From 9ef80d7344842a8f198ec52cd28d405b9fab8914 Mon Sep 17 00:00:00 2001 From: evazion Date: Sun, 16 Feb 2020 20:25:01 -0600 Subject: [PATCH] post_disapprovals/index: don't show usernames to other users. * Don't show who disapproved the post to other users. Only show the creator to mods or to the disapprover themselves. * Let unprivileged users see the /post_disapprovals index. --- app/controllers/post_disapprovals_controller.rb | 2 +- app/models/post_disapproval.rb | 16 ++++++++++------ app/views/post_disapprovals/index.html.erb | 7 +++++-- 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/app/controllers/post_disapprovals_controller.rb b/app/controllers/post_disapprovals_controller.rb index ae6ea8947..747f3ad31 100644 --- a/app/controllers/post_disapprovals_controller.rb +++ b/app/controllers/post_disapprovals_controller.rb @@ -1,5 +1,5 @@ class PostDisapprovalsController < ApplicationController - before_action :approver_only + before_action :approver_only, only: [:create] skip_before_action :api_check respond_to :js, :html, :json, :xml diff --git a/app/models/post_disapproval.rb b/app/models/post_disapproval.rb index d1a2887b4..76540365a 100644 --- a/app/models/post_disapproval.rb +++ b/app/models/post_disapproval.rb @@ -39,12 +39,6 @@ class PostDisapproval < ApplicationRecord end end - def create_downvote - if %w(breaks_rules poor_quality).include?(reason) - PostVote.create(:score => -1, :post_id => post_id) - end - end - concerning :SearchMethods do class_methods do def search(params) @@ -71,4 +65,14 @@ class PostDisapproval < ApplicationRecord def self.available_includes [:user, :post] end + + def can_view_creator?(user) + user.is_moderator? || user_id == user.id + end + + def api_attributes + attributes = super + attributes -= [:creator_id] unless can_view_creator?(CurrentUser.user) + attributes + end end diff --git a/app/views/post_disapprovals/index.html.erb b/app/views/post_disapprovals/index.html.erb index 813edf960..d878024da 100644 
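Review bot: Limiting `approver_only` to `only: [:create]` opens `index` to every user, but this commit does not narrow the filters that `PostDisapproval.search` accepts. The index view builds links with `search[creator_name]`, so if `search` still honours creator filters for non-moderators, a user can work out who disapproved a post from which filter values return the row, even though the name column is hidden. The body of `search` is outside the visible hunks, so this needs confirming; if it does filter on the creator, ignore those parameters unless the viewer is a moderator or is filtering on their own account. A controller test should assert that an unprivileged user's `creator_name` search does not narrow results to someone else's disapprovals.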
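Review bot: In the `@@ -71,4 +65,14 @@` hunk, `api_attributes` subtracts `:creator_id`, but `can_view_creator?` just above reads the owner from `user_id` and `available_includes` lists `:user`. The serialized attribute is therefore probably `user_id`, in which case the subtraction removes nothing and the now-public index still exposes the disapprover through JSON/XML. If that is right, filter the real key with `attributes -= [:user_id] unless can_view_creator?(CurrentUser.user)`, and check that the `:user` include cannot be requested by a viewer who fails the same check. A test fetching the JSON index as a non-moderator and asserting that no user identifier is present on other users' records would pin this down. The class body starts outside the hunk, so the column name should be confirmed against the schema.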
--- a/app/views/post_disapprovals/index.html.erb +++ b/app/views/post_disapprovals/index.html.erb @@ -27,8 +27,11 @@ <%= link_to post_disapproval.reason.humanize, post_disapprovals_path(search: params[:search].merge(reason: post_disapproval.reason)) %> <% end %> <% t.column "Created" do |post_disapproval| %> - <%= link_to_user post_disapproval.user %> - <%= link_to "»", post_disapprovals_path(search: params[:search].merge(creator_name: post_disapproval.user&.name)) %> + <% if post_disapproval.can_view_creator?(CurrentUser.user) %> + <%= link_to_user post_disapproval.user %> + <%= link_to "»", post_disapprovals_path(search: params[:search].merge(creator_name: post_disapproval.user&.name)) %> + <% end %> +

<%= compact_time(post_disapproval.updated_at) %>