Disallow a user from seeing flagger's name on own uploads

app/helpers/post_flags_helper.rb

@@ -7,7 +7,7 @@ module PostFlagsHelper
       html << '<li>'
       html << format_text(flag.reason, inline: true)
 
-      if CurrentUser.can_view_flagger?(flag.creator_id)
+      if CurrentUser.can_view_flagger_on_post?(flag)
         html << " - #{link_to_user(flag.creator)}"
         if CurrentUser.is_moderator?
            html << " (#{link_to_ip(flag.creator_ip_addr)})"

app/logical/anonymous_user.rb

@@ -120,6 +120,10 @@ class AnonymousUser
     false
   end
 
+  def can_view_flagger_on_post?(flag)
+    false
+  end
+
   def can_approve_posts?
     false
   end

app/logical/post_query_builder.rb

@@ -227,7 +227,7 @@ class PostQueryBuilder
     if q[:flagger_ids_neg]
       q[:flagger_ids_neg].each do |flagger_id|
         if CurrentUser.can_view_flagger?(flagger_id)
-          post_ids = PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).reorder("").pluck("distinct(post_id)")
+          post_ids = PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).reorder("").select {|flag| flag.not_uploaded_by?(CurrentUser.id)}.map {|flag| flag.post_id}.uniq
           if post_ids.any?
             relation = relation.where("posts.id NOT IN (?)", post_ids)
           end
@@ -242,7 +242,8 @@ class PostQueryBuilder
         elsif flagger_id == "none"
           relation = relation.where('NOT EXISTS (' + PostFlag.unscoped.search({:category => "normal"}).where('post_id = posts.id').reorder('').select('1').to_sql + ')')
         elsif CurrentUser.can_view_flagger?(flagger_id)
-            relation = relation.where("posts.id IN (?)", PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).reorder("").select(:post_id).distinct)
+          post_ids = PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).reorder("").select {|flag| flag.not_uploaded_by?(CurrentUser.id)}.map {|flag| flag.post_id}.uniq
+          relation = relation.where("posts.id IN (?)", post_ids)
         end
       end
     end

app/models/post_event.rb

@@ -30,7 +30,7 @@ class PostEvent
       true
     when PostFlag
       flag = event
-      user.can_view_flagger?(flag.creator_id)
+      user.can_view_flagger_on_post?(flag)
     end
   end
 

app/models/post_flag.rb

@@ -73,13 +73,19 @@ class PostFlag < ApplicationRecord
         q = q.reason_matches(params[:reason_matches])
       end
 
-      if params[:creator_id].present? && CurrentUser.can_view_flagger?(params[:creator_id].to_i)
-        q = q.where("creator_id = ?", params[:creator_id].to_i)
+      if params[:creator_id].present?
+        if CurrentUser.can_view_flagger?(params[:creator_id].to_i)
+          q = q.where.not(post_id: CurrentUser.user.posts)
+          q = q.where("creator_id = ?", params[:creator_id].to_i)
+        else
+          q = q.where("false")
+        end
       end
 
       if params[:creator_name].present?
         flagger_id = User.name_to_id(params[:creator_name].strip)
         if flagger_id && CurrentUser.can_view_flagger?(flagger_id)
+          q = q.where.not(post_id: CurrentUser.user.posts)
           q = q.where("creator_id = ?", flagger_id)
         else
           q = q.where("false")
@@ -122,7 +128,7 @@ class PostFlag < ApplicationRecord
   module ApiMethods
     def hidden_attributes
       list = super
-      unless CurrentUser.is_moderator?
+      unless CurrentUser.can_view_flagger_on_post?(self)
         list += [:creator_id]
       end
       super + list
@@ -190,4 +196,12 @@ class PostFlag < ApplicationRecord
   def flag_count_for_creator
     PostFlag.where(:creator_id => creator_id).recent.count
   end
+
+  def uploader_id
+    @uploader_id ||= Post.find(post_id).uploader_id
+  end
+
+  def not_uploaded_by?(userid)
+    uploader_id != userid
+  end
 end

app/models/user.rb

@@ -557,6 +557,10 @@ class User < ApplicationRecord
       is_moderator? || flagger_id == id
     end
 
+    def can_view_flagger_on_post?(flag)
+      (is_moderator? && flag.not_uploaded_by?(id)) || flag.creator_id == id
+    end
+
     def upload_limit
       @upload_limit ||= [max_upload_limit - used_upload_slots, 0].max
     end

app/views/post_flags/index.html.erb

@@ -39,7 +39,7 @@
             </td>
             <td>
               <%= compact_time post_flag.created_at %>
-              <% if CurrentUser.can_view_flagger?(post_flag.creator_id) %>
+              <% if CurrentUser.can_view_flagger_on_post?(post_flag) %>
                 <br> by <%= link_to_user post_flag.creator %>
                 <%= link_to "»", post_flags_path(search: params[:search].merge(creator_name: post_flag.creator.name)) %>
               <% end %>

test/unit/post_flag_test.rb

@@ -94,5 +94,26 @@ class PostFlagTest < ActiveSupport::TestCase
         assert_equal(IPAddr.new("127.0.0.2"), @post_flag.creator_ip_addr)
       end
     end
+
+    context "a moderator user" do
+      setup do
+        Timecop.travel(2.weeks.ago) do
+          @dave = FactoryGirl.create(:moderator_user)
+        end
+        CurrentUser.user = @dave
+      end
+
+      should "not be able to view flags on their own uploads" do
+        @modpost = FactoryGirl.create(:post, :tag_string => "mmm",:uploader_id => @dave.id)
+        CurrentUser.scoped(@alice) do
+          @flag1 = PostFlag.create(:post => @modpost, :reason => "aaa", :is_resolved => false)
+        end
+        assert_equal(false, @dave.can_view_flagger_on_post?(@flag1))
+        flag2 = PostFlag.search(:creator_id => @alice.id)
+        assert_equal(0, flag2.length)
+        flag3 = PostFlag.search({})
+        assert_nil(JSON.parse(flag3.to_json)[0]["creator_id"])
+      end
+    end
   end
 end