-approver", false
end end
context "when a non-mod searches by disapprover name" do
should respond_to_search(user_name: "eiki").with { [] }
end
context "when a mod searches by disapprover name" do
setup { CurrentUser.user = create(:mod_user) }
should respond_to_search(user_name: "eiki").with { @user_disapproval }
end
context "when a disapprover searches by their own name" do
setup { CurrentUser.user = @approver }
should respond_to_search(user_name: "eiki").with { @user_disapproval }
end
end end
end end
end end