SECURITY: reduce moderator rights

You can now hide particular categories from certain moderators
Sam 2014-02-07 14:11:52 +11:00
parent e133c82d4b
commit 93434be16d
8 changed files with 39 additions and 19 deletions


@ -4,7 +4,7 @@ class Admin::FlagsController < Admin::AdminController
def index def index
# we may get out of sync, fix it here # we may get out of sync, fix it here
PostAction.update_flagged_posts_count PostAction.update_flagged_posts_count
posts, users = FlagQuery.flagged_posts_report(params[:filter], params[:offset].to_i, 10) posts, users = FlagQuery.flagged_posts_report(current_user, params[:filter], params[:offset].to_i, 10)
if posts.blank? if posts.blank?
render json: {users: [], posts: []} render json: {users: [], posts: []}


@ -482,7 +482,7 @@ class User < ActiveRecord::Base
def secure_category_ids def secure_category_ids
cats = self.staff? ? Category.where(read_restricted: true) : secure_categories.references(:categories) cats = self.admin? ? Category.where(read_restricted: true) : secure_categories.references(:categories)
cats.pluck('categories.id').sort cats.pluck('categories.id').sort
end end
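Review bot: The changed condition in secure_category_ids now treats moderators like ordinary users, which is the whole point of the commit but is invisible to a reader of this method, so it deserves a one-line comment above the ternary: `# Only admins see every read_restricted category; moderators, like everyone else, get just the ones their groups grant`. That makes the deliberate admin-vs-staff distinction hard to revert by accident during a later "tidy-up".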


@ -275,7 +275,7 @@ SQL
builder.where("t.archetype != :archetype", archetype: Archetype::private_message) builder.where("t.archetype != :archetype", archetype: Archetype::private_message)
end end
unless guardian.is_staff? unless guardian.is_admin?
allowed = guardian.secure_category_ids allowed = guardian.secure_category_ids
if allowed.present? if allowed.present?
builder.where("( c.read_restricted IS NULL OR builder.where("( c.read_restricted IS NULL OR
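Review bot: With `is_staff?` replaced by `is_admin?`, moderators now fall into the `allowed = guardian.secure_category_ids` path, and what happens when that list is empty depends on the fall-through of `if allowed.present?`, which lies outside the hunk; confirm that an empty list still ends in a clause that excludes `read_restricted` categories rather than in no restriction at all. The enclosing method starts and ends outside the hunk, so this cannot be verified from the visible lines.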


@ -1,8 +1,15 @@
module FlagQuery module FlagQuery
def self.flagged_posts_report(filter, offset = 0, per_page = 25) def self.flagged_posts_report(current_user, filter, offset = 0, per_page = 25)
actions = flagged_post_actions(filter) actions = flagged_post_actions(filter)
guardian = Guardian.new(current_user)
if !guardian.is_admin?
actions = actions.joins(:post => :topic)
.where('category_id in (?)', guardian.allowed_category_ids)
end
post_ids = actions post_ids = actions
.limit(per_page) .limit(per_page)
.offset(offset) .offset(offset)
@ -60,7 +67,7 @@ module FlagQuery
protected protected
def self.flagged_post_ids(filter, offset, limit) def self.flagged_post_ids(filter, offset, limit)
sql = <<SQL <<SQL
SELECT p.id from posts p SELECT p.id from posts p
JOIN topics t ON t.id = p.topic_id JOIN topics t ON t.id = p.topic_id
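Review bot: The added where clause in flagged_posts_report filters on an unqualified `category_id`; after `joins(:post => :topic)` the relation spans post_actions, posts and topics, so the column should be qualified to state which table the restriction applies to and to avoid an ambiguous-column error if another joined table ever gains that column: `.where('topics.category_id in (?)', guardian.allowed_category_ids)`. A topic whose category_id is NULL can never match an IN list, so flags on such topics silently drop out of a moderator's report — worth a comment on that line if it is intended. The TopicQuery change in this commit restricts via `guardian.secure_category_ids` while this one uses `guardian.allowed_category_ids`; confirm both helpers encode the same admin-versus-moderator rule so the two views of restricted content cannot drift apart. The guard `if !guardian.is_admin?` reads more idiomatically as `unless guardian.is_admin?`.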


@ -2,16 +2,16 @@
module CategoryGuardian module CategoryGuardian
# Creating Method # Creating Method
def can_create_category?(parent) def can_create_category?(parent)
is_staff? is_admin?
end end
# Editing Method # Editing Method
def can_edit_category?(category) def can_edit_category?(category)
is_staff? is_admin?
end end
def can_delete_category?(category) def can_delete_category?(category)
is_staff? && category.topic_count == 0 && !category.uncategorized? is_admin? && category.topic_count == 0 && !category.uncategorized?
end end
def can_see_category?(category) def can_see_category?(category)
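Review bot: The three permission methods in this hunk now require `is_admin?`, but `can_see_category?` begins on the hunk's last line and its body is outside the hunk; if it still grants visibility through `is_staff?`, moderators would keep seeing categories they can no longer create, edit or delete, which may or may not be the intent — confirm it was reviewed alongside these. A short comment above `can_create_category?` such as `# Category management is admin-only; moderators only moderate content within categories they can see` would record the rule these three methods now share.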


@ -7,6 +7,9 @@ describe FlagQuery do
describe "flagged_posts_report" do describe "flagged_posts_report" do
it "operates correctly" do it "operates correctly" do
admin = Fabricate(:admin)
moderator = Fabricate(:moderator)
post = create_post post = create_post
post2 = create_post post2 = create_post
@ -20,7 +23,7 @@ describe FlagQuery do
PostAction.act(codinghorror, post2, PostActionType.types[:spam]) PostAction.act(codinghorror, post2, PostActionType.types[:spam])
PostAction.act(user2, post2, PostActionType.types[:spam]) PostAction.act(user2, post2, PostActionType.types[:spam])
posts, users = FlagQuery.flagged_posts_report("") posts, users = FlagQuery.flagged_posts_report(admin, "")
posts.count.should == 2 posts.count.should == 2
first = posts.first first = posts.first
@ -32,9 +35,19 @@ describe FlagQuery do
second[:post_actions].count.should == 3 second[:post_actions].count.should == 3
second[:post_actions].first[:permalink].should == mod_message.related_post.topic.url second[:post_actions].first[:permalink].should == mod_message.related_post.topic.url
posts, users = FlagQuery.flagged_posts_report("",offset=1) posts, users = FlagQuery.flagged_posts_report(admin, "", 1)
posts.count.should == 1 posts.count.should == 1
# chuck post in category a mod can not see and make sure its missing
category = Fabricate(:category)
category.set_permissions(:admins => :full)
category.save
post2.topic.category_id = category.id
post2.topic.save
posts, users = FlagQuery.flagged_posts_report(moderator, "")
posts.count.should == 1
end end
end end
end end
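Review bot: The new assertion at the end checks only `posts.count.should == 1`, which would also pass if the wrong post had been filtered out; assert which post survives by comparing the remaining entry against `post` (the report's key for the post id is not visible in this hunk). `category.save` and `post2.topic.save` return false on a validation failure and the spec would then test the wrong fixture state, so `save!` on both lines makes a broken setup fail loudly instead of masquerading as a pass.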


@ -291,8 +291,8 @@ describe Guardian do
Guardian.new(user).can_create?(Category).should be_false Guardian.new(user).can_create?(Category).should be_false
end end
it 'returns true when a moderator' do it 'returns false when a moderator' do
Guardian.new(moderator).can_create?(Category).should be_true Guardian.new(moderator).can_create?(Category).should be_false
end end
it 'returns true when an admin' do it 'returns true when an admin' do
@ -626,8 +626,8 @@ describe Guardian do
Guardian.new(category.user).can_edit?(category).should be_false Guardian.new(category.user).can_edit?(category).should be_false
end end
it 'returns true as a moderator' do it 'returns false as a moderator' do
Guardian.new(moderator).can_edit?(category).should be_true Guardian.new(moderator).can_edit?(category).should be_false
end end
it 'returns true as an admin' do it 'returns true as an admin' do
@ -863,8 +863,8 @@ describe Guardian do
Guardian.new(user).can_delete?(category).should be_false Guardian.new(user).can_delete?(category).should be_false
end end
it 'returns true when a moderator' do it 'returns false when a moderator' do
Guardian.new(moderator).can_delete?(category).should be_true Guardian.new(moderator).can_delete?(category).should be_false
end end
it 'returns true when an admin' do it 'returns true when an admin' do


@ -9,7 +9,7 @@ describe CategoriesController do
describe "logged in" do describe "logged in" do
before do before do
@user = log_in(:moderator) @user = log_in(:admin)
end end
it "raises an exception when they don't have permission to create it" do it "raises an exception when they don't have permission to create it" do
@ -106,7 +106,7 @@ describe CategoriesController do
let(:valid_attrs) { {id: @category.id, name: "hello", color: "ff0", text_color: "fff"} } let(:valid_attrs) { {id: @category.id, name: "hello", color: "ff0", text_color: "fff"} }
before do before do
@user = log_in(:moderator) @user = log_in(:admin)
@category = Fabricate(:category, user: @user) @category = Fabricate(:category, user: @user)
end end