From ee4c34172f0a0145344525962cc5411a7f260ff5 Mon Sep 17 00:00:00 2001
From: Anton Khorev
Date: Fri, 1 Mar 2024 12:29:06 +0300
Subject: [PATCH] Don't show unredacted element versions to non-moderators
---
 app/controllers/old_nodes_controller.rb | 7 ++++
 app/controllers/old_relations_controller.rb | 7 ++++
 app/controllers/old_ways_controller.rb | 7 ++++
 test/controllers/old_nodes_controller_test.rb | 33 +++++++++++++++++--
 .../old_relations_controller_test.rb | 33 +++++++++++++++++--
 test/controllers/old_ways_controller_test.rb | 33 +++++++++++++++++--
 6 files changed, 111 insertions(+), 9 deletions(-)
diff --git a/app/controllers/old_nodes_controller.rb b/app/controllers/old_nodes_controller.rb
index a5b9cf563..9ef2ef881 100644
--- a/app/controllers/old_nodes_controller.rb
+++ b/app/controllers/old_nodes_controller.rb
@@ -8,6 +8,7 @@ class OldNodesController < ApplicationController
 authorize_resource
+ before_action :require_moderator_for_unredacted_history
 around_action :web_timeout
 def show
@@ -16,4 +17,10 @@ class OldNodesController < ApplicationController
 rescue ActiveRecord::RecordNotFound
 render :action => "not_found", :status => :not_found
 end
+
+ private
+
+ def require_moderator_for_unredacted_history
+ deny_access(nil) if params[:show_redactions] && !current_user&.moderator?
+ end
 end
diff --git a/app/controllers/old_relations_controller.rb b/app/controllers/old_relations_controller.rb
index 9dda82021..b9e151a4f 100644
--- a/app/controllers/old_relations_controller.rb
+++ b/app/controllers/old_relations_controller.rb
@@ -8,6 +8,7 @@ class OldRelationsController < ApplicationController
 authorize_resource
+ before_action :require_moderator_for_unredacted_history
 around_action :web_timeout
 def show
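Review bot: The moderator check in `require_moderator_for_unredacted_history` (second hunk of app/controllers/old_nodes_controller.rb) is copied verbatim into old_relations_controller.rb and old_ways_controller.rb, so a later change to the rule has to be made in three places and a missed copy would leave one element type with the old rule. Defining the method once, in a shared concern or in the common parent controller, and keeping only the `before_action :require_moderator_for_unredacted_history` line in each class would remove that risk. The guard fires on the mere presence of `params[:show_redactions]`, which fails closed; the code that actually decides to render unredacted data is outside these hunks and should apply the same or a narrower test. A comment such as `# Unredacted history is moderator-only; reject the request before the action runs.` above the method would record the intent.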
@@ -16,4 +17,10 @@ class OldRelationsController < ApplicationController
 rescue ActiveRecord::RecordNotFound
 render :action => "not_found", :status => :not_found
 end
+
+ private
+
+ def require_moderator_for_unredacted_history
+ deny_access(nil) if params[:show_redactions] && !current_user&.moderator?
+ end
 end
diff --git a/app/controllers/old_ways_controller.rb b/app/controllers/old_ways_controller.rb
index d18121e6f..dd3c3279f 100644
--- a/app/controllers/old_ways_controller.rb
+++ b/app/controllers/old_ways_controller.rb
@@ -8,6 +8,7 @@ class OldWaysController < ApplicationController
 authorize_resource
+ before_action :require_moderator_for_unredacted_history
 around_action :web_timeout
 def show
@@ -16,4 +17,10 @@ class OldWaysController < ApplicationController
 rescue ActiveRecord::RecordNotFound
 render :action => "not_found", :status => :not_found
 end
+
+ private
+
+ def require_moderator_for_unredacted_history
+ deny_access(nil) if params[:show_redactions] && !current_user&.moderator?
+ end
 end
diff --git a/test/controllers/old_nodes_controller_test.rb b/test/controllers/old_nodes_controller_test.rb
index 3f2958bd3..880e5e1a7 100644
--- a/test/controllers/old_nodes_controller_test.rb
+++ b/test/controllers/old_nodes_controller_test.rb
@@ -50,9 +50,7 @@ class OldNodesControllerTest < ActionDispatch::IntegrationTest
 end
 def test_redacted
- node = create(:node, :with_history, :deleted, :version => 2)
- node_v1 = node.old_nodes.find_by(:version => 1)
- node_v1.redact!(create(:redaction))
+ node = create_redacted_node
 get old_node_path(node, 1)
 assert_response :success
 assert_template "old_nodes/show"
@@ -62,6 +60,26 @@ class OldNodesControllerTest < ActionDispatch::IntegrationTest
 assert_select ".secondary-actions a[href='#{node_version_path node, 1}']", :count => 0
 end
+ test "don't show redacted versions to anonymous users" do
+ node = create_redacted_node
+ get old_node_path(node, 1, :params => { :show_redactions => true })
+ assert_response :redirect
+ end
+
+ test "don't show redacted versions to regular users" do
+ session_for(create(:user))
+ node = create_redacted_node
+ get old_node_path(node, 1, :params => { :show_redactions => true })
+ assert_response :redirect
+ end
+
+ test "show redacted versions to moderators" do
+ session_for(create(:moderator_user))
+ node = create_redacted_node
+ get old_node_path(node, 1, :params => { :show_redactions => true })
+ assert_response :success
+ end
+
 def test_not_found
 get old_node_path(0, 0)
 assert_response :not_found
@@ -69,4 +87,13 @@ class OldNodesControllerTest < ActionDispatch::IntegrationTest
 assert_template :layout => "map"
 assert_select "#sidebar_content", /node #0 version 0 could not be found/
 end
+
+ private
+
+ def create_redacted_node
+ create(:node, :with_history, :deleted, :version => 2) do |node|
+ node_v1 = node.old_nodes.find_by(:version => 1)
+ node_v1.redact!(create(:redaction))
+ end
+ end
 end
diff --git a/test/controllers/old_relations_controller_test.rb b/test/controllers/old_relations_controller_test.rb
index 311e5958a..534a1304c 100644
--- a/test/controllers/old_relations_controller_test.rb
+++ b/test/controllers/old_relations_controller_test.rb
@@ -59,9 +59,7 @@ class OldRelationsControllerTest < ActionDispatch::IntegrationTest
 end
 def test_redacted
- relation = create(:relation, :with_history, :deleted, :version => 2)
- relation_v1 = relation.old_relations.find_by(:version => 1)
- relation_v1.redact!(create(:redaction))
+ relation = create_redacted_relation
 get old_relation_path(relation, 1)
 assert_response :success
 assert_template "old_relations/show"
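Review bot: The two negative tests added in the `@@ -62,6 +60,26 @@` hunk of test/controllers/old_nodes_controller_test.rb assert only `assert_response :redirect`, which would also pass on an unrelated redirect, and the moderator test asserts only `:success` without checking that the version is actually rendered unredacted. Pinning the redirect target with `assert_redirected_to` in the anonymous and regular-user cases, and adding an `assert_select` on the unredacted content in the moderator case, would tie the tests to the access rule rather than to the status code alone. The same applies to the matching tests in old_relations_controller_test.rb and old_ways_controller_test.rb.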
@@ -71,6 +69,26 @@ class OldRelationsControllerTest < ActionDispatch::IntegrationTest
 assert_select ".secondary-actions a[href='#{relation_version_path relation, 1}']", :count => 0
 end
+ test "don't show redacted versions to anonymous users" do
+ relation = create_redacted_relation
+ get old_relation_path(relation, 1, :params => { :show_redactions => true })
+ assert_response :redirect
+ end
+
+ test "don't show redacted versions to regular users" do
+ session_for(create(:user))
+ relation = create_redacted_relation
+ get old_relation_path(relation, 1, :params => { :show_redactions => true })
+ assert_response :redirect
+ end
+
+ test "show redacted versions to moderators" do
+ session_for(create(:moderator_user))
+ relation = create_redacted_relation
+ get old_relation_path(relation, 1, :params => { :show_redactions => true })
+ assert_response :success
+ end
+
 def test_not_found
 get old_relation_path(0, 0)
 assert_response :not_found
@@ -78,4 +96,13 @@ class OldRelationsControllerTest < ActionDispatch::IntegrationTest
 assert_template :layout => "map"
 assert_select "#sidebar_content", /relation #0 version 0 could not be found/
 end
+
+ private
+
+ def create_redacted_relation
+ create(:relation, :with_history, :deleted, :version => 2) do |relation|
+ relation_v1 = relation.old_relations.find_by(:version => 1)
+ relation_v1.redact!(create(:redaction))
+ end
+ end
 end
diff --git a/test/controllers/old_ways_controller_test.rb b/test/controllers/old_ways_controller_test.rb
index d428605c5..b9632ed77 100644
--- a/test/controllers/old_ways_controller_test.rb
+++ b/test/controllers/old_ways_controller_test.rb
@@ -64,9 +64,7 @@ class OldWaysControllerTest < ActionDispatch::IntegrationTest
 end
 def test_redacted
- way = create(:way, :with_history, :deleted, :version => 2)
- way_v1 = way.old_ways.find_by(:version => 1)
- way_v1.redact!(create(:redaction))
+ way = create_redacted_way
 get old_way_path(way, 1)
 assert_response :success
 assert_template "old_ways/show"
@@ -76,6 +74,26 @@ class OldWaysControllerTest < ActionDispatch::IntegrationTest
 assert_select ".secondary-actions a[href='#{way_version_path way, 1}']", :count => 0
 end
+ test "don't show redacted versions to anonymous users" do
+ way = create_redacted_way
+ get old_way_path(way, 1, :params => { :show_redactions => true })
+ assert_response :redirect
+ end
+
+ test "don't show redacted versions to regular users" do
+ session_for(create(:user))
+ way = create_redacted_way
+ get old_way_path(way, 1, :params => { :show_redactions => true })
+ assert_response :redirect
+ end
+
+ test "show redacted versions to moderators" do
+ session_for(create(:moderator_user))
+ way = create_redacted_way
+ get old_way_path(way, 1, :params => { :show_redactions => true })
+ assert_response :success
+ end
+
 def test_not_found
 get old_way_path(0, 0)
 assert_response :not_found
@@ -83,4 +101,13 @@ class OldWaysControllerTest < ActionDispatch::IntegrationTest
 assert_template :layout => "map"
 assert_select "#sidebar_content", /way #0 version 0 could not be found/
 end
+
+ private
+
+ def create_redacted_way
+ create(:way, :with_history, :deleted, :version => 2) do |way|
+ way_v1 = way.old_ways.find_by(:version => 1)
+ way_v1.redact!(create(:redaction))
+ end
+ end
 end
-- 
2.39.5