user events: let mods only see login/logout/signup events.

Adjust permissions on user events to let Moderators only see login,
logout, and user creation events, not other types of events (password
changes, etc). Admins can see everything. These other types of events
are meant for account security purposes and aren't very relevant for
sockpuppet detection purposes.

app/models/user_event.rb

@@ -22,8 +22,10 @@ class UserEvent < ApplicationRecord
   delegate :country, :city, :is_proxy?, to: :ip_geolocation, allow_nil: true
 
   def self.visible(user)
-    if user.is_moderator?
+    if user.is_admin?
       all
+    elsif user.is_moderator?
+      where(category: [:login, :logout, :user_creation]).or(where(user: user))
     else
       where(user: user)
     end

app/policies/user_session_policy.rb

@@ -1,5 +1,5 @@
 class UserSessionPolicy < ApplicationPolicy
   def index?
-    user.is_moderator?
+    user.is_admin?
   end
 end