From 7537edb2112947bf54061c6506a5f240a58fc93e Mon Sep 17 00:00:00 2001
From: evazion
Date: Tue, 12 Jan 2021 16:44:53 -0600
Subject: [PATCH] user events: let mods only see login/logout/signup events.

Adjust permissions on user events to let Moderators only see login, logout, and user creation events, not other types of events (password changes, etc). Admins can see everything. These other types of events are meant for account security purposes and aren't very relevant for sockpuppet detection purposes.
---
 app/models/user_event.rb | 4 +++-
 app/policies/user_session_policy.rb | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/app/models/user_event.rb b/app/models/user_event.rb
index 752a02398..ce700a3a4 100644
--- a/app/models/user_event.rb
+++ b/app/models/user_event.rb
@@ -22,8 +22,10 @@ class UserEvent < ApplicationRecord
 delegate :country, :city, :is_proxy?, to: :ip_geolocation, allow_nil: true
 def self.visible(user)
- if user.is_moderator?
+ if user.is_admin?
 all
+ elsif user.is_moderator?
+ where(category: [:login, :logout, :user_creation]).or(where(user: user))
 else
 where(user: user)
 end
diff --git a/app/policies/user_session_policy.rb b/app/policies/user_session_policy.rb
index cb84fe503..db6a26d38 100644
--- a/app/policies/user_session_policy.rb
+++ b/app/policies/user_session_policy.rb
@@ -1,5 +1,5 @@
 class UserSessionPolicy < ApplicationPolicy
 def index?
- user.is_moderator?
+ user.is_admin?
 end
 end
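Review bot: The moderator branch of `UserEvent.visible` carries the whole access rule as an inline array literal, and the diffstat shows no test file changed, so nothing in this commit pins the new three-tier behaviour. I would name the allowlist, e.g. `MODERATOR_VISIBLE_CATEGORIES = %i[login logout user_creation].freeze`, and put a comment above the branch such as `# Moderators see session and signup events for everyone plus all of their own events; other categories are admin-only.` The allowlist fails closed for any category added later, which is the right default and worth stating in that comment. A test asserting that a moderator's `visible` relation excludes another user's password-change event would guard the restriction against a later refactor; the same missing coverage applies to the `UserSessionPolicy#index?` change in the second hunk. The class body continues outside the hunk.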
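Review bot: `index?` now requires `user.is_admin?`, yet the commit description only speaks of narrowing which user events moderators see and does not mention removing moderator access to the session index. If the restriction is intended, record the reason next to the rule, e.g. `# Admin-only: moderators review logins through UserEvent.visible instead.` (adjust to the actual reasoning), and mention it in the description. Any views or links that still offer this index to moderators are outside the hunk and would presumably lead to an authorization failure until they are gated the same way.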