Disallow a user from seeing flagger's name on own uploads

2017-11-07 20:02:03 -08:00
parent af7c109912
commit 5b4ab8d80e
8 changed files with 52 additions and 8 deletions
--- a/app/helpers/post_flags_helper.rb
+++ b/app/helpers/post_flags_helper.rb
@@ -7,7 +7,7 @@ module PostFlagsHelper
      html << '<li>'
      html << format_text(flag.reason, inline: true)
-      if CurrentUser.can_view_flagger?(flag.creator_id)
+      if CurrentUser.can_view_flagger_on_post?(flag)
        html << " - #{link_to_user(flag.creator)}"
        if CurrentUser.is_moderator?
           html << " (#{link_to_ip(flag.creator_ip_addr)})"
--- a/app/logical/anonymous_user.rb
+++ b/app/logical/anonymous_user.rb
@@ -120,6 +120,10 @@ class AnonymousUser
    false
  end
  def can_view_flagger_on_post?(flag)
    false
  end
  def can_approve_posts?
    false
  end
--- a/app/logical/post_query_builder.rb
+++ b/app/logical/post_query_builder.rb
@@ -227,7 +227,7 @@ class PostQueryBuilder
    if q[:flagger_ids_neg]
      q[:flagger_ids_neg].each do |flagger_id|
        if CurrentUser.can_view_flagger?(flagger_id)
-          post_ids = PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).reorder("").pluck("distinct(post_id)")
+          post_ids = PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).reorder("").select {|flag| flag.not_uploaded_by?(CurrentUser.id)}.map {|flag| flag.post_id}.uniq
          if post_ids.any?
            relation = relation.where("posts.id NOT IN (?)", post_ids)
          end
@@ -242,7 +242,8 @@ class PostQueryBuilder
        elsif flagger_id == "none"
          relation = relation.where('NOT EXISTS (' + PostFlag.unscoped.search({:category => "normal"}).where('post_id = posts.id').reorder('').select('1').to_sql + ')')
        elsif CurrentUser.can_view_flagger?(flagger_id)
-            relation = relation.where("posts.id IN (?)", PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).reorder("").select(:post_id).distinct)
+          post_ids = PostFlag.unscoped.search({:creator_id => flagger_id, :category => "normal"}).reorder("").select {|flag| flag.not_uploaded_by?(CurrentUser.id)}.map {|flag| flag.post_id}.uniq
          relation = relation.where("posts.id IN (?)", post_ids)
        end
      end
    end
--- a/app/models/post_event.rb
+++ b/app/models/post_event.rb
@@ -30,7 +30,7 @@ class PostEvent
      true
    when PostFlag
      flag = event
-      user.can_view_flagger?(flag.creator_id)
+      user.can_view_flagger_on_post?(flag)
    end
  end
--- a/app/models/post_flag.rb
+++ b/app/models/post_flag.rb
@@ -73,13 +73,19 @@ class PostFlag < ApplicationRecord
        q = q.reason_matches(params[:reason_matches])
      end
-      if params[:creator_id].present? && CurrentUser.can_view_flagger?(params[:creator_id].to_i)
+      if params[:creator_id].present?
-        q = q.where("creator_id = ?", params[:creator_id].to_i)
+        if CurrentUser.can_view_flagger?(params[:creator_id].to_i)
          q = q.where.not(post_id: CurrentUser.user.posts)
          q = q.where("creator_id = ?", params[:creator_id].to_i)
        else
          q = q.where("false")
        end
      end
      if params[:creator_name].present?
        flagger_id = User.name_to_id(params[:creator_name].strip)
        if flagger_id && CurrentUser.can_view_flagger?(flagger_id)
          q = q.where.not(post_id: CurrentUser.user.posts)
          q = q.where("creator_id = ?", flagger_id)
        else
          q = q.where("false")
@@ -122,7 +128,7 @@ class PostFlag < ApplicationRecord
  module ApiMethods
    def hidden_attributes
      list = super
-      unless CurrentUser.is_moderator?
+      unless CurrentUser.can_view_flagger_on_post?(self)
        list += [:creator_id]
      end
      super + list
@@ -190,4 +196,12 @@ class PostFlag < ApplicationRecord
  def flag_count_for_creator
    PostFlag.where(:creator_id => creator_id).recent.count
  end
  def uploader_id
    @uploader_id ||= Post.find(post_id).uploader_id
  end
  def not_uploaded_by?(userid)
    uploader_id != userid
  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -557,6 +557,10 @@ class User < ApplicationRecord
      is_moderator? || flagger_id == id
    end
    def can_view_flagger_on_post?(flag)
      (is_moderator? && flag.not_uploaded_by?(id)) || flag.creator_id == id
    end
    def upload_limit
      @upload_limit ||= [max_upload_limit - used_upload_slots, 0].max
    end
--- a/app/views/post_flags/index.html.erb
+++ b/app/views/post_flags/index.html.erb
@@ -39,7 +39,7 @@
            </td>
            <td>
              <%= compact_time post_flag.created_at %>
-              <% if CurrentUser.can_view_flagger?(post_flag.creator_id) %>
+              <% if CurrentUser.can_view_flagger_on_post?(post_flag) %>
                <br> by <%= link_to_user post_flag.creator %>
                <%= link_to "»", post_flags_path(search: params[:search].merge(creator_name: post_flag.creator.name)) %>
              <% end %>
--- a/test/unit/post_flag_test.rb
+++ b/test/unit/post_flag_test.rb
@@ -94,5 +94,26 @@ class PostFlagTest < ActiveSupport::TestCase
        assert_equal(IPAddr.new("127.0.0.2"), @post_flag.creator_ip_addr)
      end
    end
    context "a moderator user" do
      setup do
        Timecop.travel(2.weeks.ago) do
          @dave = FactoryGirl.create(:moderator_user)
        end
        CurrentUser.user = @dave
      end
      should "not be able to view flags on their own uploads" do
        @modpost = FactoryGirl.create(:post, :tag_string => "mmm",:uploader_id => @dave.id)
        CurrentUser.scoped(@alice) do
          @flag1 = PostFlag.create(:post => @modpost, :reason => "aaa", :is_resolved => false)
        end
        assert_equal(false, @dave.can_view_flagger_on_post?(@flag1))
        flag2 = PostFlag.search(:creator_id => @alice.id)
        assert_equal(0, flag2.length)
        flag3 = PostFlag.search({})
        assert_nil(JSON.parse(flag3.to_json)[0]["creator_id"])
      end
    end
  end
 end