mod actions: fix ip unban and modreport actions being visible to non-mods.

Fix IP unban actions and moderation report handled/rejected actions being visible to non-moderators in the mod actions log. Moderation report actions didn't leak the modreport itself, but it did leak which moderator handled or rejected it.
2022-09-25 23:11:52 -05:00
parent 17c6a2d77b
commit 75a2814f18
2 changed files with 21 additions and 1 deletions
--- a/app/models/mod_action.rb
+++ b/app/models/mod_action.rb
@@ -77,7 +77,7 @@ class ModAction < ApplicationRecord
    if user.is_moderator?
      all
    else
-      where.not(category: [:ip_ban_create, :ip_ban_delete])
+      where.not(category: [:ip_ban_create, :ip_ban_delete, :ip_ban_undelete, :moderation_report_handled, :moderation_report_rejected])
    end
  end

--- a/test/functional/mod_actions_controller_test.rb
+++ b/test/functional/mod_actions_controller_test.rb
@@ -9,6 +9,26 @@ class ModActionsControllerTest < ActionDispatch::IntegrationTest
        assert_response :success
      end

+      should "hide ip ban actions from non-moderators" do
+        ip_ban = create(:ip_ban)
+        create(:mod_action, description: "undeleted ip ban for #{ip_ban.ip_addr}", subject: ip_ban)
+
+        get mod_actions_path(search: { category: "ip_ban_undelete" }), as: :json
+
+        assert_response :success
+        assert_equal(0, response.parsed_body.count)
+      end
+
+      should "hide moderation report actions from non-moderators" do
+        report = as(create(:user)) { create(:moderation_report, model: create(:comment)) }
+        create(:mod_action, description: "handled modreport ##{report.id}", category: "moderation_report_handled", subject: report)
+
+        get mod_actions_path, as: :json
+
+        assert_response :success
+        assert_equal(0, response.parsed_body.count)
+      end
+
      context "searching" do
        setup do
          @mod_action = create(:mod_action, description: "blah")