diff --git a/app/helpers/post_flags_helper.rb b/app/helpers/post_flags_helper.rb index d42f74d22..58b80523c 100644 --- a/app/helpers/post_flags_helper.rb +++ b/app/helpers/post_flags_helper.rb @@ -7,7 +7,7 @@ module PostFlagsHelper html << '
  • ' html << format_text(flag.reason, inline: true) - if CurrentUser.can_view_flagger?(flag.creator_id) + if CurrentUser.can_view_flagger_on_post?(flag) html << " - #{link_to_user(flag.creator)}" if CurrentUser.is_moderator? html << " (#{link_to_ip(flag.creator_ip_addr)})" diff --git a/app/logical/anonymous_user.rb b/app/logical/anonymous_user.rb index 53ffb6c6d..e3ac6d5fe 100644 --- a/app/logical/anonymous_user.rb +++ b/app/logical/anonymous_user.rb @@ -120,6 +120,10 @@ class AnonymousUser false end + def can_view_flagger_on_post?(flag) + false + end + def can_approve_posts? false end diff --git a/app/logical/post_query_builder.rb b/app/logical/post_query_builder.rb index af48955a8..5a5873dfe 100644 --- a/app/logical/post_query_builder.rb +++ b/app/logical/post_query_builder.rb @@ -227,7 +227,7 @@ class PostQueryBuilder if q[:flagger_ids_neg] q[:flagger_ids_neg].each do |flagger_id| if CurrentUser.can_view_flagger?(flagger_id) - post_ids = PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).reorder("").pluck("distinct(post_id)") + post_ids = PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).reorder("").select {|flag| flag.not_uploaded_by?(CurrentUser.id)}.map {|flag| flag.post_id}.uniq if post_ids.any? relation = relation.where("posts.id NOT IN (?)", post_ids) end 
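Review bot: The rewritten `post_ids` line replaces the SQL `pluck("distinct(post_id)")` with a Ruby-side `select {|flag| flag.not_uploaded_by?(CurrentUser.id)}`, which loads every flag row for the flagger and then calls `Post.find` once per flag, so a `flgr:` search turns into N+1 queries and the whole id list is interpolated back into `NOT IN (?)`; the second hunk in this file (`@@ -242`) has the same shape. The same rule is already expressed in SQL in post_flag.rb as `where.not(post_id: CurrentUser.user.posts)`, so both hunks could keep the old pluck and add that clause: `post_ids = PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).where.not(post_id: CurrentUser.user.posts).reorder("").pluck("distinct(post_id)")`. The enclosing method starts and ends outside the hunk.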
@@ -242,7 +242,8 @@ class PostQueryBuilder
 elsif flagger_id == "none"
 relation = relation.where('NOT EXISTS (' + PostFlag.unscoped.search({:category => "normal"}).where('post_id = posts.id').reorder('').select('1').to_sql + ')')
 elsif CurrentUser.can_view_flagger?(flagger_id)
- relation = relation.where("posts.id IN (?)", PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).reorder("").select(:post_id).distinct)
+ post_ids = PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).reorder("").select {|flag| flag.not_uploaded_by?(CurrentUser.id)}.map {|flag| flag.post_id}.uniq
+ relation = relation.where("posts.id IN (?)", post_ids)
 end
 end
 end
diff --git a/app/models/post_event.rb b/app/models/post_event.rb
index 09c9193f8..8c57bb8ab 100644
--- a/app/models/post_event.rb
+++ b/app/models/post_event.rb
@@ -30,7 +30,7 @@ class PostEvent
 true
 when PostFlag
 flag = event
- user.can_view_flagger?(flag.creator_id)
+ user.can_view_flagger_on_post?(flag)
 end
 end
diff --git a/app/models/post_flag.rb b/app/models/post_flag.rb
index 93b0304c3..d573d399d 100644
--- a/app/models/post_flag.rb
+++ b/app/models/post_flag.rb
@@ -73,13 +73,19 @@ class PostFlag < ApplicationRecord
 q = q.reason_matches(params[:reason_matches])
 end
- if params[:creator_id].present? && CurrentUser.can_view_flagger?(params[:creator_id].to_i)
- q = q.where("creator_id = ?", params[:creator_id].to_i)
+ if params[:creator_id].present?
+ if CurrentUser.can_view_flagger?(params[:creator_id].to_i)
+ q = q.where.not(post_id: CurrentUser.user.posts)
+ q = q.where("creator_id = ?", params[:creator_id].to_i)
+ else
+ q = q.where("false")
+ end
 end
 if params[:creator_name].present?
 flagger_id = User.name_to_id(params[:creator_name].strip)
 if flagger_id && CurrentUser.can_view_flagger?(flagger_id)
+ q = q.where.not(post_id: CurrentUser.user.posts)
 q = q.where("creator_id = ?", flagger_id)
 else
 q = q.where("false") 
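Review bot: The new `q = q.where.not(post_id: CurrentUser.user.posts)` runs whenever `can_view_flagger?` passes, and that predicate (`is_moderator? || flagger_id == id` in the user.rb hunk) also passes for a user searching for their own flags, so the searcher's own flags on their own uploads vanish from this search while `can_view_flagger_on_post?` would still show them — if self-flagging is possible, the two paths disagree. Skipping the exclusion when the searched creator is the current user keeps them consistent: `q = q.where.not(post_id: CurrentUser.user.posts) unless params[:creator_id].to_i == CurrentUser.id`, and `unless flagger_id == CurrentUser.id` in the creator_name branch. The clause now appears twice, so a named scope (say `not_on_uploads_of(user)`) would keep both branches in step. The search method begins and ends outside the hunk.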
@@ -122,7 +128,7 @@ class PostFlag < ApplicationRecord
 module ApiMethods
 def hidden_attributes
 list = super
- unless CurrentUser.is_moderator?
+ unless CurrentUser.can_view_flagger_on_post?(self)
 list += [:creator_id]
 end
 super + list
@@ -190,4 +196,12 @@ class PostFlag < ApplicationRecord
 def flag_count_for_creator
 PostFlag.where(:creator_id => creator_id).recent.count
 end
+
+ def uploader_id
+ @uploader_id ||= Post.find(post_id).uploader_id
+ end
+
+ def not_uploaded_by?(userid)
+ uploader_id != userid
+ end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 79cf47fc2..8c004cbdd 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -557,6 +557,10 @@ class User < ApplicationRecord
 is_moderator? || flagger_id == id
 end
+ def can_view_flagger_on_post?(flag)
+ (is_moderator? && flag.not_uploaded_by?(id)) || flag.creator_id == id
+ end
+
 def upload_limit
 @upload_limit ||= [max_upload_limit - used_upload_slots, 0].max
 end
diff --git a/app/views/post_flags/index.html.erb b/app/views/post_flags/index.html.erb
index 81b489f1a..598209725 100644
--- a/app/views/post_flags/index.html.erb
+++ b/app/views/post_flags/index.html.erb
@@ -39,7 +39,7 @@
 <%= compact_time post_flag.created_at %>
- <% if CurrentUser.can_view_flagger?(post_flag.creator_id) %>
+ <% if CurrentUser.can_view_flagger_on_post?(post_flag) %>
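Review bot: `uploader_id` fetches the post with `Post.find(post_id)`, which raises `ActiveRecord::RecordNotFound` if the post no longer exists and issues one extra query for every flag that `hidden_attributes` or a view checks, so a flag listing becomes N+1 on posts. The model already has a `post` association (the new test creates flags with `:post => @modpost`), so `@uploader_id ||= post&.uploader_id` lets callers eager-load with `includes(:post)` and yields nil instead of an exception should a flag outlive its post. A short doc comment on `not_uploaded_by?` would help, e.g. `# True unless the given user uploaded the flagged post; used to hide flagger identity from the uploader.`, and its parameter would read better as `user_id`.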
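Review bot: `can_view_flagger_on_post?` evaluates `flag.not_uploaded_by?(id)`, which loads the post from the database, before the cheap `flag.creator_id == id` comparison, so the query is paid even for the flagger's own flags; swapping the operands, `flag.creator_id == id || (is_moderator? && flag.not_uploaded_by?(id))`, short-circuits without changing the result. The method also carries no comment on the access rule it encodes; `# Flaggers always see their own flags; moderators see the flagger unless they uploaded the post themselves.` next to `can_view_flagger?` would spell it out.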
    by <%= link_to_user post_flag.creator %> <%= link_to "ยป", post_flags_path(search: params[:search].merge(creator_name: post_flag.creator.name)) %> <% end %> diff --git a/test/unit/post_flag_test.rb b/test/unit/post_flag_test.rb index 57ca38d8b..1eb00dd41 100644 --- a/test/unit/post_flag_test.rb +++ b/test/unit/post_flag_test.rb @@ -94,5 +94,26 @@ class PostFlagTest < ActiveSupport::TestCase assert_equal(IPAddr.new("127.0.0.2"), @post_flag.creator_ip_addr) end end + + context "a moderator user" do + setup do + Timecop.travel(2.weeks.ago) do + @dave = FactoryGirl.create(:moderator_user) + end + CurrentUser.user = @dave + end + + should "not be able to view flags on their own uploads" do + @modpost = FactoryGirl.create(:post, :tag_string => "mmm",:uploader_id => @dave.id) + CurrentUser.scoped(@alice) do + @flag1 = PostFlag.create(:post => @modpost, :reason => "aaa", :is_resolved => false) + end + assert_equal(false, @dave.can_view_flagger_on_post?(@flag1)) + flag2 = PostFlag.search(:creator_id => @alice.id) + assert_equal(0, flag2.length) + flag3 = PostFlag.search({}) + assert_nil(JSON.parse(flag3.to_json)[0]["creator_id"]) + end + end end end
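Review bot: The new context only asserts the negative case (a moderator cannot see the flagger on their own upload); a regression that hid the flagger from moderators everywhere would still pass, so add a flag by `@alice` on a post uploaded by someone other than `@dave` and assert `@dave.can_view_flagger_on_post?` is true for it and that `PostFlag.search(:creator_id => @alice.id)` returns it. `@alice` is not created in this hunk, so the test presumably relies on an outer `setup` outside the hunk. Minor style: `assert_equal(false, ...)` reads better as `assert_not`, and `:tag_string => "mmm",:uploader_id` is missing a space after the comma. The `creator_name` branch and the `flgr:` query-builder path changed in this commit have no coverage here.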