From f38910f0a22a44cba31e6e1f87c205fdda8c4721 Mon Sep 17 00:00:00 2001
From: evazion
Date: Tue, 4 Jan 2022 17:20:43 -0600
Subject: [PATCH] jobs: hide job arguments and errors from non-admins.

These can sometimes contain sensitive information, such as IP addresses or what files a user is trying to upload.
---
 app/policies/background_job_policy.rb | 10 ++++++++++
 app/views/jobs/index.html.erb | 6 ++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/app/policies/background_job_policy.rb b/app/policies/background_job_policy.rb
index 983ebcb1d..aaa61440d 100644
--- a/app/policies/background_job_policy.rb
+++ b/app/policies/background_job_policy.rb
@@ -9,8 +9,18 @@ class BackgroundJobPolicy < ApplicationPolicy
 user.is_admin?
 end
+ def can_see_params?
+ user.is_admin?
+ end
+
 alias_method :cancel?, :update?
 alias_method :destroy?, :update?
 alias_method :retry?, :update?
 alias_method :run?, :update?
+
+ def api_attributes
+ attributes = super
+ attributes -= [:serialized_params] unless can_see_params?
+ attributes end end
diff --git a/app/views/jobs/index.html.erb b/app/views/jobs/index.html.erb
index 060e42351..ef45b0942 100644
--- a/app/views/jobs/index.html.erb
+++ b/app/views/jobs/index.html.erb
@@ -14,11 +14,13 @@
 <% end %>
 <% t.column "Details", td: { class: "col-expand" } do |job| %>
- <%= job.serialized_params["arguments"] %>
+ <% if policy(job).can_see_params? %>
+ <%= job.serialized_params["arguments"] %>
+ <% end %>
 <% end %>
 <% t.column "Error", td: { class: "col-expand" } do |job| %>
- <% if job.error.present? %>
+ <% if policy(job).can_see_params? && job.error.present? %>
 <%= job.error %>
 <% end %>
 <% end %>
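Review bot: `api_attributes` strips only `:serialized_params`, but the commit title says errors are hidden too and the view hunk in app/views/jobs/index.html.erb gates `job.error` on the same predicate; if the attribute list returned by `super` includes `:error`, non-admins still receive the error text through the API even though the HTML view now hides it. Suggest `attributes -= [:serialized_params, :error] unless can_see_params?` so both surfaces agree. The name `can_see_params?` also undersells what it now controls; a one-line comment such as `# Admin-only: serialized_params and error may carry IPs, filenames or other user data.` would keep the intent visible next to the check. The class body starts before the hunk, so the method that the first `user.is_admin?` belongs to (presumably `update?`, given the aliases) is not visible here.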
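Review bot: `policy(job).can_see_params?` depends only on the current user (the policy hunk returns `user.is_admin?` without looking at the record), yet it is re-evaluated inside both column blocks for every row; evaluating the predicate once before the table into a local and reusing it in the two `if` lines would make the per-row blocks cheaper and make clear that the gate is per-user, not per-job. Separately, a non-admin now gets an empty Error cell for a job that failed, so unless another column already conveys failure status they lose the signal that anything went wrong; rendering a neutral fixed marker in the hidden case would preserve that without exposing the message. The table block the columns belong to starts outside the hunk.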