jobs: hide job arguments and errors from non-admins.

These can sometimes contain sensitive information, such as IP addresses
or what files a user is trying to upload.

app/policies/background_job_policy.rb

@@ -9,8 +9,18 @@ class BackgroundJobPolicy < ApplicationPolicy
     user.is_admin?
   end
 
+  def can_see_params?
+    user.is_admin?
+  end
+
   alias_method :cancel?, :update?
   alias_method :destroy?, :update?
   alias_method :retry?, :update?
   alias_method :run?, :update?
+
+  def api_attributes
+    attributes = super
+    attributes -= [:serialized_params] unless can_see_params?
+    attributes
+  end
 end

app/views/jobs/index.html.erb

@@ -14,11 +14,13 @@
       <% end %>
 
       <% t.column "Details", td: { class: "col-expand" } do |job| %>
-        <%= job.serialized_params["arguments"] %>
+        <% if policy(job).can_see_params? %>
+          <%= job.serialized_params["arguments"] %>
+        <% end %>
       <% end %>
 
       <% t.column "Error", td: { class: "col-expand" } do |job| %>
-        <% if job.error.present? %>
+        <% if policy(job).can_see_params? && job.error.present? %>
           <%= job.error %>
         <% end %>
       <% end %>