From f8ca3bb2a1dd648f41e8fea5b5eb87b53bc8d521 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Wed, 26 Oct 2022 13:42:29 +0200 Subject: Add ability to view previous edits of a status in admin UI (#19462) * Add ability to view previous edits of a status in admin UI * Change moderator access to posts to be controlled by a separate policy --- app/models/admin/status_filter.rb | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'app/models/admin') diff --git a/app/models/admin/status_filter.rb b/app/models/admin/status_filter.rb index 4fba612a6..d7a16f760 100644 --- a/app/models/admin/status_filter.rb +++ b/app/models/admin/status_filter.rb @@ -3,7 +3,6 @@ class Admin::StatusFilter KEYS = %i( media - id report_id ).freeze @@ -28,12 +27,10 @@ class Admin::StatusFilter private - def scope_for(key, value) + def scope_for(key, _value) case key.to_s when 'media' Status.joins(:media_attachments).merge(@account.media_attachments.reorder(nil)).group(:id).reorder('statuses.id desc') - when 'id' - Status.where(id: value) else raise "Unknown filter: #{key}" end -- cgit From 07cc201accd4a04c8c11cda21eecded4e7875d55 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Fri, 28 Oct 2022 00:48:30 +0200 Subject: Fix using wrong policy on status-related actions in admin UI (#19490) --- app/models/admin/status_batch_action.rb | 4 ++-- app/models/trends/status_batch.rb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'app/models/admin') diff --git a/app/models/admin/status_batch_action.rb b/app/models/admin/status_batch_action.rb index 7bf6fa6da..0ec4fef82 100644 --- a/app/models/admin/status_batch_action.rb +++ b/app/models/admin/status_batch_action.rb @@ -40,7 +40,7 @@ class Admin::StatusBatchAction end def handle_delete! - statuses.each { |status| authorize(status, :destroy?) } + statuses.each { |status| authorize([:admin, status], :destroy?) } ApplicationRecord.transaction do statuses.each do |status| 
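Review bot: After this hunk drops the `id` branch, `scope_for` no longer uses its value argument at all (hence the `_value` rename), so the `else` branch is the only place the argument-shaped input is still reflected: `raise "Unknown filter: #{key}"` raises a bare RuntimeError with the caller-supplied key interpolated into the message. If the keys reaching this method are already restricted to `KEYS` by the caller (not visible in the hunk) this is unreachable and harmless; otherwise prefer a typed error so callers can rescue it deliberately, e.g. `raise ArgumentError, "Unknown filter: #{key}"`. The enclosing `Admin::StatusFilter` class and the `results` method that calls `scope_for` lie outside the hunk.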
@@ -75,7 +75,7 @@ class Admin::StatusBatchAction statuses.includes(:media_attachments, :preview_cards).find_each do |status| next unless status.with_media? || status.with_preview_card? - authorize(status, :update?) + authorize([:admin, status], :update?) if target_account.local? UpdateStatusService.new.call(status, representative_account.id, sensitive: true) diff --git a/app/models/trends/status_batch.rb b/app/models/trends/status_batch.rb index 78d93bed4..f9b97b224 100644 --- a/app/models/trends/status_batch.rb +++ b/app/models/trends/status_batch.rb @@ -30,7 +30,7 @@ class Trends::StatusBatch end def approve! - statuses.each { |status| authorize(status, :review?) } + statuses.each { |status| authorize([:admin, status], :review?) } statuses.update_all(trendable: true) end @@ -45,7 +45,7 @@ class Trends::StatusBatch end def reject! - statuses.each { |status| authorize(status, :review?) } + statuses.each { |status| authorize([:admin, status], :review?) } statuses.update_all(trendable: false) end -- cgit From 40c7f3e830538951862dc73074d1045a82395ab0 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Sun, 30 Oct 2022 02:44:32 +0200 Subject: Fix account action type validation (#19476) * Fix account action type validation Fix #19143 * Fix #19145 * Fix code style issues --- app/models/admin/account_action.rb | 9 +++-- .../v1/admin/account_actions_controller_spec.rb | 44 ++++++++++++++-------- 2 files changed, 34 insertions(+), 19 deletions(-) (limited to 'app/models/admin') diff --git a/app/models/admin/account_action.rb b/app/models/admin/account_action.rb index aed3bc0c7..bce0d6e17 100644 --- a/app/models/admin/account_action.rb +++ b/app/models/admin/account_action.rb @@ -25,6 +25,8 @@ class Admin::AccountAction alias send_email_notification? send_email_notification alias include_statuses? include_statuses + validates :type, :target_account, :current_account, presence: true + def initialize(attributes = {}) @send_email_notification = true @include_statuses = true 
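Review bot: In the `-75` hunk the authorization `authorize([:admin, status], :update?)` now runs inside the `find_each` loop, after earlier iterations have already called `UpdateStatusService.new.call(status, representative_account.id, sensitive: true)`, and the visible lines show no transaction around the loop. A `Pundit::NotAuthorizedError` on a later status therefore leaves the batch partially applied, whereas `handle_delete!` in the same file authorizes every status before it opens its transaction. Consider the same pattern here: add `statuses.each { |status| authorize([:admin, status], :update?) }` before the `find_each`, and drop the in-loop call. The remainder of `handle_mark_as_sensitive!` continues outside the hunk, so any surrounding rescue or transaction there would change this assessment.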
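Review bot: The added `validates :type, :target_account, :current_account, presence: true` in `Admin::AccountAction` only rejects a blank `type`; any non-empty string supplied by the API caller still passes and is later dispatched on by `process_action!` and recorded by `process_strike!`. If the class declares the permitted action names in a constant (not visible in this hunk), an inclusion validation would close that gap: `validates :type, inclusion: { in: TYPES }`. If no such constant exists, the `case` in `process_action!` should at least raise on an unknown `type` rather than fall through silently. The `initialize` method this hunk touches continues outside the hunk.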
@@ -41,13 +43,15 @@ class Admin::AccountAction end def save! + raise ActiveRecord::RecordInvalid, self unless valid? + ApplicationRecord.transaction do process_action! process_strike! + process_reports! end process_email! - process_reports! process_queue! end @@ -106,9 +110,8 @@ class Admin::AccountAction # Otherwise, we will mark all unresolved reports about # the account as resolved. - reports.each { |report| authorize(report, :update?) } - reports.each do |report| + authorize(report, :update?) log_action(:resolve, report) report.resolve!(current_account) end diff --git a/spec/controllers/api/v1/admin/account_actions_controller_spec.rb b/spec/controllers/api/v1/admin/account_actions_controller_spec.rb index 199395f55..462c2cfa9 100644 --- a/spec/controllers/api/v1/admin/account_actions_controller_spec.rb +++ b/spec/controllers/api/v1/admin/account_actions_controller_spec.rb 
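Review bot: Moving `process_reports!` into the transaction means the per-report `authorize(report, :update?)` now runs after `process_action!` and `process_strike!` have already executed; a failed authorization rolls back the database writes, but any side effects those two methods perform outside the database (enqueued jobs, remote calls, cache writes — not visible here) are not undone. The previous code authorized every report up front, which avoided that ordering problem; it can be kept alongside the new structure by putting `reports.each { |report| authorize(report, :update?) }` immediately after the `valid?` guard and before `ApplicationRecord.transaction do`, leaving the loop body to log and resolve only. Also worth a brief comment on the guard, e.g. `# Mirror ActiveRecord semantics: save! on an invalid action raises instead of silently no-op'ing`, since `ActiveRecord::RecordInvalid` is unusual on a non-AR model. `save!` and `process_reports!` both extend past the hunk boundaries.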
@@ -30,28 +30,40 @@ RSpec.describe Api::V1::Admin::AccountActionsController, type: :controller do end describe 'POST #create' do - before do - post :create, params: { account_id: account.id, type: 'disable' } - end + context do + before do + post :create, params: { account_id: account.id, type: 'disable' } + end - it_behaves_like 'forbidden for wrong scope', 'write:statuses' - it_behaves_like 'forbidden for wrong role', '' + it_behaves_like 'forbidden for wrong scope', 'write:statuses' + it_behaves_like 'forbidden for wrong role', '' - it 'returns http success' do - expect(response).to have_http_status(200) - end + it 'returns http success' do + expect(response).to have_http_status(200) + end + + it 'performs action against account' do + expect(account.reload.user_disabled?).to be true + end + + it 'logs action' do + log_item = Admin::ActionLog.last - it 'performs action against account' do - expect(account.reload.user_disabled?).to be true + expect(log_item).to_not be_nil + expect(log_item.action).to eq :disable + expect(log_item.account_id).to eq user.account_id + expect(log_item.target_id).to eq account.user.id + end end - it 'logs action' do - log_item = Admin::ActionLog.last + context 'with no type' do + before do + post :create, params: { account_id: account.id } + end - expect(log_item).to_not be_nil - expect(log_item.action).to eq :disable - expect(log_item.account_id).to eq user.account_id - expect(log_item.target_id).to eq account.user.id + it 'returns http unprocessable entity' do + expect(response).to have_http_status(422) + end end end end -- cgit
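Review bot: The new negative case only covers a missing `type` (`post :create, params: { account_id: account.id }` expecting 422); there is no case sending an unrecognized value such as `type: 'foo'`, which is the input most likely to slip past a presence-only validation, so adding a `context 'with an unknown type'` asserting the response status would pin the intended behaviour. As a point of style, the first `context do` has no description, which makes failure output read as an anonymous example group; name it, e.g. `context 'with a valid type' do`. The `describe 'POST #create'` block is fully inside the hunk, but the surrounding `RSpec.describe` and its `let` fixtures are not.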