SECURITY: reduce moderator rights

You can now hide particular categories from certain moderators

app/controllers/admin/flags_controller.rb

@@ -4,7 +4,7 @@ class Admin::FlagsController < Admin::AdminController
   def index
     # we may get out of sync, fix it here
     PostAction.update_flagged_posts_count
-    posts, users = FlagQuery.flagged_posts_report(params[:filter], params[:offset].to_i, 10)
+    posts, users = FlagQuery.flagged_posts_report(current_user, params[:filter], params[:offset].to_i, 10)
 
     if posts.blank?
       render json: {users: [], posts: []}

app/models/user.rb

@@ -482,7 +482,7 @@ class User < ActiveRecord::Base
 
 
   def secure_category_ids
-    cats = self.staff? ? Category.where(read_restricted: true) : secure_categories.references(:categories)
+    cats = self.admin? ? Category.where(read_restricted: true) : secure_categories.references(:categories)
     cats.pluck('categories.id').sort
   end
 

app/models/user_action.rb

@@ -275,7 +275,7 @@ SQL
       builder.where("t.archetype != :archetype", archetype: Archetype::private_message)
     end
 
-    unless guardian.is_staff?
+    unless guardian.is_admin?
       allowed = guardian.secure_category_ids
       if allowed.present?
         builder.where("( c.read_restricted IS NULL OR

lib/flag_query.rb

@@ -1,8 +1,15 @@
 module FlagQuery
-  def self.flagged_posts_report(filter, offset = 0, per_page = 25)
+  def self.flagged_posts_report(current_user, filter, offset = 0, per_page = 25)
 
     actions = flagged_post_actions(filter)
 
+    guardian = Guardian.new(current_user)
+
+    if !guardian.is_admin?
+      actions = actions.joins(:post => :topic)
+                  .where('category_id in (?)', guardian.allowed_category_ids)
+    end
+
     post_ids = actions
               .limit(per_page)
               .offset(offset)
@@ -60,7 +67,7 @@ module FlagQuery
   protected
 
   def self.flagged_post_ids(filter, offset, limit)
-    sql = <<SQL
+    <<SQL
 
     SELECT p.id from posts p
     JOIN topics t ON t.id = p.topic_id

lib/guardian/category_guardian.rb

@@ -2,16 +2,16 @@
 module CategoryGuardian
   # Creating Method
   def can_create_category?(parent)
-    is_staff?
+    is_admin?
   end
 
   # Editing Method
   def can_edit_category?(category)
-    is_staff?
+    is_admin?
   end
 
   def can_delete_category?(category)
-    is_staff? && category.topic_count == 0 && !category.uncategorized?
+    is_admin? && category.topic_count == 0 && !category.uncategorized?
   end
 
   def can_see_category?(category)
@@ -31,4 +31,4 @@ module CategoryGuardian
   def topic_create_allowed_category_ids
     @topic_create_allowed_category_ids ||= @user.topic_create_allowed_category_ids
   end
-end
+end

spec/components/flag_query_spec.rb

@@ -7,6 +7,9 @@ describe FlagQuery do
 
   describe "flagged_posts_report" do
     it "operates correctly" do
+      admin = Fabricate(:admin)
+      moderator = Fabricate(:moderator)
+
       post = create_post
       post2 = create_post
 
@@ -20,7 +23,7 @@ describe FlagQuery do
       PostAction.act(codinghorror, post2, PostActionType.types[:spam])
       PostAction.act(user2, post2, PostActionType.types[:spam])
 
-      posts, users = FlagQuery.flagged_posts_report("")
+      posts, users = FlagQuery.flagged_posts_report(admin, "")
       posts.count.should == 2
       first = posts.first
 
@@ -32,9 +35,19 @@ describe FlagQuery do
       second[:post_actions].count.should == 3
       second[:post_actions].first[:permalink].should == mod_message.related_post.topic.url
 
-      posts, users = FlagQuery.flagged_posts_report("",offset=1)
+      posts, users = FlagQuery.flagged_posts_report(admin, "", 1)
       posts.count.should == 1
 
+      # chuck post in category a mod can not see and make sure its missing
+      category = Fabricate(:category)
+      category.set_permissions(:admins => :full)
+      category.save
+      post2.topic.category_id = category.id
+      post2.topic.save
+
+      posts, users = FlagQuery.flagged_posts_report(moderator, "")
+
+      posts.count.should == 1
     end
   end
 end

spec/components/guardian_spec.rb

@@ -291,8 +291,8 @@ describe Guardian do
         Guardian.new(user).can_create?(Category).should be_false
       end
 
-      it 'returns true when a moderator' do
-        Guardian.new(moderator).can_create?(Category).should be_true
+      it 'returns false when a moderator' do
+        Guardian.new(moderator).can_create?(Category).should be_false
       end
 
       it 'returns true when an admin' do
@@ -626,8 +626,8 @@ describe Guardian do
         Guardian.new(category.user).can_edit?(category).should be_false
       end
 
-      it 'returns true as a moderator' do
-        Guardian.new(moderator).can_edit?(category).should be_true
+      it 'returns false as a moderator' do
+        Guardian.new(moderator).can_edit?(category).should be_false
       end
 
       it 'returns true as an admin' do
@@ -863,8 +863,8 @@ describe Guardian do
         Guardian.new(user).can_delete?(category).should be_false
       end
 
-      it 'returns true when a moderator' do
-        Guardian.new(moderator).can_delete?(category).should be_true
+      it 'returns false when a moderator' do
+        Guardian.new(moderator).can_delete?(category).should be_false
       end
 
       it 'returns true when an admin' do

spec/controllers/categories_controller_spec.rb

@@ -9,7 +9,7 @@ describe CategoriesController do
 
     describe "logged in" do
       before do
-        @user = log_in(:moderator)
+        @user = log_in(:admin)
       end
 
       it "raises an exception when they don't have permission to create it" do
@@ -106,7 +106,7 @@ describe CategoriesController do
       let(:valid_attrs) { {id: @category.id, name: "hello", color: "ff0", text_color: "fff"} }
 
       before do
-        @user = log_in(:moderator)
+        @user = log_in(:admin)
         @category = Fabricate(:category, user: @user)
       end