]> git.openstreetmap.org Git - rails.git/blobdiff - app/controllers/diary_entries_controller.rb
Correct policing of access to private user details
[rails.git] / app / controllers / diary_entries_controller.rb
index 464e9e971dc702829fe053dbe020f45394e95b53..12f31bad255c01bf834214fd3b4e656084c0215d 100644 (file)
@@ -74,13 +74,14 @@ class DiaryEntriesController < ApplicationController
 
   def comment
     @entry = DiaryEntry.find(params[:id])
+    @comments = @entry.visible_comments
     @diary_comment = @entry.comments.build(comment_params)
     @diary_comment.user = current_user
     if @diary_comment.save
 
       # Notify current subscribers of the new comment
       @entry.subscribers.visible.each do |user|
-        Notifier.diary_comment_notification(@diary_comment, user).deliver_later if current_user != user
+        UserMailer.diary_comment_notification(@diary_comment, user).deliver_later if current_user != user
       end
 
       # Add the commenter to the subscribers if necessary
@@ -128,7 +129,7 @@ class DiaryEntriesController < ApplicationController
     elsif params[:friends]
       if current_user
         @title = t "diary_entries.index.title_friends"
-        @entries = DiaryEntry.where(:user_id => current_user.friend_users)
+        @entries = DiaryEntry.where(:user_id => current_user.friends)
       else
         require_user
         return
@@ -157,7 +158,7 @@ class DiaryEntriesController < ApplicationController
     @page = (params[:page] || 1).to_i
     @page_size = 20
 
-    @entries = @entries.visible unless current_user&.administrator?
+    @entries = @entries.visible unless can? :unhide, DiaryEntry
     @entries = @entries.order("created_at DESC")
     @entries = @entries.offset((@page - 1) * @page_size)
     @entries = @entries.limit(@page_size)
@@ -202,6 +203,7 @@ class DiaryEntriesController < ApplicationController
     @entry = @user.diary_entries.visible.where(:id => params[:id]).first
     if @entry
       @title = t "diary_entries.show.title", :user => params[:display_name], :title => @entry.title
+      @comments = can?(:unhidecomment, DiaryEntry) ? @entry.comments : @entry.visible_comments
     else
       @title = t "diary_entries.no_such_entry.title", :id => params[:id]
       render :action => "no_such_entry", :status => :not_found
@@ -233,11 +235,12 @@ class DiaryEntriesController < ApplicationController
   end
 
   def comments
+    conditions = { :user_id => @user }
+
+    conditions[:visible] = true unless can? :unhidecomment, DiaryEntry
+
     @comment_pages, @comments = paginate(:diary_comments,
-                                         :conditions => {
-                                           :user_id => @user,
-                                           :visible => true
-                                         },
+                                         :conditions => conditions,
                                          :order => "created_at DESC",
                                          :per_page => 20)
     @page = (params[:page] || 1).to_i