danbooru/app/policies/application_policy.rb
evazion adba70a0de api: make IP addresses in the API.
Make the following fields visible in API responses:

* ip_bans.ip_addr
* ip_geolocations.ip_addr
* ip_geolocations.network
* users.last_ip_addr (mod only)
* user_sessions.ip_addr
* api_keys.last_ip_address
* api_keys.permitted_ip_addresses

Before, IP addresses were globally hidden in API responses because IPs were
present in a lot of tables and we didn't want to accidentally leak them.
Now that we've gotten rid of IPs from most tables, it's safe to unhide them.
2022-09-24 03:48:45 -05:00


# frozen_string_literal: true

class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def index?
    true
  end

  def show?
    index?
  end

  def search?
    index?
  end

  def new?
    create?
  end

  def create?
    unbanned?
  end

  def edit?
    update?
  end

  def update?
    unbanned?
  end

  def destroy?
    update?
  end

  def unbanned?
    user.is_member? && !user.is_banned? && !user.is_restricted?
  end

  def policy(object)
    Pundit.policy!(user, object)
  end

  def permitted_attributes
    []
  end

  def permitted_attributes_for_create
    permitted_attributes
  end

  def permitted_attributes_for_update
    permitted_attributes
  end

  def permitted_attributes_for_new
    permitted_attributes_for_create
  end

  def permitted_attributes_for_edit
    permitted_attributes_for_update
  end

  # When a user performs a search, this method is used to filter out results
  # that are hidden from the user based on what they're searching for. For
  # example, if a user searches for post flags by flagger name, they can see
  # their own flags, and if they're a moderator they can see flags on other
  # users' uploads, but they can't see flags on their own uploads.
  #
  # @param relation [ActiveRecord::Relation] The current search.
  # @param attribute [Symbol] The name of the attribute being searched by the user.
  #
  # @see ApplicationRecord#search
  # @see app/logical/concerns/searchable.rb
  def visible_for_search(relation, attribute = nil)
    relation
  end

  # The list of attributes that are permitted to be returned by the API.
  def api_attributes
    record.class.column_names.map(&:to_sym)
  end

  # The list of attributes that are permitted to be used as data-* attributes
  # in tables and in the <body> tag on show pages.
  def html_data_attributes
    data_attributes = record.class.columns.select do |column|
      column.type.in?(%i[integer boolean datetime float uuid interval]) && !column.array?
    end.map(&:name).map(&:to_sym)

    api_attributes & data_attributes
  end
end
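The commit message says `users.last_ip_addr` is exposed to moderators only, and the base class above makes every column API-visible by default, so the restriction has to come from a subclass narrowing `api_attributes`. The following is an added, self-contained sketch of that pattern (not Danbooru's own code): the `FakeUserRecord` and `Viewer` stand-ins, the `is_moderator?` predicate and the `api_response` helper are assumptions made for this example, and the record values are constructed.

```ruby
# Added example, not Danbooru's code. Shows how a policy subclass removes a
# sensitive column (users.last_ip_addr) from the API allowlist unless the
# viewing user is a moderator, and how a serializer applies that allowlist.

# Constructed stand-in for an ActiveRecord model class; only column_names
# and a plain attributes hash matter here.
class FakeUserRecord
  def self.column_names
    %w[id name level last_ip_addr created_at]
  end

  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end
end

# Constructed stand-in for the viewing user (assumed predicate is_moderator?).
Viewer = Struct.new(:moderator) do
  def is_moderator?
    moderator
  end
end

class ExamplePolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # Default allowlist: every column, mirroring ApplicationPolicy#api_attributes.
  def api_attributes
    record.class.column_names.map(&:to_sym)
  end
end

class ExampleUserPolicy < ExamplePolicy
  # Drop the IP column from the allowlist for everyone except moderators.
  def api_attributes
    attrs = super
    user.is_moderator? ? attrs : attrs - [:last_ip_addr]
  end
end

# Serialize a record for the API, keeping only policy-permitted attributes
# (Hash#slice preserves the order of the allowlist).
def api_response(policy)
  policy.record.attributes.slice(*policy.api_attributes)
end

SAMPLE_USER = FakeUserRecord.new(id: 1, name: "alice", level: 20,
                                 last_ip_addr: "203.0.113.7", created_at: "2022-09-24")
```

Running `api_response(ExampleUserPolicy.new(Viewer.new(false), SAMPLE_USER))` yields the record without `:last_ip_addr`, while a `Viewer.new(true)` policy includes it.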