check story tag permissions on editor, not creator

joshua stein 2014-03-06 13:54:30 -06:00
parent d729d0ad99
commit 285fd82c16
2 changed files with 12 additions and 11 deletions


@ -34,7 +34,7 @@ class StoriesController < ApplicationController
end end
@story.is_expired = true @story.is_expired = true
@story.editor_user_id = @user.id @story.editor = @user
if params[:reason].present? && @story.user_id != @user.id if params[:reason].present? && @story.user_id != @user.id
@story.moderation_reason = params[:reason] @story.moderation_reason = params[:reason]
@ -151,7 +151,7 @@ class StoriesController < ApplicationController
end end
@story.is_expired = false @story.is_expired = false
@story.editor_user_id = @user.id @story.editor = @user
@story.save(:validate => false) @story.save(:validate => false)
redirect_to @story.comments_url redirect_to @story.comments_url
@ -164,7 +164,7 @@ class StoriesController < ApplicationController
end end
@story.is_expired = false @story.is_expired = false
@story.editor_user_id = @user.id @story.editor = @user
if @story.url_is_editable_by_user?(@user) if @story.url_is_editable_by_user?(@user)
@story.attributes = story_params @story.attributes = story_params


@ -18,7 +18,7 @@ class Story < ActiveRecord::Base
attr_accessor :vote, :already_posted_story, :fetched_content, :previewing, attr_accessor :vote, :already_posted_story, :fetched_content, :previewing,
:seen_previous :seen_previous
attr_accessor :editor_user_id, :moderation_reason attr_accessor :editor, :moderation_reason
before_validation :assign_short_id_and_upvote, before_validation :assign_short_id_and_upvote,
:on => :create :on => :create
@ -143,13 +143,15 @@ class Story < ActiveRecord::Base
# this has to happen just before save rather than in tags_a= because we need # this has to happen just before save rather than in tags_a= because we need
# to have a valid user_id # to have a valid user_id
def check_tags def check_tags
u = self.editor || self.user
self.taggings.each do |t| self.taggings.each do |t|
if !t.tag.valid_for?(self.user) if !t.tag.valid_for?(u)
raise "#{self.user.username} does not have permission to use " << raise "#{u.username} does not have permission to use privileged " <<
"privileged tag #{t.tag.tag}" "tag #{t.tag.tag}"
elsif t.tag.inactive? && !t.new_record? elsif t.tag.inactive? && !t.new_record?
# stories can have inactive tags as long as they existed before # stories can have inactive tags as long as they existed before
raise "#{self.user.username} cannot add inactive tag #{t.tag.tag}" raise "#{u.username} cannot add inactive tag #{t.tag.tag}"
end end
end end
@ -256,15 +258,14 @@ class Story < ActiveRecord::Base
end end
def log_moderation def log_moderation
if self.new_record? || !self.editor_user_id || if self.new_record? || !self.editor || self.editor.id == self.user_id
self.editor_user_id == self.user_id
return return
end end
all_changes = self.changes.merge(self.tagging_changes) all_changes = self.changes.merge(self.tagging_changes)
m = Moderation.new m = Moderation.new
m.moderator_user_id = self.editor_user_id m.moderator_user_id = self.editor.try(:id)
m.story_id = self.id m.story_id = self.id
if all_changes["is_expired"] && self.is_expired? if all_changes["is_expired"] && self.is_expired?
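Review bot: In check_tags, `u = self.editor || self.user` falls back to the submitter whenever `editor` is unset, so a save path that edits someone else's story without assigning `editor` would have its tags checked against the submitter's privileges rather than the acting user's. The three controller call sites in this commit set it, but nothing visible in the model enforces that for other callers, so I would at least document the contract above the assignment, e.g. `# editor must be set by any caller saving on behalf of another user; when nil the submitter is assumed to be acting`. In log_moderation the guard already returns when `editor` is nil, so `self.editor.try(:id)` can be plain `self.editor.id`. The closing `end` of check_tags and the rest of log_moderation lie outside the hunks shown.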