From 7bf824f0dde60824ae44c9f5c79d12118d1ffdd6 Mon Sep 17 00:00:00 2001
From: evazion <noizave@gmail.com>
Date: Fri, 23 Sep 2022 20:51:25 -0500
Subject: [PATCH] disapprovals: fix searching by user.

Fix searching post disapprovals by user to use the new `visible_for_search`
mechanism. This fixes it so you can do subsearches on the user field, like this:

* https://danbooru.donmai.us/post_disapprovals?search[user][level]=32 (find disapprovals by Builder-level approvers)
---
 app/models/post.rb                      |  2 +-
 app/models/post_disapproval.rb          | 22 +---------------------
 app/policies/post_disapproval_policy.rb | 13 +++++++++++++
 3 files changed, 15 insertions(+), 22 deletions(-)

diff --git a/app/models/post.rb b/app/models/post.rb
index a9dce2011..f2f1d6f3d 100644
--- a/app/models/post.rb
+++ b/app/models/post.rb
@@ -1209,7 +1209,7 @@ class Post < ApplicationRecord
           where(disapprovals: PostDisapproval.where(reason: query.downcase))
         else
           user = User.find_by_name(query)
-          where(disapprovals: PostDisapproval.creator_matches(user, current_user))
+          where(disapprovals: PostDisapproval.visible_for_search(:user, current_user).where(user: user))
         end
       end
 
diff --git a/app/models/post_disapproval.rb b/app/models/post_disapproval.rb
index 5da6e0cd9..d8aa60bd6 100644
--- a/app/models/post_disapproval.rb
+++ b/app/models/post_disapproval.rb
@@ -22,32 +22,12 @@ class PostDisapproval < ApplicationRecord
 
   concerning :SearchMethods do
     class_methods do
-      def creator_matches(creator, searcher)
-        return none if creator.nil?
-
-        policy = Pundit.policy!(searcher, PostDisapproval.new(user: creator))
-
-        if policy.can_view_creator?
-          where(user: creator)
-        else
-          none
-        end
-      end
-
       def search(params, current_user)
-        q = search_attributes(params, [:id, :created_at, :updated_at, :message, :reason, :post], current_user: current_user)
+        q = search_attributes(params, [:id, :created_at, :updated_at, :message, :reason, :post, :user], current_user: current_user)
 
         q = q.with_message if params[:has_message].to_s.truthy?
         q = q.without_message if params[:has_message].to_s.falsy?
 
-        if params[:user_id].present?
-          user = User.find(params[:user_id])
-          q = q.creator_matches(user, CurrentUser.user)
-        elsif params[:user_name].present?
-          user = User.find_by_name(params[:user_name])
-          q = q.creator_matches(user, CurrentUser.user)
-        end
-
         case params[:order]
         when "post_id", "post_id_desc"
           q = q.order(post_id: :desc, id: :desc)
diff --git a/app/policies/post_disapproval_policy.rb b/app/policies/post_disapproval_policy.rb
index a8b1ef27c..35230a1e9 100644
--- a/app/policies/post_disapproval_policy.rb
+++ b/app/policies/post_disapproval_policy.rb
@@ -9,6 +9,10 @@ class PostDisapprovalPolicy < ApplicationPolicy
     user.is_moderator? || record.user_id == user.id
   end
 
+  def can_search_creator?
+    user.is_moderator?
+  end
+
   def permitted_attributes_for_create
     [:post_id, :reason, :message]
   end
@@ -30,4 +34,13 @@ class PostDisapprovalPolicy < ApplicationPolicy
     attributes -= [:user_id] unless can_view_creator?
     attributes
   end
+
+  def visible_for_search(disapprovals, attribute)
+    case attribute
+    in :user | :user_id if !can_search_creator?
+      disapprovals.where(user: user)
+    else
+      disapprovals
+    end
+  end
 end