diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index ef4c0a778dc..767bdefa511 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -54,6 +54,7 @@ def initialize(user)
 can [:index, :create, :destroy], UserMute
 
 if user.moderator?
+ can :show_redactions, [:browse, OldNode, OldWay, OldRelation]
 can [:hide, :unhide, :hidecomment, :unhidecomment], DiaryEntry
 can [:index, :show, :resolve, :ignore, :reopen], Issue
 can :create, IssueComment
diff --git a/app/controllers/browse_controller.rb b/app/controllers/browse_controller.rb
index db291f6eb89..03ce13c0348 100644
--- a/app/controllers/browse_controller.rb
+++ b/app/controllers/browse_controller.rb
@@ -6,7 +6,7 @@ class BrowseController < ApplicationController
 before_action -> { check_database_readable(:need_api => true) }
 before_action :require_oauth
 before_action :update_totp, :only => [:query]
- before_action :require_moderator_for_unredacted_history, :only => [:relation_history, :way_history, :node_history]
+ before_action -> { authorize! :show_redactions, :browse if params[:show_redactions] }, :only => [:relation_history, :way_history, :node_history]
 around_action :web_timeout
 
 authorize_resource :class => false
@@ -59,10 +59,4 @@ def node_history
 end
 
 def query; end
-
- private
-
- def require_moderator_for_unredacted_history
- deny_access(nil) if params[:show_redactions] && !current_user&.moderator?
- end
 end
diff --git a/app/controllers/old_nodes_controller.rb b/app/controllers/old_nodes_controller.rb
index 9ef2ef88167..108e196a19c 100644
--- a/app/controllers/old_nodes_controller.rb
+++ b/app/controllers/old_nodes_controller.rb
@@ -7,8 +7,8 @@ class OldNodesController < ApplicationController
 before_action :require_oauth
 
 authorize_resource
+ before_action -> { authorize! :show_redactions, OldNode if params[:show_redactions] }
 
- before_action :require_moderator_for_unredacted_history
 around_action :web_timeout
 
 def show
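Review bot: The grant `can :show_redactions, [:browse, OldNode, OldWay, OldRelation]` mixes a bare symbol subject with three model classes and nothing explains the pairing, so a maintainer who later adds unredacted history to another controller, or renames the subject, has no pointer to the authorize! calls that must match this list. Suggest a comment above the added line: `# :browse is the class-less subject BrowseController uses for its history actions; keep this list in sync with the authorize! calls in the controllers`. Because the grant sits inside `if user.moderator?`, the policy matches the removed per-controller `current_user&.moderator?` test for signed-in users; how a nil user reaches this branch depends on the rest of initialize, which starts and ends outside the hunk.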
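Review bot: The added before_action in browse_controller.rb runs to roughly 145 characters, and the same `authorize! :show_redactions, X if params[:show_redactions]` lambda is repeated in old_nodes_controller.rb, old_relations_controller.rb and old_ways_controller.rb, so nobody can see from one place that all four gates agree on the parameter name and the truthiness test. A named method in ApplicationController, e.g. `before_action :require_permission_for_unredacted_history, :only => [:relation_history, :way_history, :node_history]` with the authorize! call behind it, would keep the policy in one place and the line within the style limit. Note that the failure path also changes from the explicit `deny_access(nil)` of the removed helper to the `CanCan::AccessDenied` raised by authorize!; that this produces the same response for anonymous and non-moderator users relies on the rescue_from handler in ApplicationController, which is not visible here and is worth pinning with a request test per history action.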
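Review bot: The guard `if params[:show_redactions]` in old_nodes_controller.rb treats any non-empty value, including "0" or "false", as a request for unredacted history, and the added line says nothing about that, so a reader cannot tell whether the looseness is intended. Since it only makes the authorize! call run more often it errs on the safe side, but whatever code later honours the same parameter is outside this diff and should apply the same test, otherwise the gate and the behaviour it protects drift apart. Suggest a comment above the added line: `# Any non-empty show_redactions value is treated as a request for unredacted history; moderators only (see Ability)`. The same applies to the matching lines in old_relations_controller.rb and old_ways_controller.rb.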
@@ -17,10 +17,4 @@ def show
 rescue ActiveRecord::RecordNotFound
 render :action => "not_found", :status => :not_found
 end
-
- private
-
- def require_moderator_for_unredacted_history
- deny_access(nil) if params[:show_redactions] && !current_user&.moderator?
- end
 end
diff --git a/app/controllers/old_relations_controller.rb b/app/controllers/old_relations_controller.rb
index b9e151a4fd8..31e2928fc76 100644
--- a/app/controllers/old_relations_controller.rb
+++ b/app/controllers/old_relations_controller.rb
@@ -7,8 +7,8 @@ class OldRelationsController < ApplicationController
 before_action :require_oauth
 
 authorize_resource
+ before_action -> { authorize! :show_redactions, OldRelation if params[:show_redactions] }
 
- before_action :require_moderator_for_unredacted_history
 around_action :web_timeout
 
 def show
@@ -17,10 +17,4 @@ def show
 rescue ActiveRecord::RecordNotFound
 render :action => "not_found", :status => :not_found
 end
-
- private
-
- def require_moderator_for_unredacted_history
- deny_access(nil) if params[:show_redactions] && !current_user&.moderator?
- end
 end
diff --git a/app/controllers/old_ways_controller.rb b/app/controllers/old_ways_controller.rb
index dd3c3279fd4..16ab82319ce 100644
--- a/app/controllers/old_ways_controller.rb
+++ b/app/controllers/old_ways_controller.rb
@@ -7,8 +7,8 @@ class OldWaysController < ApplicationController
 before_action :require_oauth
 
 authorize_resource
+ before_action -> { authorize! :show_redactions, OldWay if params[:show_redactions] }
 
- before_action :require_moderator_for_unredacted_history
 around_action :web_timeout
 
 def show
@@ -17,10 +17,4 @@ def show
 rescue ActiveRecord::RecordNotFound
 render :action => "not_found", :status => :not_found
 end
-
- private
-
- def require_moderator_for_unredacted_history
- deny_access(nil) if params[:show_redactions] && !current_user&.moderator?
- end
 end