From be59e85d255265d42be1214b8b166638345ae51d Mon Sep 17 00:00:00 2001
From: evazion
Date: Wed, 18 Mar 2020 01:43:04 -0500
Subject: [PATCH] pundit: convert ip addresses to pundit.
---
 app/controllers/ip_addresses_controller.rb | 3 +--
 app/controllers/moderator/ip_addrs_controller.rb | 2 +-
 app/policies/ip_address_policy.rb | 5 +++++
 app/views/users/_statistics.html.erb | 2 +-
 test/functional/ip_addresses_controller_test.rb | 5 +++++
 5 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 app/policies/ip_address_policy.rb
diff --git a/app/controllers/ip_addresses_controller.rb b/app/controllers/ip_addresses_controller.rb
index d111f7946..357b32b58 100644
--- a/app/controllers/ip_addresses_controller.rb
+++ b/app/controllers/ip_addresses_controller.rb
@@ -1,9 +1,8 @@
 class IpAddressesController < ApplicationController
 respond_to :html, :xml, :json
- before_action :moderator_only
 def index
- @ip_addresses = IpAddress.visible(CurrentUser.user).paginated_search(params)
+ @ip_addresses = authorize IpAddress.visible(CurrentUser.user).paginated_search(params)
 if search_params[:group_by] == "ip_addr"
 @ip_addresses = @ip_addresses.group_by_ip_addr(search_params[:ipv4_masklen], search_params[:ipv6_masklen])
diff --git a/app/controllers/moderator/ip_addrs_controller.rb b/app/controllers/moderator/ip_addrs_controller.rb
index 26f36d1ef..544d53040 100644
--- a/app/controllers/moderator/ip_addrs_controller.rb
+++ b/app/controllers/moderator/ip_addrs_controller.rb
@@ -1,9 +1,9 @@
 module Moderator
 class IpAddrsController < ApplicationController
- before_action :moderator_only
 respond_to :html, :json
 def index
+ authorize IpAddress
 @search = IpAddrSearch.new(params[:search])
 @results = @search.execute
 respond_with(@results)
diff --git a/app/policies/ip_address_policy.rb b/app/policies/ip_address_policy.rb
new file mode 100644
index 000000000..4e30e78e2
--- /dev/null
+++ b/app/policies/ip_address_policy.rb
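Review bot: With `before_action :moderator_only` removed from `IpAddressesController`, the moderator check is enforced only because `index` itself calls `authorize`. An action added later that omits the call would be reachable by any user, where the old filter covered every action in the class. The same holds for `Moderator::IpAddrsController#index` in the next hunk, which now relies on `authorize IpAddress`. If `ApplicationController` (not part of this patch) does not already declare it, `after_action :verify_authorized` would make a forgotten `authorize` raise instead of leaving the endpoint open. The body of `index` continues past the end of the hunk.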
@@ -0,0 +1,5 @@
+class IpAddressPolicy < ApplicationPolicy
+ def index?
+ user.is_moderator?
+ end
+end
diff --git a/app/views/users/_statistics.html.erb b/app/views/users/_statistics.html.erb
index da98d877d..8a96ba485 100644
--- a/app/views/users/_statistics.html.erb
+++ b/app/views/users/_statistics.html.erb
@@ -10,7 +10,7 @@ Join Date <%= presenter.join_date %>
- <% if CurrentUser.is_moderator? %>
+ <% if policy(IpAddress).show? %>
 Last IP
diff --git a/test/functional/ip_addresses_controller_test.rb b/test/functional/ip_addresses_controller_test.rb
index 54d1548fb..c70d9509a 100644
--- a/test/functional/ip_addresses_controller_test.rb
+++ b/test/functional/ip_addresses_controller_test.rb
@@ -34,6 +34,11 @@ class IpAddressesControllerTest < ActionDispatch::IntegrationTest
 get_auth ip_addresses_path(search: { user_id: @user.id, group_by: "ip_addr" }), @mod
 assert_response :success
 end
+
+ should "not allow non-moderators to view IP addresses" do
+ get_auth ip_addresses_path, @user
+ assert_response 403
+ end
 end
 end
 end
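Review bot: The view gates the Last IP row on `policy(IpAddress).show?`, but the `IpAddressPolicy` added in this commit defines only `index?`. Whether the row stays hidden from non-moderators therefore depends on what `ApplicationPolicy#show?` returns, which is not visible in this patch. A permissive inherited default would expose users' last IP address on their profile page. Either test `policy(IpAddress).index?` here, or add an explicit `def show?` to `IpAddressPolicy` that returns `user.is_moderator?`, so the check does not rest on a base-class default.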
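Review bot: The added negative test covers only `ip_addresses_path`, although this commit swaps the access check in three places. `Moderator::IpAddrsController#index` and the Last IP row in `users/_statistics.html.erb` get no non-moderator case in this patch; they may be covered in test files not shown. A sibling case asserting `assert_response 403` for the moderator route, plus a profile-page check that the row is absent when rendered for `@user`, would catch a regression in either. Given that the view calls `show?` while the policy defines only `index?`, the profile-page case is the one most worth adding.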