From 93434be16d28ab12b538a0407ae2f1cb1835fa50 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 7 Feb 2014 14:11:52 +1100
Subject: [PATCH] SECURITY: reduce moderator rights
You can now hide particular categories from certain moderators
---
 app/controllers/admin/flags_controller.rb | 2 +-
 app/models/user.rb | 2 +-
 app/models/user_action.rb | 2 +-
 lib/flag_query.rb | 11 +++++++++--
 lib/guardian/category_guardian.rb | 8 ++++----
 spec/components/flag_query_spec.rb | 17 +++++++++++++++--
 spec/components/guardian_spec.rb | 12 ++++++------
 spec/controllers/categories_controller_spec.rb | 4 ++--
 8 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/app/controllers/admin/flags_controller.rb b/app/controllers/admin/flags_controller.rb
index ec99c69d4..99cc7d26e 100644
--- a/app/controllers/admin/flags_controller.rb
+++ b/app/controllers/admin/flags_controller.rb
@@ -4,7 +4,7 @@ class Admin::FlagsController < Admin::AdminController
 def index
 # we may get out of sync, fix it here
 PostAction.update_flagged_posts_count
- posts, users = FlagQuery.flagged_posts_report(params[:filter], params[:offset].to_i, 10)
+ posts, users = FlagQuery.flagged_posts_report(current_user, params[:filter], params[:offset].to_i, 10)
 if posts.blank?
 render json: {users: [], posts: []}
diff --git a/app/models/user.rb b/app/models/user.rb
index 5d5c6b52a..3d730bfd5 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -482,7 +482,7 @@ class User < ActiveRecord::Base
 def secure_category_ids
- cats = self.staff? ? Category.where(read_restricted: true) : secure_categories.references(:categories)
+ cats = self.admin? ? Category.where(read_restricted: true) : secure_categories.references(:categories)
 cats.pluck('categories.id').sort
 end
diff --git a/app/models/user_action.rb b/app/models/user_action.rb
index ab281de02..0c037cec3 100644
--- a/app/models/user_action.rb
+++ b/app/models/user_action.rb
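Review bot: `secure_category_ids` now means two different things depending on role — every read-restricted category for admins, but only the explicitly granted `secure_categories` for everyone else, moderators included — and the method carries no comment saying so, which matters because UserAction and FlagQuery in this same commit both depend on that distinction. I would add above the `def`: `# Admins can read every read_restricted category; moderators and regular users only those granted through secure_categories`. The `self.` receiver in `self.admin?` is redundant in Ruby; `admin? ? Category.where(read_restricted: true) : secure_categories.references(:categories)` reads the same.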
@@ -275,7 +275,7 @@ SQL
 builder.where("t.archetype != :archetype", archetype: Archetype::private_message)
 end
- unless guardian.is_staff?
+ unless guardian.is_admin?
 allowed = guardian.secure_category_ids
 if allowed.present?
 builder.where("( c.read_restricted IS NULL OR
diff --git a/lib/flag_query.rb b/lib/flag_query.rb
index c6c01c90a..2a5488d4d 100644
--- a/lib/flag_query.rb
+++ b/lib/flag_query.rb
@@ -1,8 +1,15 @@
 module FlagQuery
- def self.flagged_posts_report(filter, offset = 0, per_page = 25)
+ def self.flagged_posts_report(current_user, filter, offset = 0, per_page = 25)
 actions = flagged_post_actions(filter)
+ guardian = Guardian.new(current_user)
+
+ if !guardian.is_admin?
+ actions = actions.joins(:post => :topic)
+ .where('category_id in (?)', guardian.allowed_category_ids)
+ end
+
 post_ids = actions
 .limit(per_page)
 .offset(offset)
@@ -60,7 +67,7 @@ module FlagQuery
 protected
 def self.flagged_post_ids(filter, offset, limit)
- sql = < :full)
+ category.save
+ post2.topic.category_id = category.id
+ post2.topic.save
+
+ posts, users = FlagQuery.flagged_posts_report(moderator, "")
+
+ posts.count.should == 1
 end
 end
 end
diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb
index cf2dd80d3..96e6321f9 100644
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@@ -291,8 +291,8 @@ describe Guardian do
 Guardian.new(user).can_create?(Category).should be_false
 end
- it 'returns true when a moderator' do
- Guardian.new(moderator).can_create?(Category).should be_true
+ it 'returns false when a moderator' do
+ Guardian.new(moderator).can_create?(Category).should be_false
 end
 it 'returns true when an admin' do
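Review bot: Moderators now fall into this branch, so the pre-existing `if allowed.present?` guard carries more weight than before: a moderator with no secure category grants has an empty `secure_category_ids`, and what happens then depends on the else branch, which lies outside this hunk. If that branch applies no `read_restricted` filter, such a moderator would see actions from every category, which is the opposite of the commit's intent; it should be confirmed that the empty case still restricts to rows where `c.read_restricted` is NULL or false. A short comment on the `unless` line, such as `# admins see everything; moderators are limited to categories they were explicitly granted`, would record why staff was narrowed to admin here. The enclosing method starts and ends outside the hunk.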
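Review bot: The new filter `where('category_id in (?)', guardian.allowed_category_ids)` uses an unqualified `category_id` on a relation that now joins `posts` and `topics`; if another joined table also carries that column the database will reject the query as ambiguous, so `topics.category_id` is safer and says which table is meant. A topic whose `category_id` is NULL never matches an `IN` list, so such flags disappear for moderators regardless of their grants — fail-closed, but worth stating in a comment like `# non-admins only see flags in categories they can read; a NULL category_id never matches`. `if !guardian.is_admin?` would read more idiomatically as `unless guardian.is_admin?`, the form the UserAction hunk in this commit uses. The second hunk of this file (`flagged_post_ids`, at `@@ -60,7 +67,7 @@`) and the `lib/guardian/category_guardian.rb` change from the diffstat are not legible on this page, so the SQL side of the change could not be reviewed.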
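Review bot: The new example only pins the negative case — a moderator sees one of two flagged posts once a topic is moved into a restricted category — and nothing here asserts that an admin still sees both, which is the `is_admin?` branch the change relies on. A companion example that calls `flagged_posts_report` with an admin user and asserts `posts.count.should == 2` would guard against the branch being inverted. The opening lines of this hunk are not legible on this page, so the example's description and category setup could not be checked.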
@@ -626,8 +626,8 @@ describe Guardian do
 Guardian.new(category.user).can_edit?(category).should be_false
 end
- it 'returns true as a moderator' do
- Guardian.new(moderator).can_edit?(category).should be_true
+ it 'returns false as a moderator' do
+ Guardian.new(moderator).can_edit?(category).should be_false
 end
 it 'returns true as an admin' do
@@ -863,8 +863,8 @@ describe Guardian do
 Guardian.new(user).can_delete?(category).should be_false
 end
- it 'returns true when a moderator' do
- Guardian.new(moderator).can_delete?(category).should be_true
+ it 'returns false when a moderator' do
+ Guardian.new(moderator).can_delete?(category).should be_false
 end
 it 'returns true when an admin' do
diff --git a/spec/controllers/categories_controller_spec.rb b/spec/controllers/categories_controller_spec.rb
index 0d1baf775..ef1cc9d0a 100644
--- a/spec/controllers/categories_controller_spec.rb
+++ b/spec/controllers/categories_controller_spec.rb
@@ -9,7 +9,7 @@ describe CategoriesController do
 describe "logged in" do
 before do
- @user = log_in(:moderator)
+ @user = log_in(:admin)
 end
 it "raises an exception when they don't have permission to create it" do
@@ -106,7 +106,7 @@ describe CategoriesController do
 let(:valid_attrs) { {id: @category.id, name: "hello", color: "ff0", text_color: "fff"} }
 before do
- @user = log_in(:moderator)
+ @user = log_in(:admin)
 @category = Fabricate(:category, user: @user)
 end
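Review bot: Both `before` blocks in categories_controller_spec now log in an `:admin`, so the visible part of this spec no longer exercises a moderator at all, even though refusing moderators category creation and editing is exactly what this commit introduces (the `@@ -106,7 +106,7 @@` hunk makes the same swap). If no moderator example exists elsewhere in the file, consider keeping one that logs in `:moderator` and asserts the create and update requests are refused, so the new restriction is covered at the controller level and not only by the guardian_spec expectation flips. Whether the examples that follow these `before` blocks already have such coverage cannot be seen from the hunks.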