post_disapprovals/index: don't show usernames to other users.

* Don't show who disapproved the post to other users. Only show the
  creator to mods or to the disapprover themselves.
* Let unprivileged users see the /post_disapprovals index.

app/controllers/post_disapprovals_controller.rb

@@ -1,5 +1,5 @@
 class PostDisapprovalsController < ApplicationController
-  before_action :approver_only
+  before_action :approver_only, only: [:create]
   skip_before_action :api_check
   respond_to :js, :html, :json, :xml
 

app/models/post_disapproval.rb

@@ -39,12 +39,6 @@ class PostDisapproval < ApplicationRecord
     end
   end
 
-  def create_downvote
-    if %w(breaks_rules poor_quality).include?(reason)
-      PostVote.create(:score => -1, :post_id => post_id)
-    end
-  end
-
   concerning :SearchMethods do
     class_methods do
       def search(params)
@@ -71,4 +65,14 @@ class PostDisapproval < ApplicationRecord
   def self.available_includes
     [:user, :post]
   end
+
+  def can_view_creator?(user)
+    user.is_moderator? || user_id == user.id
+  end
+
+  def api_attributes
+    attributes = super
+    attributes -= [:creator_id] unless can_view_creator?(CurrentUser.user)
+    attributes
+  end
 end

app/views/post_disapprovals/index.html.erb

@@ -27,8 +27,11 @@
         <%= link_to post_disapproval.reason.humanize, post_disapprovals_path(search: params[:search].merge(reason: post_disapproval.reason)) %>
       <% end %>
       <% t.column "Created" do |post_disapproval| %>
-        <%= link_to_user post_disapproval.user %>
-        <%= link_to "»", post_disapprovals_path(search: params[:search].merge(creator_name: post_disapproval.user&.name)) %>
+        <% if post_disapproval.can_view_creator?(CurrentUser.user) %>
+          <%= link_to_user post_disapproval.user %>
+          <%= link_to "»", post_disapprovals_path(search: params[:search].merge(creator_name: post_disapproval.user&.name)) %>
+        <% end %>
+
         <p>
           <%= compact_time(post_disapproval.updated_at) %>
         </p>