mirror of
https://github.com/discourse/discourse.git
synced 2024-11-25 18:13:38 +08:00
SECURITY: reduce moderator rights
You can now hide particular categories from certain moderators
This commit is contained in:
parent
e133c82d4b
commit
93434be16d
|
@ -4,7 +4,7 @@ class Admin::FlagsController < Admin::AdminController
|
|||
def index
|
||||
# we may get out of sync, fix it here
|
||||
PostAction.update_flagged_posts_count
|
||||
posts, users = FlagQuery.flagged_posts_report(params[:filter], params[:offset].to_i, 10)
|
||||
posts, users = FlagQuery.flagged_posts_report(current_user, params[:filter], params[:offset].to_i, 10)
|
||||
|
||||
if posts.blank?
|
||||
render json: {users: [], posts: []}
|
||||
|
|
|
@ -482,7 +482,7 @@ class User < ActiveRecord::Base
|
|||
|
||||
|
||||
def secure_category_ids
|
||||
cats = self.staff? ? Category.where(read_restricted: true) : secure_categories.references(:categories)
|
||||
cats = self.admin? ? Category.where(read_restricted: true) : secure_categories.references(:categories)
|
||||
cats.pluck('categories.id').sort
|
||||
end
|
||||
|
||||
|
|
|
@ -275,7 +275,7 @@ SQL
|
|||
builder.where("t.archetype != :archetype", archetype: Archetype::private_message)
|
||||
end
|
||||
|
||||
unless guardian.is_staff?
|
||||
unless guardian.is_admin?
|
||||
allowed = guardian.secure_category_ids
|
||||
if allowed.present?
|
||||
builder.where("( c.read_restricted IS NULL OR
|
||||
|
|
|
@ -1,8 +1,15 @@
|
|||
module FlagQuery
|
||||
def self.flagged_posts_report(filter, offset = 0, per_page = 25)
|
||||
def self.flagged_posts_report(current_user, filter, offset = 0, per_page = 25)
|
||||
|
||||
actions = flagged_post_actions(filter)
|
||||
|
||||
guardian = Guardian.new(current_user)
|
||||
|
||||
if !guardian.is_admin?
|
||||
actions = actions.joins(:post => :topic)
|
||||
.where('category_id in (?)', guardian.allowed_category_ids)
|
||||
end
|
||||
|
||||
post_ids = actions
|
||||
.limit(per_page)
|
||||
.offset(offset)
|
||||
|
@ -60,7 +67,7 @@ module FlagQuery
|
|||
protected
|
||||
|
||||
def self.flagged_post_ids(filter, offset, limit)
|
||||
sql = <<SQL
|
||||
<<SQL
|
||||
|
||||
SELECT p.id from posts p
|
||||
JOIN topics t ON t.id = p.topic_id
|
||||
|
|
|
@ -2,16 +2,16 @@
|
|||
module CategoryGuardian
|
||||
# Creating Method
|
||||
def can_create_category?(parent)
|
||||
is_staff?
|
||||
is_admin?
|
||||
end
|
||||
|
||||
# Editing Method
|
||||
def can_edit_category?(category)
|
||||
is_staff?
|
||||
is_admin?
|
||||
end
|
||||
|
||||
def can_delete_category?(category)
|
||||
is_staff? && category.topic_count == 0 && !category.uncategorized?
|
||||
is_admin? && category.topic_count == 0 && !category.uncategorized?
|
||||
end
|
||||
|
||||
def can_see_category?(category)
|
||||
|
@ -31,4 +31,4 @@ module CategoryGuardian
|
|||
def topic_create_allowed_category_ids
|
||||
@topic_create_allowed_category_ids ||= @user.topic_create_allowed_category_ids
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -7,6 +7,9 @@ describe FlagQuery do
|
|||
|
||||
describe "flagged_posts_report" do
|
||||
it "operates correctly" do
|
||||
admin = Fabricate(:admin)
|
||||
moderator = Fabricate(:moderator)
|
||||
|
||||
post = create_post
|
||||
post2 = create_post
|
||||
|
||||
|
@ -20,7 +23,7 @@ describe FlagQuery do
|
|||
PostAction.act(codinghorror, post2, PostActionType.types[:spam])
|
||||
PostAction.act(user2, post2, PostActionType.types[:spam])
|
||||
|
||||
posts, users = FlagQuery.flagged_posts_report("")
|
||||
posts, users = FlagQuery.flagged_posts_report(admin, "")
|
||||
posts.count.should == 2
|
||||
first = posts.first
|
||||
|
||||
|
@ -32,9 +35,19 @@ describe FlagQuery do
|
|||
second[:post_actions].count.should == 3
|
||||
second[:post_actions].first[:permalink].should == mod_message.related_post.topic.url
|
||||
|
||||
posts, users = FlagQuery.flagged_posts_report("",offset=1)
|
||||
posts, users = FlagQuery.flagged_posts_report(admin, "", 1)
|
||||
posts.count.should == 1
|
||||
|
||||
# chuck post in category a mod can not see and make sure its missing
|
||||
category = Fabricate(:category)
|
||||
category.set_permissions(:admins => :full)
|
||||
category.save
|
||||
post2.topic.category_id = category.id
|
||||
post2.topic.save
|
||||
|
||||
posts, users = FlagQuery.flagged_posts_report(moderator, "")
|
||||
|
||||
posts.count.should == 1
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -291,8 +291,8 @@ describe Guardian do
|
|||
Guardian.new(user).can_create?(Category).should be_false
|
||||
end
|
||||
|
||||
it 'returns true when a moderator' do
|
||||
Guardian.new(moderator).can_create?(Category).should be_true
|
||||
it 'returns false when a moderator' do
|
||||
Guardian.new(moderator).can_create?(Category).should be_false
|
||||
end
|
||||
|
||||
it 'returns true when an admin' do
|
||||
|
@ -626,8 +626,8 @@ describe Guardian do
|
|||
Guardian.new(category.user).can_edit?(category).should be_false
|
||||
end
|
||||
|
||||
it 'returns true as a moderator' do
|
||||
Guardian.new(moderator).can_edit?(category).should be_true
|
||||
it 'returns false as a moderator' do
|
||||
Guardian.new(moderator).can_edit?(category).should be_false
|
||||
end
|
||||
|
||||
it 'returns true as an admin' do
|
||||
|
@ -863,8 +863,8 @@ describe Guardian do
|
|||
Guardian.new(user).can_delete?(category).should be_false
|
||||
end
|
||||
|
||||
it 'returns true when a moderator' do
|
||||
Guardian.new(moderator).can_delete?(category).should be_true
|
||||
it 'returns false when a moderator' do
|
||||
Guardian.new(moderator).can_delete?(category).should be_false
|
||||
end
|
||||
|
||||
it 'returns true when an admin' do
|
||||
|
|
|
@ -9,7 +9,7 @@ describe CategoriesController do
|
|||
|
||||
describe "logged in" do
|
||||
before do
|
||||
@user = log_in(:moderator)
|
||||
@user = log_in(:admin)
|
||||
end
|
||||
|
||||
it "raises an exception when they don't have permission to create it" do
|
||||
|
@ -106,7 +106,7 @@ describe CategoriesController do
|
|||
let(:valid_attrs) { {id: @category.id, name: "hello", color: "ff0", text_color: "fff"} }
|
||||
|
||||
before do
|
||||
@user = log_in(:moderator)
|
||||
@user = log_in(:admin)
|
||||
@category = Fabricate(:category, user: @user)
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user