[#1005] Hide individual attachments

app/models/ability.rb

@@ -42,6 +42,10 @@ def initialize(user, project: nil, public_token: false)
     end
 
     # Viewing messages with prominence
+    can :read, FoiAttachment do |attachment|
+      can_view_with_prominence?(attachment.prominence, attachment.incoming_message.info_request)
+    end
+
     can :read, [IncomingMessage, OutgoingMessage] do |msg|
       can_view_with_prominence?(msg.prominence, msg.info_request)
     end

app/views/request/_attachments.html.erb

@@ -13,20 +13,27 @@
     <ul class="list-of-attachments">
       <% attachments.each do |a| %>
         <%= tag.li class: 'attachment', id: dom_id(a) do %>
-          <%= attachment_link(incoming_message, a) %>
+          <% if cannot?(:read, a) %>
+            <img class="attachment__image" alt="Attachment" src="/assets/content_type/icon_unknown.png"></a>
+            <%= render partial: 'request/hidden_attachment', locals: { attachment: a } %>
+          <% else %>
+            <%= render partial: 'request/restricted_attachment', locals: { attachment: a } %>
 
-          <p class="attachment__name">
-            <%= h a.display_filename %>
-          </p>
+            <%= attachment_link(incoming_message, a) %>
 
-          <p class="attachment__meta">
-            <%= a.display_size %>
-            <%= link_to "Download", attachment_path(a) %>
-            <% if a.has_body_as_html? && incoming_message.info_request.prominence(:decorate => true).is_public? %>
-              <%= link_to "View as HTML", attachment_path(a, :html => true) %>
-            <% end %>
-            <%= a.extra_note %>
-          </p>
+            <p class="attachment__name">
+              <%= h a.display_filename %>
+            </p>
+
+            <p class="attachment__meta">
+              <%= a.display_size %>
+              <%= link_to "Download", attachment_path(a) %>
+              <% if a.has_body_as_html? && incoming_message.info_request.prominence(:decorate => true).is_public? %>
+                <%= link_to "View as HTML", attachment_path(a, :html => true) %>
+              <% end %>
+              <%= a.extra_note %>
+            </p>
+          <% end %>
         <% end %>
       <% end %>
     </ul>
@@ -35,5 +42,13 @@
   </div>
 <% end %>
 
-<%= tag.div incoming_message.get_body_for_html_display(@collapse_quotes),
-            id: dom_id(incoming_message.get_main_body_text_part) %>
+<%= tag.div class: 'attachment', id: dom_id(incoming_message.get_main_body_text_part) do %>
+  <% if cannot?(:read, incoming_message.get_main_body_text_part) %>
+    <%= render partial: 'request/hidden_attachment',
+               locals: { attachment: incoming_message.get_main_body_text_part } %>
+  <% else %>
+    <%= render partial: 'request/restricted_attachment',
+               locals: { attachment: incoming_message.get_main_body_text_part } %>
+    <%= incoming_message.get_body_for_html_display(@collapse_quotes) %>
+  <% end %>
+<% end %>

app/views/request/_hidden_attachment.html.erb

@@ -0,0 +1,18 @@
+<p class="attachment__meta">
+  <%- if !attachment.prominence_reason.blank? %>
+    <%= _('This attachment has been hidden.') %>
+    <%= attachment.prominence_reason %>
+    <%= _('Please <a href="{{url}}">contact us</a> if you have any questions.',
+          url: help_contact_path.html_safe) %>
+  <%- else %>
+    <%= _("This attachment has been hidden. There are various reasons why we " \
+             "might have done this, sorry we can't be more specific here.") %>
+    <%= _('Please <a href="{{url}}">contact us</a> if you have any questions.',
+          url: help_contact_path.html_safe) %>
+  <%- end %>
+  <% if attachment.prominence == 'requester_only' %>
+    <%= _('If you are the requester, then you may ' \
+          '<a href="{{url}}">sign in</a> to view the attachment.',
+          url: signin_url(r: request.fullpath).html_safe) %>
+  <% end %>
+</p>

app/views/request/_restricted_attachment.html.erb

@@ -0,0 +1,27 @@
+<% if attachment.prominence == 'hidden' %>
+  <p class="attachment__meta">
+    <%- if !attachment.prominence_reason.blank? %>
+      <%= _('This attachment has prominence \'hidden\'. {{reason}} You can ' \
+            'only see it because you are logged in as a super user.',
+            reason: attachment.prominence_reason) %>
+    <%- else %>
+      <%= _('This attachment has prominence \'hidden\'. You can only see it ' \
+            'because you are logged in as a super user.') %>
+    <%- end %>
+  </p>
+<% end %>
+
+<% if attachment.prominence == 'requester_only' %>
+  <p class="attachment__meta">
+    <%- if !attachment.prominence_reason.blank? %>
+      <%= _('This attachment is hidden, so that only you, the requester, can ' \
+            'see it. {{reason}}',
+            reason: attachment.prominence_reason) %>
+    <%- else %>
+      <%= _('This attachment is hidden, so that only you, the requester, can ' \
+            'see it. Please <a href="{{url}}">contact us</a> if you are not ' \
+            'sure why.',
+            url: help_requesting_path.html_safe) %>
+    <%- end %>
+  </p>
+<% end %>