jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #3433 from BrokenEagle/fix-fav-privacy

Browse Source 
Fix incorrect showing of favorites and favorite groups with privacy settings enabled
This commit is contained in:
Albert Yi
2017-12-18 14:58:54 -08:00
committed by GitHub
parent fb6d692c37 3b1fdc8cde
commit f5cb49d9bf
4 changed files with 44 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
app/controllers/favorite_groups_controller.rb
View File

@@ -13,6 +13,7 @@ class FavoriteGroupsController < ApplicationController
def show def show
@favorite_group = FavoriteGroup.find(params[:id]) @favorite_group = FavoriteGroup.find(params[:id])
check_read_privilege(@favorite_group)
@post_set = PostSets::FavoriteGroup.new(@favorite_group, params[:page]) @post_set = PostSets::FavoriteGroup.new(@favorite_group, params[:page])
respond_with(@favorite_group) respond_with(@favorite_group)
end end
@@ -37,13 +38,13 @@ class FavoriteGroupsController < ApplicationController
def edit def edit
@favorite_group = FavoriteGroup.find(params[:id]) @favorite_group = FavoriteGroup.find(params[:id])
check_privilege(@favorite_group) check_write_privilege(@favorite_group)
respond_with(@favorite_group) respond_with(@favorite_group)
end end
def update def update
@favorite_group = FavoriteGroup.find(params[:id]) @favorite_group = FavoriteGroup.find(params[:id])
check_privilege(@favorite_group) check_write_privilege(@favorite_group)
@favorite_group.update_attributes(params[:favorite_group]) @favorite_group.update_attributes(params[:favorite_group])
unless @favorite_group.errors.any? unless @favorite_group.errors.any?
flash[:notice] = "Favorite group updated" flash[:notice] = "Favorite group updated"
@@ -53,7 +54,7 @@ class FavoriteGroupsController < ApplicationController
def destroy def destroy
@favorite_group = FavoriteGroup.find(params[:id]) @favorite_group = FavoriteGroup.find(params[:id])
check_privilege(@favorite_group) check_write_privilege(@favorite_group)
@favorite_group.destroy @favorite_group.destroy
flash[:notice] = "Favorite group deleted" flash[:notice] = "Favorite group deleted"
redirect_to favorite_groups_path redirect_to favorite_groups_path
@@ -61,13 +62,17 @@ class FavoriteGroupsController < ApplicationController
def add_post def add_post
@favorite_group = FavoriteGroup.find(params[:id]) @favorite_group = FavoriteGroup.find(params[:id])
check_privilege(@favorite_group) check_write_privilege(@favorite_group)
@post = Post.find(params[:post_id]) @post = Post.find(params[:post_id])
@favorite_group.add!(@post.id) @favorite_group.add!(@post.id)
end end
private private
def check_privilege(favgroup) def check_write_privilege(favgroup)
raise User::PrivilegeError unless favgroup.editable_by?(CurrentUser.user) raise User::PrivilegeError unless favgroup.editable_by?(CurrentUser.user)
end end
def check_read_privilege(favgroup)
raise User::PrivilegeError unless favgroup.viewable_by?(CurrentUser.user)
end
end end

6
app/logical/post_query_builder.rb
View File

@@ -400,12 +400,6 @@ class PostQueryBuilder
if q[:ordfav].present? if q[:ordfav].present?
user_id = q[:ordfav].to_i user_id = q[:ordfav].to_i
user = User.find(user_id)
if user.hide_favorites?
raise User::PrivilegeError.new
end
relation = relation.joins("INNER JOIN favorites ON favorites.post_id = posts.id") relation = relation.joins("INNER JOIN favorites ON favorites.post_id = posts.id")
relation = relation.where("favorites.user_id % 100 = ? and favorites.user_id = ?", user_id % 100, user_id).order("favorites.id DESC") relation = relation.where("favorites.user_id % 100 = ? and favorites.user_id = ?", user_id % 100, user_id).order("favorites.id DESC")
end end

4
app/models/favorite_group.rb
View File

@@ -241,4 +241,8 @@ class FavoriteGroup < ApplicationRecord
def editable_by?(user) def editable_by?(user)
creator_id == user.id creator_id == user.id
end end
def viewable_by?(user)
creator_id == user.id || !creator.hide_favorites?
end
end end

30
app/models/tag.rb
View File

@@ -609,22 +609,52 @@ class Tag < ApplicationRecord
when "-favgroup" when "-favgroup"
favgroup_id = FavoriteGroup.name_to_id(g2) favgroup_id = FavoriteGroup.name_to_id(g2)
favgroup = FavoriteGroup.find(favgroup_id)
if !favgroup.viewable_by?(CurrentUser.user)
raise User::PrivilegeError.new
end
q[:favgroups_neg] ||= [] q[:favgroups_neg] ||= []
q[:favgroups_neg] << favgroup_id q[:favgroups_neg] << favgroup_id
when "favgroup" when "favgroup"
favgroup_id = FavoriteGroup.name_to_id(g2) favgroup_id = FavoriteGroup.name_to_id(g2)
favgroup = FavoriteGroup.find(favgroup_id)
if !favgroup.viewable_by?(CurrentUser.user)
raise User::PrivilegeError.new
end
q[:favgroups] ||= [] q[:favgroups] ||= []
q[:favgroups] << favgroup_id q[:favgroups] << favgroup_id
when "-fav" when "-fav"
favuser = User.find_by_name(g2)
if favuser.hide_favorites?
raise User::PrivilegeError.new
end
q[:tags][:exclude] << "fav:#{User.name_to_id(g2)}" q[:tags][:exclude] << "fav:#{User.name_to_id(g2)}"
when "fav" when "fav"
favuser = User.find_by_name(g2)
if favuser.hide_favorites?
raise User::PrivilegeError.new
end
q[:tags][:related] << "fav:#{User.name_to_id(g2)}" q[:tags][:related] << "fav:#{User.name_to_id(g2)}"
when "ordfav" when "ordfav"
user_id = User.name_to_id(g2) user_id = User.name_to_id(g2)
favuser = User.find(user_id)
if favuser.hide_favorites?
raise User::PrivilegeError.new
end
q[:tags][:related] << "fav:#{user_id}" q[:tags][:related] << "fav:#{user_id}"
q[:ordfav] = user_id q[:ordfav] = user_id