Merge pull request #626 from metamaps/bug/detached

shouldn't reference relatives that are connected in private ways
2016-09-05 11:58:08 +08:00 · 2016-09-05 11:58:08 +08:00 · 8d372f780d
commit 8d372f780d
parent 4a2f3203bd 3e38fba215
2 changed files with 10 additions and 16 deletions
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@ -24,10 +24,8 @@ class TopicsController < ApplicationController

    respond_to do |format|
      format.html do
-        @alltopics = [@topic].concat(policy_scope(Topic.relatives1(@topic.id)).to_a).concat(policy_scope(Topic.relatives2(@topic.id)).to_a)
+        @alltopics = [@topic].concat(policy_scope(Topic.relatives(@topic.id, current_user)).to_a)
        @allsynapses = policy_scope(Synapse.for_topic(@topic.id)).to_a
-        puts @alltopics.length
-        puts @allsynapses.length
        @allcreators = @alltopics.map(&:user).uniq
        @allcreators += @allsynapses.map(&:user).uniq

@ -42,7 +40,7 @@ class TopicsController < ApplicationController
    @topic = Topic.find(params[:id])
    authorize @topic

-    @alltopics = [@topic].concat(policy_scope(Topic.relatives1(@topic.id)).to_a).concat(policy_scope(Topic.relatives2(@topic.id)).to_a)
+    @alltopics = [@topic].concat(policy_scope(Topic.relatives(@topic.id, current_user)).to_a)
    @allsynapses = policy_scope(Synapse.for_topic(@topic.id))

    @allcreators = @alltopics.map(&:user).uniq
@ -66,7 +64,7 @@ class TopicsController < ApplicationController

    topicsAlreadyHas = params[:network] ? params[:network].split(',').map(&:to_i) : []

-    @alltopics = policy_scope(Topic.relatives1(@topic.id)).to_a.concat(policy_scope(Topic.relatives2(@topic.id)).to_a).uniq
+    @alltopics = policy_scope(Topic.relatives(@topic.id, current_user)).to_a
    @alltopics.delete_if do |topic|
      !topicsAlreadyHas.index(topic.id).nil?
    end
@ -88,7 +86,7 @@ class TopicsController < ApplicationController

    topicsAlreadyHas = params[:network] ? params[:network].split(',').map(&:to_i) : []

-    alltopics = policy_scope(Topic.relatives1(@topic.id)).to_a.concat(policy_scope(Topic.relatives2(@topic.id)).to_a).uniq
+    alltopics = policy_scope(Topic.relatives(@topic.id)).to_a
    alltopics.delete_if do |topic|
      !topicsAlreadyHas.index(topic.id.to_s).nil?
    end
--- a/app/models/topic.rb
+++ b/app/models/topic.rb
@ -42,16 +42,12 @@ class Topic < ActiveRecord::Base
    topics1 + topics2
  end

-  scope :relatives1, ->(topic_id = nil) {
-    includes(:topics1)
-      .where('synapses.node1_id = ?', topic_id)
-      .references(:synapses)
-  }
-
-  scope :relatives2, ->(topic_id = nil) {
-    includes(:topics2)
-      .where('synapses.node2_id = ?', topic_id)
-      .references(:synapses)
+  scope :relatives, ->(topic_id = nil, user = nil) {
+    # should only see topics through *visible* synapses
+    # e.g. Topic A (commons) -> synapse (private) -> Topic B (commons) must be filtered out
+    synapses = Pundit.policy_scope(user, Synapse.where(node1_id: topic_id)).pluck(:node2_id)
+    synapses += Pundit.policy_scope(user, Synapse.where(node2_id: topic_id)).pluck(:node1_id)
+    where(id: synapses.uniq)
  }

  delegate :name, to: :user, prefix: true