From b695c4ccb1bfbd379544433af76f09fd514887ee Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 6 Feb 2022 14:39:08 -0600
Subject: [PATCH] modreports: fix private user information leak in new modreport action.

Fix this: https://danbooru.donmai.us/moderation_reports/new.json?moderation_report[model_id]=52664&moderation_report[model_type]=User raising an `undefined method `reportable?' for #` exception, which contained the full user object in the error message, which leaked private user information.

---
 app/policies/moderation_report_policy.rb | 2 +-
 test/functional/moderation_reports_controller_test.rb | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/app/policies/moderation_report_policy.rb b/app/policies/moderation_report_policy.rb
index 5169e69fc..9202e74d8 100644
--- a/app/policies/moderation_report_policy.rb
+++ b/app/policies/moderation_report_policy.rb
@@ -10,7 +10,7 @@ class ModerationReportPolicy < ApplicationPolicy
   end
 
   def create?
-    unbanned? && policy(record.model).reportable?
+    unbanned? && policy(record.model).try(:reportable?)
   end
 
   def update?
diff --git a/test/functional/moderation_reports_controller_test.rb b/test/functional/moderation_reports_controller_test.rb
index 509cda989..830d8f923 100644
--- a/test/functional/moderation_reports_controller_test.rb
+++ b/test/functional/moderation_reports_controller_test.rb
@@ -24,6 +24,12 @@ class ModerationReportsControllerTest < ActionDispatch::IntegrationTest
       get_auth new_moderation_report_path, @user, params: {:moderation_report => {:model_id => @comment.id, :model_type => "Comment"}}
       assert_response :success
     end
+
+    should "not raise an exception when given an invalid model" do
+      @user = create(:user)
+      get_auth new_moderation_report_path(moderation_report: { model_type: "User", model_id: @user.id }), @user
+      assert_response 403
+    end
   end
 
   context "index action" do
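Review bot: The `try(:reportable?)` on the `+` line of `create?` only closes the NoMethodError path; if `policy(record.model)` itself raises — for instance when `record.model` is nil because no row matches the supplied `model_id`, or when no policy class exists for the given `model_type` — that exception would presumably still reach the same error renderer that echoed the user object, which cannot be confirmed from this hunk. The intent is also easy to misread as defensive noise later, so a why-comment is worth adding above the line: `# Non-reportable models (e.g. User) have no reportable? on their policy; deny instead of raising, since the raised message inspected the record.` An explicit `respond_to?(:reportable?)` check reads the same and makes the denial deliberate rather than incidental. The enclosing class continues outside the hunk.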
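Review bot: The added `should "not raise an exception when given an invalid model"` block asserts only the 403 status, but the regression being fixed is private data appearing in the response body, so the test should also pin that, e.g. `assert_not_includes response.body, <PRIVATE_USER_FIELD_VALUE>` using a field the fixture sets. It would also be worth a sibling case with a `model_id` that matches no row, since the commit message's trigger was a user-supplied id and the test only exercises an existing record. Reassigning `@user` inside the block shadows whatever the enclosing `setup` provided, which is fine here but reads as accidental; a local name would be clearer.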