From 75a2814f185a94e9cd3b294b72dac742d0fbd7b2 Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 25 Sep 2022 23:11:52 -0500
Subject: [PATCH] mod actions: fix ip unban and modreport actions being visible to non-mods.

Fix IP unban actions and moderation report handled/rejected actions being visible to non-moderators in the mod actions log. Moderation report actions didn't leak the modreport itself, but it did leak which moderator handled or rejected it.
---
 app/models/mod_action.rb | 2 +-
 .../functional/mod_actions_controller_test.rb | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/app/models/mod_action.rb b/app/models/mod_action.rb
index ba2b3066f..f895be5d7 100644
--- a/app/models/mod_action.rb
+++ b/app/models/mod_action.rb
@@ -77,7 +77,7 @@ class ModAction < ApplicationRecord
 if user.is_moderator?
 all
 else
- where.not(category: [:ip_ban_create, :ip_ban_delete])
+ where.not(category: [:ip_ban_create, :ip_ban_delete, :ip_ban_undelete, :moderation_report_handled, :moderation_report_rejected])
 end
 end
diff --git a/test/functional/mod_actions_controller_test.rb b/test/functional/mod_actions_controller_test.rb
index 256a28a1b..475145591 100644
--- a/test/functional/mod_actions_controller_test.rb
+++ b/test/functional/mod_actions_controller_test.rb
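Review bot: The visibility filter at `where.not(category: [...])` is still a deny-list, so every category introduced later is shown to non-moderators by default — which is how `ip_ban_undelete` slipped through in the first place. Lift the list into a frozen class-level constant, e.g. `MODERATOR_ONLY_CATEGORIES = %i[ip_ban_create ip_ban_delete ip_ban_undelete moderation_report_handled moderation_report_rejected].freeze`, use it as `where.not(category: MODERATOR_ONLY_CATEGORIES)`, and document it with `# Categories whose description can reveal an IP address or which moderator handled a report; never shown to non-moderators.` Better still, invert it into an allow-list of publicly visible categories so an unlisted category fails closed rather than open. The method containing this `if user.is_moderator?` branch starts before the hunk, so its name and signature are not visible here.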
@@ -9,6 +9,26 @@ class ModActionsControllerTest < ActionDispatch::IntegrationTest
 assert_response :success
 end
 
+ should "hide ip ban actions from non-moderators" do
+ ip_ban = create(:ip_ban)
+ create(:mod_action, description: "undeleted ip ban for #{ip_ban.ip_addr}", subject: ip_ban)
+
+ get mod_actions_path(search: { category: "ip_ban_undelete" }), as: :json
+
+ assert_response :success
+ assert_equal(0, response.parsed_body.count)
+ end
+
+ should "hide moderation report actions from non-moderators" do
+ report = as(create(:user)) { create(:moderation_report, model: create(:comment)) }
+ create(:mod_action, description: "handled modreport ##{report.id}", category: "moderation_report_handled", subject: report)
+
+ get mod_actions_path, as: :json
+
+ assert_response :success
+ assert_equal(0, response.parsed_body.count)
+ end
+
 context "searching" do
 setup do
 @mod_action = create(:mod_action, description: "blah")
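Review bot: The first new test's `create(:mod_action, description: "undeleted ip ban for #{ip_ban.ip_addr}", subject: ip_ban)` never sets `category`, so unless the factory derives it from the subject, the `search: { category: "ip_ban_undelete" }` request returns zero rows whatever the visibility filter does and the test passes without exercising the fix; the second test passes `category: "moderation_report_handled"` explicitly, and the first should match it with `create(:mod_action, description: "undeleted ip ban for #{ip_ban.ip_addr}", category: "ip_ban_undelete", subject: ip_ban)`. Both tests depend on the request running as a non-moderator (presumably the suite's default unauthenticated user) without stating it; a comment such as `# request is made as an anonymous, non-moderator user` or an explicit login would make that intent visible. A companion assertion that a moderator still sees these rows would guard against over-hiding, and `moderation_report_rejected`, which the model change also hides, has no coverage here. The `context "searching"` block continues past the end of the hunk.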