Refactor models so that we define attribute API permissions in policy files instead of directly in models. This is cleaner because a) permissions are better handled by policies and b) which attributes are visible to the API is an API-level concern that models shouldn't have to care about. This fixes an issue with not being able to precompile CSS/JS assets unless the database was up and running. This was a problem when building Docker images because we don't have a database at build time. We needed the database because `api_attributes` was a class-level macro in some places, which meant it ran at boot time, but this triggered a database call because api_attributes used database introspection to get the list of allowed API attributes.
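class UserPolicy < ApplicationPolicy
  # Anyone may register an account unless the request looks like a
  # sockpuppet of a recently created account (see #sockpuppet?).
  def create?
    !sockpuppet?
  end

  # A user may edit their own account; admins may edit any account.
  def update?
    record.id == user.id || user.is_admin?
  end

  # Only moderators may promote.
  def promote?
    user.is_moderator?
  end

  def upgrade?
    user.is_member?
  end

  # User records are never reportable through this policy.
  def reportable?
    false
  end

  def fix_counts?
    user.is_member?
  end

  # Favorites are visible to admins, to the owner, and to everyone else
  # unless the owner has turned on private favorites.
  def can_see_favorites?
    user.is_admin? || record.id == user.id || !record.enable_private_favorites?
  end

  # True when another account was created from the requesting IP address
  # within the last day. Relies on `request` being exposed by
  # ApplicationPolicy (not visible here). `request.remote_ip` is only as
  # trustworthy as the app's trusted-proxy configuration; if forwarded
  # headers are accepted from arbitrary clients this check is bypassable,
  # so it is a heuristic rather than a hard control.
  def sockpuppet?
    User.where(last_ip_addr: request.remote_ip).where("created_at > ?", 1.day.ago).exists?
  end

  # Strong-parameter whitelist for account creation.
  def permitted_attributes_for_create
    [:name, :password, :password_confirmation, { email_address_attributes: [:address] }]
  end

  # Strong-parameter whitelist for account updates. `:level` is appended
  # only for admins. The admin check uses the policy's own `user`, like
  # every other predicate in this class, rather than the thread-local
  # CurrentUser, so the decision depends solely on the user the policy
  # was constructed with.
  def permitted_attributes_for_update
    attributes = %i[
      comment_threshold default_image_size favorite_tags
      blacklisted_tags time_zone per_page custom_style theme
      receive_email_notifications always_resize_images
      enable_post_navigation new_post_navigation_layout
      enable_private_favorites enable_sequential_post_navigation
      hide_deleted_posts style_usernames enable_auto_complete
      show_deleted_children disable_categorized_saved_searches
      disable_tagged_filenames disable_cropped_thumbnails
      disable_mobile_gestures enable_safe_mode enable_desktop_mode
      disable_post_tooltips
    ]
    attributes << :level if user.is_admin?
    attributes
  end

  # Attributes exposed through the API for this user record. Everyone sees
  # the public subset; only the account owner additionally sees their own
  # settings and rate-limit state. Returns a fresh Array on every call.
  def api_attributes
    public_attributes = %i[
      id created_at name inviter_id level
      post_upload_count post_update_count note_update_count is_banned
      can_approve_posts can_upload_free level_string
    ]

    return public_attributes unless record.id == user.id

    public_attributes + User::BOOLEAN_ATTRIBUTES + %i[
      updated_at last_logged_in_at last_forum_read_at
      comment_threshold default_image_size
      favorite_tags blacklisted_tags time_zone per_page
      custom_style favorite_count api_regen_multiplier
      api_burst_limit remaining_api_limit statement_timeout
      favorite_group_limit favorite_limit tag_query_limit
      is_comment_limited?
      max_saved_searches theme
    ]
  end

  # `show?` and `edit?` are inherited from ApplicationPolicy (not visible here).
  alias_method :profile?, :show?
  alias_method :settings?, :edit?
end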