Implement authorisation for project comments

Issue reported by @ranjit-git on https://huntr.dev/bounties/8fdd2c80-5ed5-4278-bd1a-b7a37bc8c167/
CircuitVerse · Aug 24, 2021 · 13d4cc6 · 13d4cc6
1 parent 29a08c5
commit 13d4cc6
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/app/models/project.rb b/app/models/project.rb
@@ -137,6 +137,10 @@ def tag_list=(names)
     end
   end
 
+  def public?
+    project_access_type == "Public"
+  end
+
   def featured?
     project_access_type == "Public" && FeaturedCircuit.exists?(project_id: id)
   end

diff --git a/config/initializers/commontator.rb b/config/initializers/commontator.rb
@@ -105,15 +105,19 @@
   # Returns: a Boolean, true if and only if the user should be allowed to read that thread
   # Note: can be called with a user object that is nil (if they are not logged in)
   # Default: ->(thread, user) { true } (anyone can read any thread)
-  config.thread_read_proc = ->(thread, user) { true }
+  config.thread_read_proc = ->(thread, user) { 
+    return true if thread.commontable.public?
+
+    ProjectPolicy.new(user, thread.commontable).check_view_access?
+  }
 
   # thread_moderator_proc
   # Type: Proc
   # Arguments: a thread (Commontator::Thread), a user (acts_as_commontator)
   # Returns: a Boolean, true if and only if the user is a moderator for that thread
   # If you want global moderators, make this proc true for them regardless of thread
   # Default: ->(thread, user) { false } (no moderators)
-  config.thread_moderator_proc = ->(thread, user) { false }
+  config.thread_moderator_proc = ->(thread, user) { user.admin? }
 
   # comment_editing
   # Type: Symbol