Fix #4105: IP bans leak banned IPs in /mod_actions.

app/models/mod_action.rb

@@ -73,6 +73,14 @@ class ModAction < ApplicationRecord
     q.apply_default_order(params)
   end
 
+  def filtered_description
+    if (ip_ban_create? || ip_ban_delete?) && !CurrentUser.user.is_moderator?
+      description.gsub(/(created|deleted) ip ban for .*/, "\\1 ip ban")
+    else
+      description
+    end
+  end
+
   def category_id
     self.class.categories[category]
   end
@@ -81,6 +89,10 @@ class ModAction < ApplicationRecord
     super + [:category_id]
   end
 
+  def serializable_hash(*args)
+    super(*args).merge("description" => filtered_description)
+  end
+
   def self.log(desc, cat = :other)
     create(:description => desc,:category => categories[cat])
   end

app/views/mod_actions/index.html.erb

@@ -17,7 +17,7 @@
           <tr>
             <td><%= compact_time mod_action.created_at %></td>
             <td><%= link_to_user mod_action.creator %></td>
-            <td><%= format_text(mod_action.description) %></td>
+            <td><%= format_text(mod_action.filtered_description) %></td>
           </tr>
         <% end %>
       </tbody>

test/unit/mod_action_test.rb

@@ -0,0 +1,19 @@
+require 'test_helper'
+
+class ModActionTest < ActiveSupport::TestCase
+  context "A mod action" do
+    setup do
+      @user = FactoryBot.create(:user)
+      CurrentUser.user = @user
+      CurrentUser.ip_addr = "127.0.0.1"
+    end
+
+    should "hide ip addresses from non-moderators in ip ban modactions" do
+      FactoryBot.create(:ip_ban, ip_addr: "1.1.1.1", reason: "test")
+
+      assert_equal(1, ModAction.count)
+      assert_equal("#{@user.name} created ip ban", ModAction.last.filtered_description)
+      assert_equal("#{@user.name} created ip ban", ModAction.last.as_json["description"])
+    end
+  end
+end