Fix saved searces, news updates, ip bans being dumped to BigQuery.

Prevent saved searches, news updates, and ip bans from being publicly dumped to BigQuery. They didn't override the `visible` method to restrict their visibility for anonymous users.
2021-03-10 02:25:56 -06:00
parent f235b72b3f
commit b169d60f64
7 changed files with 38 additions and 4 deletions
--- a/app/controllers/forum_topic_visits_controller.rb
+++ b/app/controllers/forum_topic_visits_controller.rb
@@ -2,7 +2,7 @@ class ForumTopicVisitsController < ApplicationController
  respond_to :xml, :json

  def index
-    @forum_topic_visits = ForumTopicVisit.where(user: CurrentUser.user).paginated_search(params)
+    @forum_topic_visits = ForumTopicVisit.visible(CurrentUser.user).paginated_search(params)
    respond_with(@forum_topic_visits)
  end
 end
--- a/app/controllers/news_updates_controller.rb
+++ b/app/controllers/news_updates_controller.rb
@@ -1,9 +1,9 @@
 class NewsUpdatesController < ApplicationController
-  respond_to :html
+  respond_to :html, :json, :xml

  def index
    authorize NewsUpdate
-    @news_updates = NewsUpdate.order("id desc").paginate(params[:page], :limit => params[:limit])
+    @news_updates = NewsUpdate.visible(CurrentUser.user).paginated_search(params, count_pages: true)
    respond_with(@news_updates)
  end

--- a/app/controllers/saved_searches_controller.rb
+++ b/app/controllers/saved_searches_controller.rb
@@ -2,7 +2,7 @@ class SavedSearchesController < ApplicationController
  respond_to :html, :xml, :json, :js

  def index
-    @saved_searches = authorize SavedSearch.where(user: CurrentUser.user).paginated_search(params, count_pages: true)
+    @saved_searches = authorize SavedSearch.visible(CurrentUser.user).paginated_search(params, count_pages: true)
    respond_with(@saved_searches)
  end

--- a/app/models/forum_topic_visit.rb
+++ b/app/models/forum_topic_visit.rb
@@ -2,6 +2,14 @@ class ForumTopicVisit < ApplicationRecord
  belongs_to :user
  belongs_to :forum_topic

+  def self.visible(user)
+    if user.is_owner?
+      all
+    else
+      where(user: user)
+    end
+  end
+
  def self.prune!(user)
    where("user_id = ? and last_read_at < ?", user.id, user.last_forum_read_at).delete_all
  end
--- a/app/models/ip_ban.rb
+++ b/app/models/ip_ban.rb
@@ -12,6 +12,14 @@ class IpBan < ApplicationRecord
    partial: 100
  }, _suffix: "ban"

+  def self.visible(user)
+    if user.is_moderator?
+      all
+    else
+      none
+    end
+  end
+
  def self.ip_matches(ip_addr)
    where("ip_addr >>= ?", ip_addr)
  end
--- a/app/models/news_update.rb
+++ b/app/models/news_update.rb
@@ -2,4 +2,18 @@ class NewsUpdate < ApplicationRecord
  belongs_to :creator, class_name: "User"
  belongs_to_updater
  scope :recent, -> {where("created_at >= ?", 2.weeks.ago).order("created_at desc").limit(5)}
+
+  def self.visible(user)
+    if user.is_admin?
+      all
+    else
+      none
+    end
+  end
+
+  def self.search(params)
+    q = search_attributes(params, :id, :created_at, :updated_at, :message, :creator, :updater)
+    q = q.apply_default_order(params)
+    q
+  end
 end
--- a/app/models/saved_search.rb
+++ b/app/models/saved_search.rb
@@ -14,6 +14,10 @@ class SavedSearch < ApplicationRecord
  scope :labeled, ->(label) { where_array_includes_any_lower(:labels, [normalize_label(label)]) }
  scope :has_tag, ->(name) { where_regex(:query, "(^| )[~-]?#{Regexp.escape(name)}( |$)", flags: "i") }

+  def self.visible(user)
+    where(user: user)
+  end
+
  concerning :Redis do
    extend Memoist