mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-23 23:58:31 -05:00
SECURITY: reduce moderator rights
You can now hide particular categories from certain moderators
This commit is contained in:
parent
e133c82d4b
commit
93434be16d
8 changed files with 39 additions and 19 deletions
|
@ -4,7 +4,7 @@ class Admin::FlagsController < Admin::AdminController
|
||||||
def index
|
def index
|
||||||
# we may get out of sync, fix it here
|
# we may get out of sync, fix it here
|
||||||
PostAction.update_flagged_posts_count
|
PostAction.update_flagged_posts_count
|
||||||
posts, users = FlagQuery.flagged_posts_report(params[:filter], params[:offset].to_i, 10)
|
posts, users = FlagQuery.flagged_posts_report(current_user, params[:filter], params[:offset].to_i, 10)
|
||||||
|
|
||||||
if posts.blank?
|
if posts.blank?
|
||||||
render json: {users: [], posts: []}
|
render json: {users: [], posts: []}
|
||||||
|
|
|
@ -482,7 +482,7 @@ class User < ActiveRecord::Base
|
||||||
|
|
||||||
|
|
||||||
def secure_category_ids
|
def secure_category_ids
|
||||||
cats = self.staff? ? Category.where(read_restricted: true) : secure_categories.references(:categories)
|
cats = self.admin? ? Category.where(read_restricted: true) : secure_categories.references(:categories)
|
||||||
cats.pluck('categories.id').sort
|
cats.pluck('categories.id').sort
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -275,7 +275,7 @@ SQL
|
||||||
builder.where("t.archetype != :archetype", archetype: Archetype::private_message)
|
builder.where("t.archetype != :archetype", archetype: Archetype::private_message)
|
||||||
end
|
end
|
||||||
|
|
||||||
unless guardian.is_staff?
|
unless guardian.is_admin?
|
||||||
allowed = guardian.secure_category_ids
|
allowed = guardian.secure_category_ids
|
||||||
if allowed.present?
|
if allowed.present?
|
||||||
builder.where("( c.read_restricted IS NULL OR
|
builder.where("( c.read_restricted IS NULL OR
|
||||||
|
|
|
@ -1,8 +1,15 @@
|
||||||
module FlagQuery
|
module FlagQuery
|
||||||
def self.flagged_posts_report(filter, offset = 0, per_page = 25)
|
def self.flagged_posts_report(current_user, filter, offset = 0, per_page = 25)
|
||||||
|
|
||||||
actions = flagged_post_actions(filter)
|
actions = flagged_post_actions(filter)
|
||||||
|
|
||||||
|
guardian = Guardian.new(current_user)
|
||||||
|
|
||||||
|
if !guardian.is_admin?
|
||||||
|
actions = actions.joins(:post => :topic)
|
||||||
|
.where('category_id in (?)', guardian.allowed_category_ids)
|
||||||
|
end
|
||||||
|
|
||||||
post_ids = actions
|
post_ids = actions
|
||||||
.limit(per_page)
|
.limit(per_page)
|
||||||
.offset(offset)
|
.offset(offset)
|
||||||
|
@ -60,7 +67,7 @@ module FlagQuery
|
||||||
protected
|
protected
|
||||||
|
|
||||||
def self.flagged_post_ids(filter, offset, limit)
|
def self.flagged_post_ids(filter, offset, limit)
|
||||||
sql = <<SQL
|
<<SQL
|
||||||
|
|
||||||
SELECT p.id from posts p
|
SELECT p.id from posts p
|
||||||
JOIN topics t ON t.id = p.topic_id
|
JOIN topics t ON t.id = p.topic_id
|
||||||
|
|
|
@ -2,16 +2,16 @@
|
||||||
module CategoryGuardian
|
module CategoryGuardian
|
||||||
# Creating Method
|
# Creating Method
|
||||||
def can_create_category?(parent)
|
def can_create_category?(parent)
|
||||||
is_staff?
|
is_admin?
|
||||||
end
|
end
|
||||||
|
|
||||||
# Editing Method
|
# Editing Method
|
||||||
def can_edit_category?(category)
|
def can_edit_category?(category)
|
||||||
is_staff?
|
is_admin?
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_delete_category?(category)
|
def can_delete_category?(category)
|
||||||
is_staff? && category.topic_count == 0 && !category.uncategorized?
|
is_admin? && category.topic_count == 0 && !category.uncategorized?
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_see_category?(category)
|
def can_see_category?(category)
|
||||||
|
|
|
@ -7,6 +7,9 @@ describe FlagQuery do
|
||||||
|
|
||||||
describe "flagged_posts_report" do
|
describe "flagged_posts_report" do
|
||||||
it "operates correctly" do
|
it "operates correctly" do
|
||||||
|
admin = Fabricate(:admin)
|
||||||
|
moderator = Fabricate(:moderator)
|
||||||
|
|
||||||
post = create_post
|
post = create_post
|
||||||
post2 = create_post
|
post2 = create_post
|
||||||
|
|
||||||
|
@ -20,7 +23,7 @@ describe FlagQuery do
|
||||||
PostAction.act(codinghorror, post2, PostActionType.types[:spam])
|
PostAction.act(codinghorror, post2, PostActionType.types[:spam])
|
||||||
PostAction.act(user2, post2, PostActionType.types[:spam])
|
PostAction.act(user2, post2, PostActionType.types[:spam])
|
||||||
|
|
||||||
posts, users = FlagQuery.flagged_posts_report("")
|
posts, users = FlagQuery.flagged_posts_report(admin, "")
|
||||||
posts.count.should == 2
|
posts.count.should == 2
|
||||||
first = posts.first
|
first = posts.first
|
||||||
|
|
||||||
|
@ -32,9 +35,19 @@ describe FlagQuery do
|
||||||
second[:post_actions].count.should == 3
|
second[:post_actions].count.should == 3
|
||||||
second[:post_actions].first[:permalink].should == mod_message.related_post.topic.url
|
second[:post_actions].first[:permalink].should == mod_message.related_post.topic.url
|
||||||
|
|
||||||
posts, users = FlagQuery.flagged_posts_report("",offset=1)
|
posts, users = FlagQuery.flagged_posts_report(admin, "", 1)
|
||||||
posts.count.should == 1
|
posts.count.should == 1
|
||||||
|
|
||||||
|
# chuck post in category a mod can not see and make sure its missing
|
||||||
|
category = Fabricate(:category)
|
||||||
|
category.set_permissions(:admins => :full)
|
||||||
|
category.save
|
||||||
|
post2.topic.category_id = category.id
|
||||||
|
post2.topic.save
|
||||||
|
|
||||||
|
posts, users = FlagQuery.flagged_posts_report(moderator, "")
|
||||||
|
|
||||||
|
posts.count.should == 1
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -291,8 +291,8 @@ describe Guardian do
|
||||||
Guardian.new(user).can_create?(Category).should be_false
|
Guardian.new(user).can_create?(Category).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns true when a moderator' do
|
it 'returns false when a moderator' do
|
||||||
Guardian.new(moderator).can_create?(Category).should be_true
|
Guardian.new(moderator).can_create?(Category).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns true when an admin' do
|
it 'returns true when an admin' do
|
||||||
|
@ -626,8 +626,8 @@ describe Guardian do
|
||||||
Guardian.new(category.user).can_edit?(category).should be_false
|
Guardian.new(category.user).can_edit?(category).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns true as a moderator' do
|
it 'returns false as a moderator' do
|
||||||
Guardian.new(moderator).can_edit?(category).should be_true
|
Guardian.new(moderator).can_edit?(category).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns true as an admin' do
|
it 'returns true as an admin' do
|
||||||
|
@ -863,8 +863,8 @@ describe Guardian do
|
||||||
Guardian.new(user).can_delete?(category).should be_false
|
Guardian.new(user).can_delete?(category).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns true when a moderator' do
|
it 'returns false when a moderator' do
|
||||||
Guardian.new(moderator).can_delete?(category).should be_true
|
Guardian.new(moderator).can_delete?(category).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns true when an admin' do
|
it 'returns true when an admin' do
|
||||||
|
|
|
@ -9,7 +9,7 @@ describe CategoriesController do
|
||||||
|
|
||||||
describe "logged in" do
|
describe "logged in" do
|
||||||
before do
|
before do
|
||||||
@user = log_in(:moderator)
|
@user = log_in(:admin)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "raises an exception when they don't have permission to create it" do
|
it "raises an exception when they don't have permission to create it" do
|
||||||
|
@ -106,7 +106,7 @@ describe CategoriesController do
|
||||||
let(:valid_attrs) { {id: @category.id, name: "hello", color: "ff0", text_color: "fff"} }
|
let(:valid_attrs) { {id: @category.id, name: "hello", color: "ff0", text_color: "fff"} }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
@user = log_in(:moderator)
|
@user = log_in(:admin)
|
||||||
@category = Fabricate(:category, user: @user)
|
@category = Fabricate(:category, user: @user)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue