From d84184b5f10ea337c7217b00c5dc9fd2a998d7b5 Mon Sep 17 00:00:00 2001
From: evazion
Date: Fri, 14 Oct 2016 04:40:48 +0000
Subject: [PATCH] Prevent anon/banned/member users from voting (fix #2719).

There was a regression in 6d6d00b; `before_filter :voter_only` was a no-op in the post vote controller because it merely returned false, which does not halt the request. The fix is to arrange for a voter_only method to be defined that properly redirects to the access denied page.
---
 app/controllers/application_controller.rb | 6 +++---
 app/controllers/post_votes_controller.rb | 6 ------
 app/models/user.rb | 14 ++++++++++++++
 3 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 19b6d6a05..36a81839d 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -133,9 +133,9 @@ protected
 end
 end
 
- %w(member banned builder gold platinum janitor moderator admin).each do |level|
- define_method("#{level}_only") do
- if !CurrentUser.user.is_banned_or_ip_banned? && CurrentUser.user.__send__("is_#{level}?")
+ User::Roles.each do |role|
+ define_method("#{role}_only") do
+ if !CurrentUser.user.is_banned_or_ip_banned? && CurrentUser.user.__send__("is_#{role}?")
 true
 else
 access_denied()
diff --git a/app/controllers/post_votes_controller.rb b/app/controllers/post_votes_controller.rb
index e4c8071fa..b94cf8bb1 100644
--- a/app/controllers/post_votes_controller.rb
+++ b/app/controllers/post_votes_controller.rb
@@ -14,10 +14,4 @@ class PostVotesController < ApplicationController
 rescue PostVote::Error => x
 @error = x
 end
-
-protected
-
- def voter_only
- CurrentUser.is_voter?
- end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index c3df8269a..a1eb4b248 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
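Review bot: The `#{role}_only` filters generated here resolve `is_#{role}?` through `__send__` only when the filter runs, so any entry of `User::Roles` without a matching predicate on `User` surfaces as a NoMethodError on the first protected request rather than at class load; the model comment demands the predicate, but only `is_blocked?` and `is_builder?` are visible in this patch, so the rest are presumably defined elsewhere. A definition-time check makes that contract explicit, e.g. `raise NameError, "User#is_#{role}? missing for #{role}_only" unless User.method_defined?("is_#{role}?")` as the first line of the `each` block, assuming the predicates are defined when the controller class loads. Note also that `User::Roles` still contains `:banned`, so the generated `banned_only` can never pass the `!is_banned_or_ip_banned?` guard on the following line; that is carried over from the old literal list, but a comment saying it is intentional would help. The `each` block and the `define_method` body continue past the end of the hunk.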
@@ -16,6 +16,16 @@ class User < ActiveRecord::Base
 ADMIN = 50
 end
 
+ # Used for `before_filter :_only`. Must have a corresponding `is_?` method.
+ Roles = Levels.constants.map(&:downcase) + [
+ :anonymous,
+ :banned,
+ :approver,
+ :voter,
+ :super_voter,
+ :verified,
+ ]
+
 BOOLEAN_ATTRIBUTES = %w(
 is_banned
 has_mail
@@ -384,6 +394,10 @@ class User < ActiveRecord::Base
 true
 end
 
+ def is_blocked?
+ is_banned?
+ end
+
 def is_builder?
 level >= Levels::BUILDER
 end
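Review bot: `Roles` is left as a mutable Array constant (`Levels.constants.map(&:downcase) + [...]`), so anything can append to the list that drives the controller's generated `_only` access filters; freeze it: `Roles = (Levels.constants.map(&:downcase) + [` … `]).freeze`. The comment above it reads `before_filter :_only` and `is_?` as shown here, which looks like a role placeholder was dropped (possibly in rendering); if the source really reads that way, `before_filter :<role>_only` / `is_<role>?` says what is meant. Since every entry produces a filter that calls `is_<role>?` on the user, the comment should also say the predicate must be public; and `:banned` in the list yields a `banned_only` filter that the controller's banned check always denies. The `Levels` module and `BOOLEAN_ATTRIBUTES` list start and continue outside the hunk.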
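Review bot: `is_blocked?` is added as a bare synonym for `is_banned?` with no comment and no caller visible in this patch, and `:blocked` is not in `Roles`, so no `blocked_only` filter is generated from it; it is unclear whether it is meant for that list or for another caller. If it is a pure alias, `alias_method :is_blocked?, :is_banned?` states that directly, and a one-line comment such as `# Alias of is_banned?; TODO: document why a separate name is needed` records the intent for the next reader. The enclosing class body continues outside the hunk.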