jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
a442658f8af02d8cae70b66ebbaeecbff5594e4b
danbooru/app/policies/comment_policy.rb
evazion a442658f8a Fix #5237: Deleted comments can be viewed by other users 
* Fix it so non-moderators can't search deleted comments using the
  `updater`, `body`, `score`, `do_not_bump_post`, or `is_sticky` fields.
  Searching for these fields will exclude deleted comments.

* Fix it so non-moderators can search for their own deleted comments using the
  `creator` field, but not for deleted comments belonging to other users.

* Fix it so that if a regular user searches `commenter:<username>`, they
  can only see posts with undeleted comments by that user. If a moderator or
  the commenter themselves searches `commenter:<username>`, they can see all
  posts the user has commented on, including posts with deleted comments.

* Fix it so the comment count on user profiles only counts visible
  comments. Regular users can only see the number of undeleted comments
  a user has, while moderators and the commenter themselves can see the
  total number of comments.

Known issue:

* It's still possible to order deleted comments by score, which can let
  you infer the score of deleted comments.
2022-09-22 19:17:33 -05:00

59 lines
1.4 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
class CommentPolicy < ApplicationPolicy
def create?
unbanned?
end
def update?
unbanned? && (user.is_moderator? || (record.updater_id == user.id && !record.is_deleted?))
end
def reportable?
unbanned? && record.creator_id != user.id && !record.creator.is_moderator? && !record.is_deleted? && record.created_at.after?(1.year.ago)
end
def can_sticky_comment?
user.is_moderator?
end
def can_see_deleted?
user.is_moderator?
end
def can_see_creator?
!record.is_deleted? || can_see_deleted?
end
def reply?
!record.is_deleted?
end
def permitted_attributes_for_create
[:body, :post_id, :do_not_bump_post, (:is_sticky if can_sticky_comment?)].compact
end
def permitted_attributes_for_update
[:body, :is_deleted, (:is_sticky if can_sticky_comment?)].compact
end
def api_attributes
attributes = super
attributes -= [:creator_id, :updater_id, :body] if record.is_deleted? && !can_see_deleted?
attributes
end
def visible_for_search(comments, attribute)
case attribute
in :creator | :creator_id if !can_see_deleted?
comments.where(creator: user, is_deleted: true).or(comments.undeleted)
in :updater | :updater_id | :body | :score | :do_not_bump_post | :is_sticky if !can_see_deleted?
comments.undeleted
else
comments
end
end
alias_method :undelete?, :update?
end
Reference in New Issue View Git Blame Copy Permalink