danbooru/app/policies/moderation_report_policy.rb
evazion b695c4ccb1 modreports: fix private user information leak in new modreport action.
Fix this:

    https://danbooru.donmai.us/moderation_reports/new.json?moderation_report[model_id]=52664&moderation_report[model_type]=User

raising an `undefined method `reportable?' for #<UserPolicy ...>`
exception, which contained the full user object in the error message,
which leaked private user information.
2022-02-06 14:39:08 -06:00

32 lines
497 B
Ruby

# frozen_string_literal: true

class ModerationReportPolicy < ApplicationPolicy
  def index?
    !user.is_anonymous?
  end

  def show?
    !user.is_anonymous?
  end

  # `try` returns nil when the model's policy does not define `reportable?`,
  # so such models are denied instead of raising NoMethodError.
  def create?
    unbanned? && policy(record.model).try(:reportable?)
  end

  def update?
    user.is_moderator?
  end

  def can_see_moderation_reports?
    user.is_moderator?
  end

  def permitted_attributes_for_create
    [:model_type, :model_id, :reason]
  end

  def permitted_attributes_for_update
    [:status]
  end
end
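
The failure mode described in the commit message and the guard used in `create?`, as an added stand-alone example (not Danbooru's code). All class and method names below are hypothetical stand-ins, `respond_to?` replaces ActiveSupport's `try` so it runs without Rails, and `public_error` is an assumed hardening step that is not shown on this page.

```ruby
# Constructed sample records; not real data.
User    = Struct.new(:name, :email)
Comment = Struct.new(:body)

class CommentPolicy
  def initialize(record)
    @record = record
  end

  def reportable?
    true
  end
end

# Like the UserPolicy in the commit message, this one defines no reportable?.
class UserPolicy
  def initialize(record)
    @record = record
  end
end

POLICIES = { Comment => CommentPolicy, User => UserPolicy }.freeze

def policy_for(model)
  POLICIES.fetch(model.class).new(model)
end

# Unguarded check: raises NoMethodError when the policy lacks reportable?.
def create_unguarded?(model)
  policy_for(model).reportable?
end

# Guarded check: a policy without reportable? is denied instead of raising.
def create_guarded?(model)
  policy = policy_for(model)
  policy.respond_to?(:reportable?) && policy.reportable?
end

# Assumed hardening: expose only the exception class to the client, never
# exception.message, which can embed an inspected object.
def public_error(exception)
  { success: false, error: exception.class.name }
end
```
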