Fix #4544: Show limited view of other user's uploads on the upload index.

* Show completed uploads to other users. * Don't show failed or incomplete uploads to other users. * Don't show tags to other users. * Delete completed uploads after 1 hour. * Delete incomplete uploads after 1 day. * Delete failed uploads after 3 days.
2020-07-13 18:58:40 -05:00
parent 85f464df83
commit ed79b623cc
6 changed files with 31 additions and 13 deletions
--- a/app/logical/danbooru_maintenance.rb
+++ b/app/logical/danbooru_maintenance.rb
@@ -2,11 +2,11 @@ module DanbooruMaintenance
  module_function

  def hourly
+    safely { Upload.prune! }
  end

  def daily
    safely { PostPruner.new.prune! }
-    safely { Upload.prune! }
    safely { Delayed::Job.where('created_at < ?', 45.days.ago).delete_all }
    safely { PostDisapproval.prune! }
    safely { regenerate_post_counts! }
--- a/app/models/upload.rb
+++ b/app/models/upload.rb
@@ -75,6 +75,7 @@ class Upload < ApplicationRecord

  scope :pending, -> { where(status: "pending") }
  scope :preprocessed, -> { where(status: "preprocessed") }
+  scope :completed, -> { where(status: "completed") }
  scope :uploaded_by, ->(user_id) { where(uploader_id: user_id) }

  def initialize_attributes
@@ -83,17 +84,19 @@ class Upload < ApplicationRecord
    self.server = Socket.gethostname
  end

-  def self.prune!(date = 1.day.ago)
-    where("created_at < ?", date).lock.destroy_all
+  def self.prune!
+    completed.where("created_at < ?", 1.hour.ago).lock.destroy_all
+    preprocessed.where("created_at < ?", 1.day.ago).lock.destroy_all
+    where("created_at < ?", 3.days.ago).lock.destroy_all
  end

  def self.visible(user)
    if user.is_admin?
      all
    elsif user.is_member?
-      where(uploader: user)
+      completed.or(where(uploader: user))
    else
-      none
+      completed
    end
  end

@@ -108,7 +111,7 @@ class Upload < ApplicationRecord
        return
      end

-      DanbooruLogger.info("Uploads: Deleting files for upload md5=#{md5}", upload: as_json)
+      DanbooruLogger.info("Uploads: Deleting files for upload md5=#{md5}")
      Danbooru.config.storage_manager.delete_file(nil, md5, file_ext, :original)
      Danbooru.config.storage_manager.delete_file(nil, md5, file_ext, :large)
      Danbooru.config.storage_manager.delete_file(nil, md5, file_ext, :preview)
--- a/app/policies/upload_policy.rb
+++ b/app/policies/upload_policy.rb
@@ -1,6 +1,6 @@
 class UploadPolicy < ApplicationPolicy
  def show?
-    user.is_admin? || record.uploader_id == user.id
+    record.is_completed? || user.is_admin? || record.uploader_id == user.id
  end

  def batch?
@@ -15,9 +15,19 @@ class UploadPolicy < ApplicationPolicy
    unbanned?
  end

+  def can_view_tags?
+    user.is_admin? || record.uploader_id == user.id
+  end
+
  def permitted_attributes
    %i[file source tag_string rating status parent_id artist_commentary_title
       artist_commentary_desc referer_url
       md5_confirmation as_pending translated_commentary_title translated_commentary_desc]
  end
+
+  def api_attributes
+    attributes = super
+    attributes -= [:tag_string] unless can_view_tags?
+    attributes
+  end
 end
--- a/app/views/uploads/index.html.erb
+++ b/app/views/uploads/index.html.erb
@@ -44,10 +44,12 @@
          <br>
        <% end %>

-        <span class="info">
-          <strong>Tags</strong>
-          <%= TagSetPresenter.new(upload.tag_string.split).inline_tag_list_html %>
-        </span>
+        <% if policy(upload).can_view_tags? %>
+          <span class="info">
+            <strong>Tags</strong>
+            <%= TagSetPresenter.new(upload.tag_string.split).inline_tag_list_html %>
+          </span>
+        <% end %>
      <% end %>
      <% t.column "Uploader" do |upload| %>
        <%= link_to_user upload.uploader %>
--- a/app/views/uploads/show.html.erb
+++ b/app/views/uploads/show.html.erb
@@ -5,7 +5,9 @@
    <ul>
      <li>Date: <%= @upload.created_at %></li>
      <li>Source: <%= @upload.source %></li>
-      <li>Tags: <%= @upload.tag_string %></li>
+      <% if policy(@upload).can_view_tags? %>
+        <li>Tags: <%= @upload.tag_string %></li>
+      <% end %>
      <% if @upload.md5.present? %>
        <li>MD5: <%= @upload.md5 %>
      <% end %>
--- a/test/unit/upload_service_test.rb
+++ b/test/unit/upload_service_test.rb
@@ -947,8 +947,9 @@ class UploadServiceTest < ActiveSupport::TestCase

    should "delete stale upload records" do
      @upload = as(@user) { UploadService.new(file: upload_file("test/files/test.jpg")).start! }
+      @upload.update!(created_at: 1.month.ago)

-      assert_difference("Upload.count", -1) { Upload.prune!(0.seconds.ago) }
+      assert_difference("Upload.count", -1) { Upload.prune! }
    end

    should "delete unused files after deleting the upload" do