Add moderator role and add pundit policies for admin actions (#5635)

* Add moderator role and add pundit policies for admin actions * Add rake task for turning user into mod and revoking it again * Fix handling of unauthorized exception * Deliver new report e-mails to staff, not just admins * Add promote/demote to admin UI, hide some actions conditionally * Fix unused i18n
author: Eugen Rochko <eugen@zeonfederated.com> 2017-11-11 20:23:33 +0100
committer: GitHub <noreply@github.com> 2017-11-11 20:23:33 +0100
commit: 7bb8b0b2fc0e2e42a4234fed18198cbb7439fe9f (patch)
tree: f629ef40a5e7253c3d7bf353959951c93e5aad6f /app/policies
parent: 2b1190065c54f071ae384f6e05b4a087987febba (diff)
12 files changed, 246 insertions, 17 deletions
diff --git a/app/policies/account_moderation_note_policy.rb b/app/policies/account_moderation_note_policy.rb
new file mode 100644
index 000000000..885411a5b
--- /dev/null
+++ b/app/policies/account_moderation_note_policy.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class AccountModerationNotePolicy < ApplicationPolicy
+  def create?
+    staff?
+  end
+
+  def destroy?
+    admin? || owner?
+  end
+
+  private
+
+  def owner?
+    record.account_id == current_account&.id
+  end
+end
diff --git a/app/policies/account_policy.rb b/app/policies/account_policy.rb
new file mode 100644
index 000000000..85e2c8419
--- /dev/null
+++ b/app/policies/account_policy.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+class AccountPolicy < ApplicationPolicy
+  def index?
+    staff?
+  end
+
+  def show?
+    staff?
+  end
+
+  def suspend?
+    staff? && !record.user&.staff?
+  end
+
+  def unsuspend?
+    staff?
+  end
+
+  def silence?
+    staff? && !record.user&.staff?
+  end
+
+  def unsilence?
+    staff?
+  end
+
+  def redownload?
+    admin?
+  end
+
+  def subscribe?
+    admin?
+  end
+
+  def unsubscribe?
+    admin?
+  end
+
+  def memorialize?
+    admin? && !record.user&.admin?
+  end
+end
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
new file mode 100644
index 000000000..3e617001f
--- /dev/null
+++ b/app/policies/application_policy.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class ApplicationPolicy
+  attr_reader :current_account, :record
+
+  def initialize(current_account, record)
+    @current_account = current_account
+    @record          = record
+  end
+
+  delegate :admin?, :moderator?, :staff?, to: :current_user, allow_nil: true
+
+  private
+
+  def current_user
+    current_account&.user
+  end
+end
diff --git a/app/policies/custom_emoji_policy.rb b/app/policies/custom_emoji_policy.rb
new file mode 100644
index 000000000..a8c3cbc73
--- /dev/null
+++ b/app/policies/custom_emoji_policy.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+class CustomEmojiPolicy < ApplicationPolicy
+  def index?
+    staff?
+  end
+
+  def create?
+    admin?
+  end
+
+  def update?
+    admin?
+  end
+
+  def copy?
+    admin?
+  end
+
+  def enable?
+    staff?
+  end
+
+  def disable?
+    staff?
+  end
+
+  def destroy?
+    admin?
+  end
+end
diff --git a/app/policies/domain_block_policy.rb b/app/policies/domain_block_policy.rb
new file mode 100644
index 000000000..47c0a81af
--- /dev/null
+++ b/app/policies/domain_block_policy.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class DomainBlockPolicy < ApplicationPolicy
+  def index?
+    admin?
+  end
+
+  def show?
+    admin?
+  end
+
+  def create?
+    admin?
+  end
+
+  def destroy?
+    admin?
+  end
+end
diff --git a/app/policies/email_domain_block_policy.rb b/app/policies/email_domain_block_policy.rb
new file mode 100644
index 000000000..5a75ee183
--- /dev/null
+++ b/app/policies/email_domain_block_policy.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class EmailDomainBlockPolicy < ApplicationPolicy
+  def index?
+    admin?
+  end
+
+  def create?
+    admin?
+  end
+
+  def destroy?
+    admin?
+  end
+end
diff --git a/app/policies/instance_policy.rb b/app/policies/instance_policy.rb
new file mode 100644
index 000000000..d1956e2de
--- /dev/null
+++ b/app/policies/instance_policy.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class InstancePolicy < ApplicationPolicy
+  def index?
+    admin?
+  end
+
+  def resubscribe?
+    admin?
+  end
+end
diff --git a/app/policies/report_policy.rb b/app/policies/report_policy.rb
new file mode 100644
index 000000000..95b5c30c8
--- /dev/null
+++ b/app/policies/report_policy.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class ReportPolicy < ApplicationPolicy
+  def update?
+    staff?
+  end
+
+  def index?
+    staff?
+  end
+
+  def show?
+    staff?
+  end
+end
diff --git a/app/policies/settings_policy.rb b/app/policies/settings_policy.rb
new file mode 100644
index 000000000..2dcb79f51
--- /dev/null
+++ b/app/policies/settings_policy.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class SettingsPolicy < ApplicationPolicy
+  def update?
+    admin?
+  end
+
+  def show?
+    admin?
+  end
+end
diff --git a/app/policies/status_policy.rb b/app/policies/status_policy.rb
index 2ded61850..0373fdf04 100644
--- a/app/policies/status_policy.rb
+++ b/app/policies/status_policy.rb
@@ -1,20 +1,17 @@
 # frozen_string_literal: true
 
-class StatusPolicy
-  attr_reader :account, :status
-
-  def initialize(account, status)
-    @account = account
-    @status = status
+class StatusPolicy < ApplicationPolicy
+  def index?
+    staff?
   end
 
   def show?
     if direct?
-      owned? || status.mentions.where(account: account).exists?
+      owned? || record.mentions.where(account: current_account).exists?
     elsif private?
-      owned? || account&.following?(status.account) || status.mentions.where(account: account).exists?
+      owned? || current_account&.following?(author) || record.mentions.where(account: current_account).exists?
     else
-      account.nil? || !status.account.blocking?(account)
+      current_account.nil? || !author.blocking?(current_account)
     end
   end
 
@@ -23,26 +20,30 @@ class StatusPolicy
   end
 
   def destroy?
-    admin? || owned?
+    staff? || owned?
   end
 
   alias unreblog? destroy?
 
-  private
-
-  def admin?
-    account&.user&.admin?
+  def update?
+    staff?
   end
 
+  private
+
   def direct?
-    status.direct_visibility?
+    record.direct_visibility?
   end
 
   def owned?
-    status.account.id == account&.id
+    author.id == current_account&.id
   end
 
   def private?
-    status.private_visibility?
+    record.private_visibility?
+  end
+
+  def author
+    record.account
   end
 end
diff --git a/app/policies/subscription_policy.rb b/app/policies/subscription_policy.rb
new file mode 100644
index 000000000..ac9a8a6c4
--- /dev/null
+++ b/app/policies/subscription_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class SubscriptionPolicy < ApplicationPolicy
+  def index?
+    admin?
+  end
+end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
new file mode 100644
index 000000000..aae207d06
--- /dev/null
+++ b/app/policies/user_policy.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+class UserPolicy < ApplicationPolicy
+  def reset_password?
+    staff? && !record.staff?
+  end
+
+  def disable_2fa?
+    admin? && !record.staff?
+  end
+
+  def confirm?
+    staff? && !record.confirmed?
+  end
+
+  def enable?
+    admin?
+  end
+
+  def disable?
+    admin? && !record.admin?
+  end
+
+  def promote?
+    admin? && promoteable?
+  end
+
+  def demote?
+    admin? && !record.admin? && demoteable?
+  end
+
+  private
+
+  def promoteable?
+    !record.staff? || !record.admin?
+  end
+
+  def demoteable?
+    record.staff?
+  end
+end
author	Eugen Rochko <eugen@zeonfederated.com>	2017-11-11 20:23:33 +0100
committer	GitHub <noreply@github.com>	2017-11-11 20:23:33 +0100
commit	7bb8b0b2fc0e2e42a4234fed18198cbb7439fe9f (patch)
tree	f629ef40a5e7253c3d7bf353959951c93e5aad6f /app/policies
parent	2b1190065c54f071ae384f6e05b4a087987febba (diff)