FIX: moderators should not be able to see site setting changes in the staff action logs. Fixes #2027

This commit is contained in:
Neil Lalonde 2014-02-28 16:30:45 -05:00
parent 47357136dc
commit b40313559b
4 changed files with 49 additions and 2 deletions

View File

@ -1,7 +1,7 @@
class Admin::StaffActionLogsController < Admin::AdminController class Admin::StaffActionLogsController < Admin::AdminController
def index def index
staff_action_logs = UserHistory.with_filters(params.slice(:action_name, :acting_user, :target_user, :subject)).only_staff_actions.limit(200).order('id DESC').includes(:acting_user, :target_user).to_a staff_action_logs = UserHistory.staff_action_records(current_user, params.slice(:action_name, :acting_user, :target_user, :subject)).to_a
render_serialized(staff_action_logs, UserHistorySerializer) render_serialized(staff_action_logs, UserHistorySerializer)
end end

View File

@ -9,6 +9,8 @@ class UserHistory < ActiveRecord::Base
scope :only_staff_actions, ->{ where("action IN (?)", UserHistory.staff_action_ids) } scope :only_staff_actions, ->{ where("action IN (?)", UserHistory.staff_action_ids) }
before_save :set_admin_only
def self.actions def self.actions
@actions ||= Enum.new( :delete_user, @actions ||= Enum.new( :delete_user,
:change_trust_level, :change_trust_level,
@ -38,6 +40,10 @@ class UserHistory < ActiveRecord::Base
@staff_action_ids ||= staff_actions.map { |a| actions[a] } @staff_action_ids ||= staff_actions.map { |a| actions[a] }
end end
def self.admin_only_action_ids
@admin_only_action_ids ||= [actions[:change_site_setting]]
end
def self.with_filters(filters) def self.with_filters(filters)
query = self query = self
if filters[:action_name] and action_id = UserHistory.actions[filters[:action_name].to_sym] if filters[:action_name] and action_id = UserHistory.actions[filters[:action_name].to_sym]
@ -63,6 +69,18 @@ class UserHistory < ActiveRecord::Base
result.exists? result.exists?
end end
def self.staff_action_records(viewer, opts={})
query = self.with_filters(opts.slice(:action_name, :acting_user, :target_user, :subject)).only_staff_actions.limit(200).order('id DESC').includes(:acting_user, :target_user)
query = query.where(admin_only: false) unless viewer && viewer.admin?
query
end
def set_admin_only
self.admin_only = UserHistory.admin_only_action_ids.include?(self.action)
self
end
def new_value_is_json? def new_value_is_json?
[UserHistory.actions[:change_site_customization], UserHistory.actions[:delete_site_customization]].include?(action) [UserHistory.actions[:change_site_customization], UserHistory.actions[:delete_site_customization]].include?(action)
end end

View File

@ -0,0 +1,10 @@
class AddAdminOnlyToUserHistories < ActiveRecord::Migration
def up
add_column :user_histories, :admin_only, :boolean, default: false
execute "UPDATE user_histories SET admin_only = true WHERE action = #{UserHistory.actions[:change_site_setting]}"
end
def down
remove_column :user_histories, :admin_only
end
end

View File

@ -1,5 +1,24 @@
require 'spec_helper' require 'spec_helper'
describe UserHistory do describe UserHistory do
# Nothing fancy going on in this model. See StaffActionLogger.
describe '#staff_action_records' do
context "with some records" do
before do
@change_site_setting = UserHistory.create!({action: UserHistory.actions[:change_site_setting], subject: "title", previous_value: "Old", new_value: "New"})
@change_trust_level = UserHistory.create!({action: UserHistory.actions[:change_trust_level], target_user_id: Fabricate(:user).id, details: "stuff happened"})
end
it "returns all records for admins" do
records = described_class.staff_action_records(Fabricate(:admin)).to_a
records.size.should == 2
end
it "doesn't return records to moderators that only admins should see" do
records = described_class.staff_action_records(Fabricate(:moderator)).to_a
records.should == [@change_trust_level]
end
end
end
end end