searchable: add framework for defining user search permissions.

Add a `visible_for_search` method to ApplicationPolicy that lets us define which fields a user is allowed to search for. For example, when a normal user searches for post flags by flagger name, they're only allowed to see their own flags, not flags by other users. But when a mod searches for flags by flagger name, they're allowed to see all flags, except for flags on their own uploads. This framework lets us define these rules in the `visible_for_search` method in the model's policy class, rather than as special cases in the `search` method of each model.
2022-09-21 15:53:04 -05:00
parent 6a9a679149
commit a35f49e905
8 changed files with 107 additions and 59 deletions
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
@@ -68,6 +68,21 @@ class ApplicationPolicy
    permitted_attributes_for_update
  end

+  # When a user performs a search, this method is used to filter out results
+  # that are hidden from the user based on what they're searching for. For
+  # example, if a user searches for post flags by flagger name, they can see
+  # their own flags, and if they're a moderator they can see flags on other
+  # users' uploads, but they can't see flags on their own uploads.
+  #
+  # @param relation [ActiveRecord::Relation] The current search.
+  # @param attribute [Symbol] The name of the attribute being searched by the user.
+  #
+  # @see ApplicationRecord#search
+  # @see app/logical/concerns/searchable.rb
+  def visible_for_search(relation, attribute = nil)
+    relation
+  end
+
  # The list of attributes that are permitted to be returned by the API.
  def api_attributes
    # XXX allow inet
--- a/app/policies/artist_commentary_version_policy.rb
+++ b/app/policies/artist_commentary_version_policy.rb
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class ArtistCommentaryVersionPolicy < ApplicationPolicy
+end
--- a/app/policies/artist_url_policy.rb
+++ b/app/policies/artist_url_policy.rb
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class ArtistURLPolicy < ApplicationPolicy
+end
--- a/app/policies/dtext_link_policy.rb
+++ b/app/policies/dtext_link_policy.rb
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class DtextLinkPolicy < ApplicationPolicy
+end
--- a/app/policies/note_version_policy.rb
+++ b/app/policies/note_version_policy.rb
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class NoteVersionPolicy < ApplicationPolicy
+end
--- a/app/policies/pool_version_policy.rb
+++ b/app/policies/pool_version_policy.rb
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class PoolVersionPolicy < ApplicationPolicy
+end
--- a/app/policies/wiki_page_version_policy.rb
+++ b/app/policies/wiki_page_version_policy.rb
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class WikiPageVersionPolicy < ApplicationPolicy
+end