From 38221ff33480d7a7f8d045619a2a65bae7b714f4 Mon Sep 17 00:00:00 2001 From: nisha-shaikh Date: Sat, 13 Jul 2024 19:28:33 +0500 Subject: [PATCH 01/10] AO3-6709 Certain admins can view the user's inbox page --- app/controllers/inbox_controller.rb | 3 +- app/policies/inbox_comment_policy.rb | 7 ++ spec/controllers/inbox_controller_spec.rb | 105 ++++++++++++++++++++++ 3 files changed, 114 insertions(+), 1 deletion(-) create mode 100644 app/policies/inbox_comment_policy.rb diff --git a/app/controllers/inbox_controller.rb b/app/controllers/inbox_controller.rb index fb7a710f7e6..6ab7794ab61 100644 --- a/app/controllers/inbox_controller.rb +++ b/app/controllers/inbox_controller.rb @@ -2,7 +2,7 @@ class InboxController < ApplicationController include BlockHelper before_action :load_user - before_action :check_ownership + before_action :check_ownership_or_admin before_action :load_commentable, only: :reply before_action :check_blocked, only: :reply @@ -13,6 +13,7 @@ def load_user end def show + authorize InboxComment if logged_in_as_admin? @inbox_total = @user.inbox_comments.with_bad_comments_removed.count @unread = @user.inbox_comments.with_bad_comments_removed.count_unread @filters = filter_params[:filters] || {} diff --git a/app/policies/inbox_comment_policy.rb b/app/policies/inbox_comment_policy.rb new file mode 100644 index 00000000000..8ec7d755b38 --- /dev/null +++ b/app/policies/inbox_comment_policy.rb @@ -0,0 +1,7 @@ +class InboxCommentPolicy < ApplicationPolicy + VIEW_INBOX_ROLES = %w[superadmin policy_and_abuse].freeze + + def show? + user_has_roles?(VIEW_INBOX_ROLES) + end +end diff --git a/spec/controllers/inbox_controller_spec.rb b/spec/controllers/inbox_controller_spec.rb index 21815b1bbd7..c3a7de0db1a 100644 --- a/spec/controllers/inbox_controller_spec.rb +++ b/spec/controllers/inbox_controller_spec.rb 
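Review bot: `check_ownership_or_admin` now admits every admin to every action of this controller, while the compensating `authorize InboxComment if logged_in_as_admin?` is added only to `show` here (and to `update` in the second patch of this series); `reply`, listed in the same before_action chain, receives no such check, so an admin of any role could reply from another user's inbox unless `check_ownership_or_admin` or `reply` itself narrows that — neither is visible in the series. The smallest closure is the same conditional `authorize InboxComment` at the top of `reply` together with an explicit `def reply? = false` in `InboxCommentPolicy`, plus a spec example showing that even an authorized admin is redirected from `reply`. The `show` body continues past the hunk.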
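Review bot: `InboxCommentPolicy` declares only `show?`, so any other action routed through `authorize InboxComment` (`update?` later in this series, `reply?`, `destroy?`) depends on what `ApplicationPolicy` defines, which is not visible here: with Pundit's generated template those return false, but if the base class lacks them Pundit raises NoMethodError and the admin gets a 500 instead of the redirect the specs expect. Spelling the denials out keeps the policy the single readable statement of what the two roles may do, e.g. `def update? = false` next to `show?`. A header comment would also orient a future maintainer: `# AO3-6709: superadmin and policy_and_abuse admins may read a user's inbox; modifying actions stay with the owner.`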
@@ -19,6 +19,111 @@ "Sorry, you don't have permission to access the page you were trying to reach.") end + context "when logged in as an admin" do + context "when admin does not have correct authorization" do + context "when admin has no role" do + let(:admin) { create(:admin, roles: []) } + + before { fake_login_admin(admin) } + + it "redirects with error" do + get :show, params: { user_id: user.login } + + it_redirects_to_with_error(root_path, "Sorry, only an authorized admin can access the page you were trying to reach.") + end + end + + (Admin::VALID_ROLES - %w[superadmin policy_and_abuse]).each do |role| + context "when admin has #{role} role" do + let(:admin) { create(:admin, roles: [role]) } + + before { fake_login_admin(admin) } + + it "redirects with error" do + get :show, params: { user_id: user.login } + + it_redirects_to_with_error(root_path, "Sorry, only an authorized admin can access the page you were trying to reach.") + end + end + end + end + + %w[superadmin policy_and_abuse].each do |role| + context "when admin is authorized with the #{role} role" do + let(:admin) { create(:admin, roles: [role]) } + + before { fake_login_admin(admin) } + + it "renders the user inbox" do + get :show, params: { user_id: user.login } + expect(response).to render_template("show") + expect(assigns(:inbox_total)).to eq(0) + expect(assigns(:unread)).to eq(0) + end + + context "with unread comments" do + let!(:inbox_comments) do + Array.new(3) do |i| + create(:inbox_comment, user: user, created_at: Time.now + i.days) + end + end + + it "renders non-zero unread count" do + get :show, params: { user_id: user.login } + expect(assigns(:inbox_comments)).to eq(inbox_comments.reverse) + expect(assigns(:inbox_total)).to eq(3) + expect(assigns(:unread)).to eq(3) + end + + it "renders oldest first" do + get :show, params: { user_id: user.login, filters: { date: "asc" } } + expect(assigns(:filters)[:date]).to eq("asc") + expect(assigns(:inbox_comments)).to eq(inbox_comments) + 
expect(assigns(:inbox_total)).to eq(3) + expect(assigns(:unread)).to eq(3) + end + end + + context "with 1 read and 1 unread" do + let!(:read_comment) { create(:inbox_comment, user: user, read: true) } + let!(:unread_comment) { create(:inbox_comment, user: user) } + + it "renders only unread" do + get :show, params: { user_id: user.login, filters: { read: "false" } } + expect(assigns(:filters)[:read]).to eq("false") + expect(assigns(:inbox_comments)).to eq([unread_comment]) + expect(assigns(:inbox_total)).to eq(2) + expect(assigns(:unread)).to eq(1) + end + end + + context "with 1 replied and 1 unreplied" do + let!(:replied_comment) { create(:inbox_comment, user: user, replied_to: true) } + let!(:unreplied_comment) { create(:inbox_comment, user: user) } + + it "renders only unreplied" do + get :show, params: { user_id: user.login, filters: { replied_to: "false" } } + expect(assigns(:filters)[:replied_to]).to eq("false") + expect(assigns(:inbox_comments)).to eq([unreplied_comment]) + expect(assigns(:inbox_total)).to eq(2) + expect(assigns(:unread)).to eq(2) + end + end + + context "with a deleted comment" do + let(:inbox_comment) { create(:inbox_comment, user: user) } + + it "excludes deleted comments" do + inbox_comment.feedback_comment.destroy + get :show, params: { user_id: user.login } + expect(assigns(:inbox_total)).to eq(0) + expect(assigns(:unread)).to eq(0) + end + end + end + end + end + context "when logged in as the same user" do before { fake_login_known_user(user) } From eda5f052a0a76fd3ee89202b5bcaadfb788e0a68 Mon Sep 17 00:00:00 2001 From: nisha-shaikh Date: Sun, 14 Jul 2024 16:44:46 +0500 Subject: [PATCH 02/10] AO3-6709 prevent admins from deleting comments or marking them as read --- app/controllers/inbox_controller.rb | 1 + spec/controllers/inbox_controller_spec.rb | 151 ++++++++++++---------- 2 files changed, 84 insertions(+), 68 deletions(-) 
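Review bot: The authorized-role list `%w[superadmin policy_and_abuse]` is hard-coded twice in this hunk (the exclusion on the `Admin::VALID_ROLES` line and the `each` that follows) instead of being read from `InboxCommentPolicy::VIEW_INBOX_ROLES`, so a later change to the policy constant would leave these examples silently exercising the old role set. Replacing both with the constant keeps spec and policy in lockstep: `(Admin::VALID_ROLES - InboxCommentPolicy::VIEW_INBOX_ROLES).each do |role|` and `InboxCommentPolicy::VIEW_INBOX_ROLES.each do |role|`. The enclosing describe for GET #show begins before the hunk.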
diff --git a/app/controllers/inbox_controller.rb b/app/controllers/inbox_controller.rb index 6ab7794ab61..4191691060a 100644 --- a/app/controllers/inbox_controller.rb +++ b/app/controllers/inbox_controller.rb @@ -31,6 +31,7 @@ def reply end def update + authorize InboxComment if logged_in_as_admin? begin @inbox_comments = InboxComment.find(params[:inbox_comments]) if params[:read] diff --git a/spec/controllers/inbox_controller_spec.rb b/spec/controllers/inbox_controller_spec.rb index c3a7de0db1a..b5c2c216877 100644 --- a/spec/controllers/inbox_controller_spec.rb +++ b/spec/controllers/inbox_controller_spec.rb 
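Review bot: `authorize InboxComment if logged_in_as_admin?` is now repeated verbatim at the top of `show` and `update`, and every further action opened to admins in this controller has to remember to repeat it. A single filter states the intent once: `before_action :authorize_admin_access, only: %i[show update]` with a private `def authorize_admin_access; authorize InboxComment if logged_in_as_admin?; end`, so the `only:` list becomes the one place to revisit when access changes. The `update` body continues beyond the hunk; the `begin` block opened here is not closed within it.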
@@ -254,92 +254,107 @@ end describe "PUT #update" do - before { fake_login_known_user(user) } - - context "with no comments selected" do - it "redirects to inbox with caution and a notice" do - put :update, params: { user_id: user.login, read: "yeah" } - it_redirects_to_with_caution_and_notice(user_inbox_path(user), - "Please select something first", - "Inbox successfully updated.") - end - - it "redirects to the previously viewed page if HTTP_REFERER is set, with a caution and a notice" do - @request.env['HTTP_REFERER'] = root_path - put :update, params: { user_id: user.login, read: "yeah" } - it_redirects_to_with_caution_and_notice(root_path, - "Please select something first", - "Inbox successfully updated.") + %w[superadmin policy_and_abuse].each do |role| + context "when logged in as an admin with the role #{role}" do + let(:admin) { create(:admin, roles: [role]) } + + before { fake_login_admin(admin) } + + it "redirects to root with error" do + put :update, params: { user_id: user.login } + it_redirects_to_with_error(root_path, "Sorry, only an authorized admin can access the page you were trying to reach.") + end end end - context "with unread comments" do - let!(:inbox_comment_1) { create(:inbox_comment, user: user) } - let!(:inbox_comment_2) { create(:inbox_comment, user: user) } - - it "marks all as read and redirects to inbox with a notice" do - parameters = { - user_id: user.login, - inbox_comments: [inbox_comment_1.id, inbox_comment_2.id], - read: "yeah" - } + context "when logged in as the same user" do + before { fake_login_known_user(user) } - put :update, params: parameters - it_redirects_to_with_notice(user_inbox_path(user), "Inbox successfully updated.") + context "with no comments selected" do + it "redirects to inbox with caution and a notice" do + put :update, params: { user_id: user.login, read: "yeah" } + it_redirects_to_with_caution_and_notice(user_inbox_path(user), + "Please select something first", + "Inbox successfully updated.") + end - 
inbox_comment_1.reload - expect(inbox_comment_1.read).to be_truthy - inbox_comment_2.reload - expect(inbox_comment_2.read).to be_truthy + it "redirects to the previously viewed page if HTTP_REFERER is set, with a caution and a notice" do + @request.env['HTTP_REFERER'] = root_path + put :update, params: { user_id: user.login, read: "yeah" } + it_redirects_to_with_caution_and_notice(root_path, + "Please select something first", + "Inbox successfully updated.") + end end - it "marks one as read and redirects to inbox with a notice" do - put :update, params: { user_id: user.login, inbox_comments: [inbox_comment_1.id], read: "yeah" } - it_redirects_to_with_notice(user_inbox_path(user), "Inbox successfully updated.") + context "with unread comments" do + let!(:inbox_comment_1) { create(:inbox_comment, user: user) } + let!(:inbox_comment_2) { create(:inbox_comment, user: user) } + + it "marks all as read and redirects to inbox with a notice" do + parameters = { + user_id: user.login, + inbox_comments: [inbox_comment_1.id, inbox_comment_2.id], + read: "yeah" + } + + put :update, params: parameters + it_redirects_to_with_notice(user_inbox_path(user), "Inbox successfully updated.") + + inbox_comment_1.reload + expect(inbox_comment_1.read).to be_truthy + inbox_comment_2.reload + expect(inbox_comment_2.read).to be_truthy + end - inbox_comment_1.reload - expect(inbox_comment_1.read).to be_truthy - inbox_comment_2.reload - expect(inbox_comment_2.read).to be_falsy - end + it "marks one as read and redirects to inbox with a notice" do + put :update, params: { user_id: user.login, inbox_comments: [inbox_comment_1.id], read: "yeah" } + it_redirects_to_with_notice(user_inbox_path(user), "Inbox successfully updated.") - it "deletes one and redirects to inbox with a notice" do - put :update, params: { user_id: user.login, inbox_comments: [inbox_comment_1.id], delete: "yeah" } - it_redirects_to_with_notice(user_inbox_path(user), "Inbox successfully updated.") + inbox_comment_1.reload + 
expect(inbox_comment_1.read).to be_truthy + inbox_comment_2.reload + expect(inbox_comment_2.read).to be_falsy + end - expect(InboxComment.find_by(id: inbox_comment_1.id)).to be_nil - inbox_comment_2.reload - expect(inbox_comment_2.read).to be_falsy + it "deletes one and redirects to inbox with a notice" do + put :update, params: { user_id: user.login, inbox_comments: [inbox_comment_1.id], delete: "yeah" } + it_redirects_to_with_notice(user_inbox_path(user), "Inbox successfully updated.") + + expect(InboxComment.find_by(id: inbox_comment_1.id)).to be_nil + inbox_comment_2.reload + expect(inbox_comment_2.read).to be_falsy + end end - end - context "with a read comment and redirects to inbox with a notice" do - let!(:inbox_comment) { create(:inbox_comment, user: user, read: true) } + context "with a read comment and redirects to inbox with a notice" do + let!(:inbox_comment) { create(:inbox_comment, user: user, read: true) } - it "marks as unread and redirects to inbox with a notice" do - put :update, params: { user_id: user.login, inbox_comments: [inbox_comment.id], unread: "yeah" } - it_redirects_to_with_notice(user_inbox_path(user), "Inbox successfully updated.") + it "marks as unread and redirects to inbox with a notice" do + put :update, params: { user_id: user.login, inbox_comments: [inbox_comment.id], unread: "yeah" } + it_redirects_to_with_notice(user_inbox_path(user), "Inbox successfully updated.") - inbox_comment.reload - expect(inbox_comment.read).to be_falsy - end + inbox_comment.reload + expect(inbox_comment.read).to be_falsy + end - it "marks as unread and returns a JSON response" do - parameters = { - user_id: user.login, - inbox_comments: [inbox_comment.id], - unread: "yeah", - format: "json" - } + it "marks as unread and returns a JSON response" do + parameters = { + user_id: user.login, + inbox_comments: [inbox_comment.id], + unread: "yeah", + format: "json" + } - put :update, params: parameters + put :update, params: parameters - 
inbox_comment.reload - expect(inbox_comment.read).to be_falsy + inbox_comment.reload + expect(inbox_comment.read).to be_falsy - parsed_body = JSON.parse(response.body, symbolize_names: true) - expect(parsed_body[:item_success_message]).to eq("Inbox successfully updated.") - expect(response).to have_http_status(:success) + parsed_body = JSON.parse(response.body, symbolize_names: true) + expect(parsed_body[:item_success_message]).to eq("Inbox successfully updated.") + expect(response).to have_http_status(:success) + end end end end From 2931eeea8316973c0abf2e66bb5e87508a54e021 Mon Sep 17 00:00:00 2001 From: nisha-shaikh Date: Wed, 17 Jul 2024 15:03:32 +0500 Subject: [PATCH 03/10] AO3-6709 Show inbox link on user dashboard only for superadmin and policy and abuse admins --- app/policies/dashboard_policy.rb | 7 +++++++ app/views/users/_sidebar.html.erb | 14 ++++++++------ 2 files changed, 15 insertions(+), 6 deletions(-) create mode 100644 app/policies/dashboard_policy.rb diff --git a/app/policies/dashboard_policy.rb b/app/policies/dashboard_policy.rb new file mode 100644 index 00000000000..13b7f92d158 --- /dev/null +++ b/app/policies/dashboard_policy.rb @@ -0,0 +1,7 @@ +class DashboardPolicy < ApplicationPolicy + VIEW_INBOX_ROLES = %w[superadmin policy_and_abuse].freeze + + def can_view_inbox_link? + user_has_roles?(VIEW_INBOX_ROLES) + end +end diff --git a/app/views/users/_sidebar.html.erb b/app/views/users/_sidebar.html.erb index 429c8ebcc95..3f073db185e 100644 --- a/app/views/users/_sidebar.html.erb +++ b/app/views/users/_sidebar.html.erb @@ -35,15 +35,17 @@
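Review bot: The new admin examples send `put :update` with only `user_id`, so they prove the redirect but not that a real modification request is refused before any record is touched; a denial that happened after `InboxComment.find` or after a destroy would pass this test just the same. Giving the request a payload and asserting the record survives pins the property that matters: `let!(:inbox_comment) { create(:inbox_comment, user: user) }`, `put :update, params: { user_id: user.login, inbox_comments: [inbox_comment.id], delete: "yeah" }`, then `expect(InboxComment.find_by(id: inbox_comment.id)).to be_present` after the redirect assertion. Only the two authorized roles are covered; an admin with no role or another role is not exercised against `update` at all. The remaining examples are an unchanged re-indentation under the new same-user context, and the outer describe block stays open past the hunk.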
  • <%= span_if_current ts("Collections (%{coll_number})", :coll_number => @user.maintained_collections.count), user_collections_path(@user) %>
  • -<% if @user == current_user %> +<% if @user == current_user || policy(:dashboard).can_view_inbox_link? %>

    <%= ts("Catch")%>

    <% end %> From f7f100111f5d3b9598caf450557ed8341de7f37d Mon Sep 17 00:00:00 2001 From: nisha-shaikh Date: Sat, 20 Jul 2024 20:56:55 +0500 Subject: [PATCH 04/10] AO3-6709 redirect to homepage with error if js format is requested --- app/controllers/application_controller.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 53f5b0b37f0..b00c2d99a94 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -276,6 +276,10 @@ def admin_only_access_denied errors = [ts("Sorry, only an authorized admin can do that.")] render json: { errors: errors }, status: :forbidden end + format.js do + flash[:error] = ts("Sorry, only an authorized admin can access the page you were trying to reach.") + render js: "window.location.href = '#{root_path}';" + end end end From 2fff819718e308613f7ae55d5f3acd6c736bd25f Mon Sep 17 00:00:00 2001 From: nisha-shaikh Date: Mon, 22 Jul 2024 18:58:00 +0500 Subject: [PATCH 05/10] AO3-6709 fix rubocop issues --- spec/controllers/inbox_controller_spec.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/spec/controllers/inbox_controller_spec.rb b/spec/controllers/inbox_controller_spec.rb index b5c2c216877..c24c640f093 100644 --- a/spec/controllers/inbox_controller_spec.rb +++ b/spec/controllers/inbox_controller_spec.rb @@ -64,7 +64,7 @@ context "with unread comments" do let!(:inbox_comments) do Array.new(3) do |i| - create(:inbox_comment, user: user, created_at: Time.now + i.days) + create(:inbox_comment, user: user, created_at: Time.now.utc + i.days) end end 
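Review bot: `policy(:dashboard).can_view_inbox_link?` is now evaluated for every viewer who is not the dashboard owner, logged-out visitors included, so the policy is built with whatever `pundit_user` yields for a non-admin (presumably nil); that is only safe if `ApplicationPolicy#user_has_roles?` tolerates a nil user, which nothing in this series shows. Keeping the policy call on the admin path avoids the question: `<% if @user == current_user || (logged_in_as_admin? && policy(:dashboard).can_view_inbox_link?) %>`, and a logged-out rendering of this partial would be a cheap spec to add. The same condition is carried forward by the later sidebar hunks in this series.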
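Review bot: The new `format.js` branch answers the authorization failure with HTTP 200, whereas the `format.json` branch directly above it uses `status: :forbidden`; if 200 is deliberate so that the caller actually evaluates the redirect script, a comment should say so, e.g. `# 200 on purpose: an error status would stop the client from evaluating the redirect script`, otherwise a later reader will "fix" it and silently break the redirect. The branch also has no spec anywhere in this series; an example issuing the request with `format: :js` as an unauthorized admin and asserting both `flash[:error]` and that `response.body` includes `root_path` would cover it. `admin_only_access_denied` starts before the hunk.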
@@ -279,7 +279,7 @@ end it "redirects to the previously viewed page if HTTP_REFERER is set, with a caution and a notice" do - @request.env['HTTP_REFERER'] = root_path + @request.env["HTTP_REFERER"] = root_path put :update, params: { user_id: user.login, read: "yeah" } it_redirects_to_with_caution_and_notice(root_path, "Please select something first", @@ -288,8 +288,8 @@ end context "with unread comments" do - let!(:inbox_comment_1) { create(:inbox_comment, user: user) } - let!(:inbox_comment_2) { create(:inbox_comment, user: user) } + let!(:inbox_comment1) { create(:inbox_comment, user: user) } + let!(:inbox_comment2) { create(:inbox_comment, user: user) } it "marks all as read and redirects to inbox with a notice" do parameters = { From afb1365840fb5341cdaa47f9db3ad5d9c80001a0 Mon Sep 17 00:00:00 2001 From: nisha-shaikh Date: Mon, 22 Jul 2024 21:19:26 +0500 Subject: [PATCH 06/10] AO3-6709 use i18n standard for sidebar on user dashboard --- app/views/users/_sidebar.html.erb | 42 +++++++++++++++---------------- config/locales/views/en.yml | 28 +++++++++++++++++++++ 2 files changed, 49 insertions(+), 21 deletions(-) diff --git a/app/views/users/_sidebar.html.erb b/app/views/users/_sidebar.html.erb index 3f073db185e..34b1c0f1b4d 100644 --- a/app/views/users/_sidebar.html.erb +++ b/app/views/users/_sidebar.html.erb @@ -1,30 +1,30 @@
    " role="navigation region"> -

    <%= ts("Choices")%>

    +

    <%= t(".landmark.choices")%>

    -

    <%= ts("Pitch")%>

    +

    <%= t(".landmark.pitch")%>

    <% if @user == current_user || policy(:dashboard).can_view_inbox_link? %> -

    <%= ts("Catch")%>

    +

    <%= t(".landmark.catch")%>

    <% end %> -

    <%= ts("Switch")%>

    +

    <%= t(".landmark.switch")%>

    diff --git a/config/locales/views/en.yml b/config/locales/views/en.yml index e9be9398be9..c5c76dce90b 100644 --- a/config/locales/views/en.yml +++ b/config/locales/views/en.yml @@ -1033,6 +1033,34 @@ en: link_support: contact us through our Support and Feedback form link_tos: Terms of Service welcome_text: Hi! It looks like you've just logged into the Archive for the first time. %{help_link} or dismiss this message permanently. + sidebar: + catch: + history: History + inbox: Inbox (%{inbox_number}) + statistics: Statistics + subscriptions: Subscriptions + choices: + all_pseuds: All Pseuds (%{pseud_number}) + dashboard: Dashboard + preferences: Preferences + profile: Profile + pseud_switcher: Pseud Switcher + pseuds: Pseuds + skins: Skins + landmark: + catch: Catch + choices: Choices + pitch: Pitch + switch: Switch + pitch: + collections: Collections (%{coll_number}) + drafts: Drafts (%{drafts_number}) + switch: + assignments: Assignments (%{assignment_number}) + claims: Claims (%{claim_number}) + co_creator_requests: Co-Creator Requests (%{count}) + related_works: Related Works (%{related_works_number}) + sign_ups: Sign-ups (%{signup_number}) works: adult: caution: This work could have adult content. If you continue, you have agreed that you are willing to see such content. From f3a420302179b29ed3d4aba3fad524bb1b46e1dc Mon Sep 17 00:00:00 2001 From: nisha-shaikh Date: Mon, 22 Jul 2024 21:24:46 +0500 Subject: [PATCH 07/10] AO3-6709 use i18n standard for admin only access denied error messages --- app/controllers/application_controller.rb | 6 +++--- config/locales/controllers/en.yml | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index b00c2d99a94..8dfd444ec56 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb 
@@ -269,15 +269,15 @@ def access_denied(options ={}) def admin_only_access_denied respond_to do |format| format.html do - flash[:error] = ts("Sorry, only an authorized admin can access the page you were trying to reach.") + flash[:error] = t("admin.access.page_access_denied") redirect_to root_path end format.json do - errors = [ts("Sorry, only an authorized admin can do that.")] + errors = [t("admin.access.action_access_denied")] render json: { errors: errors }, status: :forbidden end format.js do - flash[:error] = ts("Sorry, only an authorized admin can access the page you were trying to reach.") + flash[:error] = t("admin.access.page_access_denied") render js: "window.location.href = '#{root_path}';" end end diff --git a/config/locales/controllers/en.yml b/config/locales/controllers/en.yml index bc8d7c3a86c..3c361cb0f27 100644 --- a/config/locales/controllers/en.yml +++ b/config/locales/controllers/en.yml @@ -8,6 +8,9 @@ en: success: one: "%{count} person from the invite queue is being invited." other: "%{count} people from the invite queue are being invited." + access: + page_access_denied: Sorry, only an authorized admin can access the page you were trying to reach. + action_access_denied: Sorry, only an authorized admin can do that. admin_users: destroy_user_creations: success: All creations by user %{login} have been deleted. From 7f0b3e91e10d312cd514b669fc45597715bd903d Mon Sep 17 00:00:00 2001 From: nisha-shaikh Date: Mon, 22 Jul 2024 21:42:08 +0500 Subject: [PATCH 08/10] AO3-6709 fix linting issues --- app/views/users/_sidebar.html.erb | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/app/views/users/_sidebar.html.erb b/app/views/users/_sidebar.html.erb index 34b1c0f1b4d..c4c18495316 100644 --- a/app/views/users/_sidebar.html.erb +++ b/app/views/users/_sidebar.html.erb @@ -1,5 +1,5 @@
    " role="navigation region"> -

    <%= t(".landmark.choices")%>

    +

    <%= t(".landmark.choices") %>

    -

    <%= t(".landmark.pitch")%>

    +

    <%= t(".landmark.pitch") %>

    <% if @user == current_user || policy(:dashboard).can_view_inbox_link? %> -

    <%= t(".landmark.catch")%>

    +

    <%= t(".landmark.catch") %>

    <% end %> -

    <%= t(".landmark.switch")%>

    +

    <%= t(".landmark.switch") %>

    From 41df81d56d6fd15b69e037333408f4365f476265 Mon Sep 17 00:00:00 2001 From: nisha-shaikh Date: Mon, 22 Jul 2024 22:14:10 +0500 Subject: [PATCH 09/10] AO3-6709 fix issues with renaming variable --- config/locales/controllers/en.yml | 6 ++--- spec/controllers/inbox_controller_spec.rb | 28 +++++++++++------------ 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/config/locales/controllers/en.yml b/config/locales/controllers/en.yml index 3c361cb0f27..60215577add 100644 --- a/config/locales/controllers/en.yml +++ b/config/locales/controllers/en.yml @@ -1,6 +1,9 @@ --- en: admin: + access: + action_access_denied: Sorry, only an authorized admin can do that. + page_access_denied: Sorry, only an authorized admin can access the page you were trying to reach. admin_invitations: find: user_not_found: No results were found. Try another search. @@ -8,9 +11,6 @@ en: success: one: "%{count} person from the invite queue is being invited." other: "%{count} people from the invite queue are being invited." - access: - page_access_denied: Sorry, only an authorized admin can access the page you were trying to reach. - action_access_denied: Sorry, only an authorized admin can do that. admin_users: destroy_user_creations: success: All creations by user %{login} have been deleted. diff --git a/spec/controllers/inbox_controller_spec.rb b/spec/controllers/inbox_controller_spec.rb index c24c640f093..68551d0b3e5 100644 --- a/spec/controllers/inbox_controller_spec.rb +++ b/spec/controllers/inbox_controller_spec.rb 
@@ -294,36 +294,36 @@ it "marks all as read and redirects to inbox with a notice" do parameters = { user_id: user.login, - inbox_comments: [inbox_comment_1.id, inbox_comment_2.id], + inbox_comments: [inbox_comment1.id, inbox_comment2.id], read: "yeah" } put :update, params: parameters it_redirects_to_with_notice(user_inbox_path(user), "Inbox successfully updated.") - inbox_comment_1.reload - expect(inbox_comment_1.read).to be_truthy - inbox_comment_2.reload - expect(inbox_comment_2.read).to be_truthy + inbox_comment1.reload + expect(inbox_comment1.read).to be_truthy + inbox_comment2.reload + expect(inbox_comment2.read).to be_truthy end it "marks one as read and redirects to inbox with a notice" do - put :update, params: { user_id: user.login, inbox_comments: [inbox_comment_1.id], read: "yeah" } + put :update, params: { user_id: user.login, inbox_comments: [inbox_comment1.id], read: "yeah" } it_redirects_to_with_notice(user_inbox_path(user), "Inbox successfully updated.") - inbox_comment_1.reload - expect(inbox_comment_1.read).to be_truthy - inbox_comment_2.reload - expect(inbox_comment_2.read).to be_falsy + inbox_comment1.reload + expect(inbox_comment1.read).to be_truthy + inbox_comment2.reload + expect(inbox_comment2.read).to be_falsy end it "deletes one and redirects to inbox with a notice" do - put :update, params: { user_id: user.login, inbox_comments: [inbox_comment_1.id], delete: "yeah" } + put :update, params: { user_id: user.login, inbox_comments: [inbox_comment1.id], delete: "yeah" } it_redirects_to_with_notice(user_inbox_path(user), "Inbox successfully updated.") - expect(InboxComment.find_by(id: inbox_comment_1.id)).to be_nil - inbox_comment_2.reload - expect(inbox_comment_2.read).to be_falsy + expect(InboxComment.find_by(id: inbox_comment1.id)).to be_nil + inbox_comment2.reload + expect(inbox_comment2.read).to be_falsy end end From edc89f64be39dc0944259691709d40e482606855 Mon Sep 17 00:00:00 2001 
From: nisha-shaikh
Date: Fri, 20 Sep 2024 17:31:08 +0500
Subject: [PATCH 10/10] AO3-6709 Use single inbox_comment_policy for controlling access to inbox page for admins
---
 app/policies/dashboard_policy.rb | 7 -------
 app/views/users/_sidebar.html.erb | 2 +-
 spec/controllers/inbox_controller_spec.rb | 14 +++++++-------
 3 files changed, 8 insertions(+), 15 deletions(-)
 delete mode 100644 app/policies/dashboard_policy.rb
diff --git a/app/policies/dashboard_policy.rb b/app/policies/dashboard_policy.rb
deleted file mode 100644
index 13b7f92d158..00000000000
--- a/app/policies/dashboard_policy.rb
+++ /dev/null
@@ -1,7 +0,0 @@
-class DashboardPolicy < ApplicationPolicy
- VIEW_INBOX_ROLES = %w[superadmin policy_and_abuse].freeze
-
- def can_view_inbox_link?
- user_has_roles?(VIEW_INBOX_ROLES)
- end
-end
diff --git a/app/views/users/_sidebar.html.erb b/app/views/users/_sidebar.html.erb
index c4c18495316..a6a8a0295d2 100644
--- a/app/views/users/_sidebar.html.erb
+++ b/app/views/users/_sidebar.html.erb
@@ -35,7 +35,7 @@
  • <%= span_if_current t(".pitch.collections", coll_number: @user.maintained_collections.count), user_collections_path(@user) %>
  • -<% if @user == current_user || policy(:dashboard).can_view_inbox_link? %> +<% if @user == current_user || policy(:inbox_comment).show? %>

    <%= t(".landmark.catch") %>