From 13d4cc621dc5eee39537f26a4a2b22cb15f4362e Mon Sep 17 00:00:00 2001 From: Aboobacker MK Date: Tue, 24 Aug 2021 22:48:26 +0530 Subject: [PATCH] Implement authorisation for project comments Issue reported by @ranjit-git on https://huntr.dev/bounties/8fdd2c80-5ed5-4278-bd1a-b7a37bc8c167/ --- app/models/project.rb | 4 ++++ config/initializers/commontator.rb | 8 ++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/app/models/project.rb b/app/models/project.rb index 3456e134dc..e107e52174 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -137,6 +137,10 @@ def tag_list=(names) end end + def public? + project_access_type == "Public" + end + def featured? project_access_type == "Public" && FeaturedCircuit.exists?(project_id: id) end diff --git a/config/initializers/commontator.rb b/config/initializers/commontator.rb index 5e1b1d8d45..b9a95c8fb5 100644 --- a/config/initializers/commontator.rb +++ b/config/initializers/commontator.rb @@ -105,7 +105,11 @@ # Returns: a Boolean, true if and only if the user should be allowed to read that thread # Note: can be called with a user object that is nil (if they are not logged in) # Default: ->(thread, user) { true } (anyone can read any thread) - config.thread_read_proc = ->(thread, user) { true } + config.thread_read_proc = ->(thread, user) { + return true if thread.commontable.public? + + ProjectPolicy.new(user, thread.commontable).check_view_access? + } # thread_moderator_proc # Type: Proc @@ -113,7 +117,7 @@ # Returns: a Boolean, true if and only if the user is a moderator for that thread # If you want global moderators, make this proc true for them regardless of thread # Default: ->(thread, user) { false } (no moderators) - config.thread_moderator_proc = ->(thread, user) { false } + config.thread_moderator_proc = ->(thread, user) { user.admin? } # comment_editing # Type: Symbol
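Review bot: The new `public?` predicate and the `featured?` method right below it both spell out `project_access_type == "Public"`, so the access-type literal now lives in two places in the same hunk and a future rename of the access type has to be done twice. Since `featured?` is the only other reader of that comparison visible here, it should delegate: `public? && FeaturedCircuit.exists?(project_id: id)`. The enclosing `Project` class starts and ends outside this hunk, so there may be further call sites of the same literal that are not visible.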
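Review bot: The comment directly above the rewritten `thread_read_proc` states that it "can be called with a user object that is nil", yet for a non-public project the new lambda hands that nil straight to `ProjectPolicy.new(user, thread.commontable).check_view_access?`; whether that denies access or raises a NoMethodError (a 500 for every anonymous visitor of a non-public project's comments) depends on the policy, which this commit does not touch. Either confirm `check_view_access?` is nil-safe for every access type that is meant to be viewable anonymously, or fail closed explicitly before the policy call with `return false if user.nil?` if anonymous access to non-public threads is never intended. A second, hedged point: `thread.commontable` is presumably polymorphic in Commontator, and the lambda is the global read check, so it would raise on any commontable model that does not define `public?`; if `Project` is the only commentable model this is fine, otherwise guard with `respond_to?(:public?)` or a policy lookup. The `configure` block that yields `config` starts and ends outside this hunk.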
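Review bot: `->(thread, user) { user.admin? }` raises NoMethodError when `user` is nil, and the neighbouring `thread_read_proc` is documented a few lines up as being invoked with a nil user for anonymous visitors, so it is plausible (not confirmed from the hunk) that the moderator check is too. The comment above the line also requires a Boolean, which `user&.admin?` alone would not guarantee; the defensive form is `config.thread_moderator_proc = ->(thread, user) { !user.nil? && user.admin? }`. Separately, this turns every admin into a moderator of every thread (the previous default was "no moderators"), which is a deliberate privilege grant worth a one-line comment such as `# site admins may moderate (edit/delete) any project comment` so the next reader does not mistake it for a leftover default.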