Fix saved searces, news updates, ip bans being dumped to BigQuery.

Prevent saved searches, news updates, and ip bans from being publicly
dumped to BigQuery. They didn't override the `visible` method to
restrict their visibility for anonymous users.

app/controllers/forum_topic_visits_controller.rb

@@ -2,7 +2,7 @@ class ForumTopicVisitsController < ApplicationController
   respond_to :xml, :json
 
   def index
-    @forum_topic_visits = ForumTopicVisit.where(user: CurrentUser.user).paginated_search(params)
+    @forum_topic_visits = ForumTopicVisit.visible(CurrentUser.user).paginated_search(params)
     respond_with(@forum_topic_visits)
   end
 end

app/controllers/news_updates_controller.rb

@@ -1,9 +1,9 @@
 class NewsUpdatesController < ApplicationController
-  respond_to :html
+  respond_to :html, :json, :xml
 
   def index
     authorize NewsUpdate
-    @news_updates = NewsUpdate.order("id desc").paginate(params[:page], :limit => params[:limit])
+    @news_updates = NewsUpdate.visible(CurrentUser.user).paginated_search(params, count_pages: true)
     respond_with(@news_updates)
   end
 

app/controllers/saved_searches_controller.rb

@@ -2,7 +2,7 @@ class SavedSearchesController < ApplicationController
   respond_to :html, :xml, :json, :js
 
   def index
-    @saved_searches = authorize SavedSearch.where(user: CurrentUser.user).paginated_search(params, count_pages: true)
+    @saved_searches = authorize SavedSearch.visible(CurrentUser.user).paginated_search(params, count_pages: true)
     respond_with(@saved_searches)
   end
 

app/models/forum_topic_visit.rb

@@ -2,6 +2,14 @@ class ForumTopicVisit < ApplicationRecord
   belongs_to :user
   belongs_to :forum_topic
 
+  def self.visible(user)
+    if user.is_owner?
+      all
+    else
+      where(user: user)
+    end
+  end
+
   def self.prune!(user)
     where("user_id = ? and last_read_at < ?", user.id, user.last_forum_read_at).delete_all
   end

app/models/ip_ban.rb

@@ -12,6 +12,14 @@ class IpBan < ApplicationRecord
     partial: 100
   }, _suffix: "ban"
 
+  def self.visible(user)
+    if user.is_moderator?
+      all
+    else
+      none
+    end
+  end
+
   def self.ip_matches(ip_addr)
     where("ip_addr >>= ?", ip_addr)
   end

app/models/news_update.rb

@@ -2,4 +2,18 @@ class NewsUpdate < ApplicationRecord
   belongs_to :creator, class_name: "User"
   belongs_to_updater
   scope :recent, -> {where("created_at >= ?", 2.weeks.ago).order("created_at desc").limit(5)}
+
+  def self.visible(user)
+    if user.is_admin?
+      all
+    else
+      none
+    end
+  end
+
+  def self.search(params)
+    q = search_attributes(params, :id, :created_at, :updated_at, :message, :creator, :updater)
+    q = q.apply_default_order(params)
+    q
+  end
 end

app/models/saved_search.rb

@@ -14,6 +14,10 @@ class SavedSearch < ApplicationRecord
   scope :labeled, ->(label) { where_array_includes_any_lower(:labels, [normalize_label(label)]) }
   scope :has_tag, ->(name) { where_regex(:query, "(^| )[~-]?#{Regexp.escape(name)}( |$)", flags: "i") }
 
+  def self.visible(user)
+    where(user: user)
+  end
+
   concerning :Redis do
     extend Memoist