FIX: moderators should not be able to see site setting changes in the staff action logs. Fixes #2027
This commit is contained in:
parent
47357136dc
commit
b40313559b
|
@ -1,7 +1,7 @@
|
||||||
class Admin::StaffActionLogsController < Admin::AdminController
|
class Admin::StaffActionLogsController < Admin::AdminController
|
||||||
|
|
||||||
def index
|
def index
|
||||||
staff_action_logs = UserHistory.with_filters(params.slice(:action_name, :acting_user, :target_user, :subject)).only_staff_actions.limit(200).order('id DESC').includes(:acting_user, :target_user).to_a
|
staff_action_logs = UserHistory.staff_action_records(current_user, params.slice(:action_name, :acting_user, :target_user, :subject)).to_a
|
||||||
render_serialized(staff_action_logs, UserHistorySerializer)
|
render_serialized(staff_action_logs, UserHistorySerializer)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
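Review bot: The `params.slice(:action_name, :acting_user, :target_user, :subject)` whitelist on the new `index` line is repeated verbatim inside `UserHistory.staff_action_records`, so one of the two copies is dead weight and the two lists can drift apart. Keeping the whitelist at the controller boundary is the better place for it; the model could then use `opts` as given, or the controller could pass `params` and let the model own the list — but not both. Since which rows come back now depends on `current_user`, a short comment on the call would help the next reader: `# non-admin staff only receive rows the model has not marked admin_only`.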
@ -9,6 +9,8 @@ class UserHistory < ActiveRecord::Base
|
||||||
|
|
||||||
scope :only_staff_actions, ->{ where("action IN (?)", UserHistory.staff_action_ids) }
|
scope :only_staff_actions, ->{ where("action IN (?)", UserHistory.staff_action_ids) }
|
||||||
|
|
||||||
|
before_save :set_admin_only
|
||||||
|
|
||||||
def self.actions
|
def self.actions
|
||||||
@actions ||= Enum.new( :delete_user,
|
@actions ||= Enum.new( :delete_user,
|
||||||
:change_trust_level,
|
:change_trust_level,
|
||||||
|
@ -38,6 +40,10 @@ class UserHistory < ActiveRecord::Base
|
||||||
@staff_action_ids ||= staff_actions.map { |a| actions[a] }
|
@staff_action_ids ||= staff_actions.map { |a| actions[a] }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def self.admin_only_action_ids
|
||||||
|
@admin_only_action_ids ||= [actions[:change_site_setting]]
|
||||||
|
end
|
||||||
|
|
||||||
def self.with_filters(filters)
|
def self.with_filters(filters)
|
||||||
query = self
|
query = self
|
||||||
if filters[:action_name] and action_id = UserHistory.actions[filters[:action_name].to_sym]
|
if filters[:action_name] and action_id = UserHistory.actions[filters[:action_name].to_sym]
|
||||||
|
@ -63,6 +69,18 @@ class UserHistory < ActiveRecord::Base
|
||||||
result.exists?
|
result.exists?
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def self.staff_action_records(viewer, opts={})
|
||||||
|
query = self.with_filters(opts.slice(:action_name, :acting_user, :target_user, :subject)).only_staff_actions.limit(200).order('id DESC').includes(:acting_user, :target_user)
|
||||||
|
query = query.where(admin_only: false) unless viewer && viewer.admin?
|
||||||
|
query
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
def set_admin_only
|
||||||
|
self.admin_only = UserHistory.admin_only_action_ids.include?(self.action)
|
||||||
|
self
|
||||||
|
end
|
||||||
|
|
||||||
def new_value_is_json?
|
def new_value_is_json?
|
||||||
[UserHistory.actions[:change_site_customization], UserHistory.actions[:delete_site_customization]].include?(action)
|
[UserHistory.actions[:change_site_customization], UserHistory.actions[:delete_site_customization]].include?(action)
|
||||||
end
|
end
|
||||||
|
|
|
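Review bot: `staff_action_records` enforces the moderator restriction through the denormalized `admin_only` column, which is populated only by the `before_save` callback and defaults to false, so any row written without callbacks (`update_column`, raw SQL, or a future action added to `admin_only_action_ids` without a backfill) fails open and becomes visible to moderators. Filtering on the authoritative `action` value closes that gap and matches the file's existing query style: `query = query.where("action NOT IN (?)", UserHistory.admin_only_action_ids) unless viewer && viewer.admin?` (the column can remain as a cache if the index is wanted). `with_filters`, which the new method calls, still does `filters[:action_name].to_sym` on a request parameter; that is context rather than new code, but the new entry point is what forwards user input into it, so it is worth a look. `set_admin_only` deliberately overwrites the flag on every save; a one-line comment saying so, `# recomputed on every save so a changed action cannot leave a stale flag`, would stop someone "optimising" it into a one-time set.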
@ -0,0 +1,10 @@
|
||||||
|
class AddAdminOnlyToUserHistories < ActiveRecord::Migration
|
||||||
|
def up
|
||||||
|
add_column :user_histories, :admin_only, :boolean, default: false
|
||||||
|
execute "UPDATE user_histories SET admin_only = true WHERE action = #{UserHistory.actions[:change_site_setting]}"
|
||||||
|
end
|
||||||
|
|
||||||
|
def down
|
||||||
|
remove_column :user_histories, :admin_only
|
||||||
|
end
|
||||||
|
end
|
|
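Review bot: The backfill on the `execute` line interpolates `UserHistory.actions[:change_site_setting]` at migration time, which ties a historical migration to whatever the model's enum says whenever it is run later — a renamed or renumbered action would make the interpolation yield `nil` (invalid SQL) or flag the wrong rows. Migrations are safer with the literal integer plus a comment naming it, e.g. `# literal value of UserHistory.actions[:change_site_setting] at the time of this migration`. The interpolated value is an integer from the enum rather than user input, so this is not an injection issue. Separately, `add_column ... default: false` still permits NULL; because `WHERE admin_only = false` does not match NULL, such a row would be hidden from non-admins (fail-closed, but surprising), and `null: false` removes the ambiguity.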
@ -1,5 +1,24 @@
|
||||||
require 'spec_helper'
|
require 'spec_helper'
|
||||||
|
|
||||||
describe UserHistory do
|
describe UserHistory do
|
||||||
# Nothing fancy going on in this model. See StaffActionLogger.
|
|
||||||
|
describe '#staff_action_records' do
|
||||||
|
context "with some records" do
|
||||||
|
before do
|
||||||
|
@change_site_setting = UserHistory.create!({action: UserHistory.actions[:change_site_setting], subject: "title", previous_value: "Old", new_value: "New"})
|
||||||
|
@change_trust_level = UserHistory.create!({action: UserHistory.actions[:change_trust_level], target_user_id: Fabricate(:user).id, details: "stuff happened"})
|
||||||
|
end
|
||||||
|
|
||||||
|
it "returns all records for admins" do
|
||||||
|
records = described_class.staff_action_records(Fabricate(:admin)).to_a
|
||||||
|
records.size.should == 2
|
||||||
|
end
|
||||||
|
|
||||||
|
it "doesn't return records to moderators that only admins should see" do
|
||||||
|
records = described_class.staff_action_records(Fabricate(:moderator)).to_a
|
||||||
|
records.should == [@change_trust_level]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
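Review bot: The two examples cover an admin and a moderator but not a `nil` viewer, which `staff_action_records` treats as non-admin via `unless viewer && viewer.admin?`; a cheap regression test for that fail-closed branch is `it "treats a missing viewer as non-admin" do described_class.staff_action_records(nil).to_a.should == [@change_trust_level] end`. Both examples infer that the `before_save` callback set `admin_only` from the filtered list; a direct `@change_site_setting.admin_only.should == true` would pin the flag itself. Nothing here exercises the controller endpoint as a moderator, which appears to be the scenario the commit title describes.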