From ed79b623cc3f1d6b23c8363366498a957a5b6348 Mon Sep 17 00:00:00 2001
From: evazion
Date: Mon, 13 Jul 2020 18:58:40 -0500
Subject: [PATCH] Fix #4544: Show limited view of other user's uploads on the upload index.
* Show completed uploads to other users.
* Don't show failed or incomplete uploads to other users.
* Don't show tags to other users.
* Delete completed uploads after 1 hour.
* Delete incomplete uploads after 1 day.
* Delete failed uploads after 3 days.
---
 app/logical/danbooru_maintenance.rb | 2 +-
 app/models/upload.rb | 13 ++++++++-----
 app/policies/upload_policy.rb | 12 +++++++++++-
 app/views/uploads/index.html.erb | 10 ++++++----
 app/views/uploads/show.html.erb | 4 +++-
 test/unit/upload_service_test.rb | 3 ++-
 6 files changed, 31 insertions(+), 13 deletions(-)
diff --git a/app/logical/danbooru_maintenance.rb b/app/logical/danbooru_maintenance.rb
index d03339344..e12a12f51 100644
--- a/app/logical/danbooru_maintenance.rb
+++ b/app/logical/danbooru_maintenance.rb
@@ -2,11 +2,11 @@ module DanbooruMaintenance
 module_function
 def hourly
+ safely { Upload.prune! }
 end
 def daily
 safely { PostPruner.new.prune! }
- safely { Upload.prune! }
 safely { Delayed::Job.where('created_at < ?', 45.days.ago).delete_all }
 safely { PostDisapproval.prune! }
 safely { regenerate_post_counts! }
diff --git a/app/models/upload.rb b/app/models/upload.rb
index e7b2651fb..3d46380b7 100644
--- a/app/models/upload.rb
+++ b/app/models/upload.rb
@@ -75,6 +75,7 @@ class Upload < ApplicationRecord
 scope :pending, -> { where(status: "pending") }
 scope :preprocessed, -> { where(status: "preprocessed") }
+ scope :completed, -> { where(status: "completed") }
 scope :uploaded_by, ->(user_id) { where(uploader_id: user_id) }
 def initialize_attributes
@@ -83,17 +84,19 @@ class Upload < ApplicationRecord
 self.server = Socket.gethostname
 end
- def self.prune!(date = 1.day.ago)
- where("created_at < ?", date).lock.destroy_all
+ def self.prune!
+ completed.where("created_at < ?", 1.hour.ago).lock.destroy_all
+ preprocessed.where("created_at < ?", 1.day.ago).lock.destroy_all
+ where("created_at < ?", 3.days.ago).lock.destroy_all
 end
 def self.visible(user)
 if user.is_admin?
 all
 elsif user.is_member?
- where(uploader: user)
+ completed.or(where(uploader: user))
 else
- none
+ completed
 end
 end
@@ -108,7 +111,7 @@ class Upload < ApplicationRecord
 return
 end
- DanbooruLogger.info("Uploads: Deleting files for upload md5=#{md5}", upload: as_json)
+ DanbooruLogger.info("Uploads: Deleting files for upload md5=#{md5}")
 Danbooru.config.storage_manager.delete_file(nil, md5, file_ext, :original)
 Danbooru.config.storage_manager.delete_file(nil, md5, file_ext, :large)
 Danbooru.config.storage_manager.delete_file(nil, md5, file_ext, :preview)
diff --git a/app/policies/upload_policy.rb b/app/policies/upload_policy.rb
index 66b5d5ff1..a5c7f7211 100644
--- a/app/policies/upload_policy.rb
+++ b/app/policies/upload_policy.rb
@@ -1,6 +1,6 @@
 class UploadPolicy < ApplicationPolicy
 def show?
- user.is_admin? || record.uploader_id == user.id
+ record.is_completed? || user.is_admin? || record.uploader_id == user.id
 end
 def batch?
@@ -15,9 +15,19 @@ class UploadPolicy < ApplicationPolicy
 unbanned?
 end
+ def can_view_tags?
+ user.is_admin? || record.uploader_id == user.id
+ end
+
 def permitted_attributes
 %i[file source tag_string rating status parent_id artist_commentary_title artist_commentary_desc referer_url md5_confirmation as_pending translated_commentary_title translated_commentary_desc]
 end
+
+ def api_attributes
+ attributes = super
+ attributes -= [:tag_string] unless can_view_tags?
+ attributes
+ end
 end
diff --git a/app/views/uploads/index.html.erb b/app/views/uploads/index.html.erb
index 55e75beb2..eb4b63946 100644
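Review bot: The `else` branch of `Upload.visible` now returns `completed` where it used to return `none`, so every caller who is neither admin nor member (which, as far as this branch shows, includes logged-out visitors) can list completed uploads. `show?` in app/policies/upload_policy.rb is widened the same way by `record.is_completed?`. The commit message only speaks of "other users", so it is worth confirming that access without an account is intended; if it is not, keep `none` in the `else` branch. Either way a comment above `visible` would record the rule, for example `# Completed uploads are listed for everyone; pending and failed ones only for the uploader and admins.` The class body continues outside the hunk.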
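Review bot: `api_attributes` subtracts only `:tag_string` for viewers who fail `can_view_tags?`, so everything else `super` returns is now served to anyone the widened `show?` lets in. The model sets `server` from `Socket.gethostname`, and `permitted_attributes` just above lists `referer_url` and the commentary fields. Which of these `super` exposes is not visible here, so check the list and consider an explicit allow-list for non-owners rather than removing one field. If the index accepts search parameters on `tag_string`, hiding the column in the response would not stop a non-owner from inferring tags by filtering on them. The diffstat touches only test/unit/upload_service_test.rb, so a policy or controller test asserting that a non-uploader's JSON response lacks `tag_string` would pin the new rule.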
--- a/app/views/uploads/index.html.erb
+++ b/app/views/uploads/index.html.erb
@@ -44,10 +44,12 @@
<% end %> - - Tags - <%= TagSetPresenter.new(upload.tag_string.split).inline_tag_list_html %> - + <% if policy(upload).can_view_tags? %> + + Tags + <%= TagSetPresenter.new(upload.tag_string.split).inline_tag_list_html %> + + <% end %> <% end %> <% t.column "Uploader" do |upload| %> <%= link_to_user upload.uploader %> diff --git a/app/views/uploads/show.html.erb b/app/views/uploads/show.html.erb index 55057e47b..e5392dbc0 100644 --- a/app/views/uploads/show.html.erb +++ b/app/views/uploads/show.html.erb @@ -5,7 +5,9 @@