[DangerZone] Allow admins to hide pending posts for a specified amount of hours (#760)

2024-11-10 23:22:14 -05:00 · 2024-11-10 23:22:14 -05:00 · cf94b1b827
commit cf94b1b827
parent 0fb0418d7b
7 changed files with 80 additions and 0 deletions
--- a/app/controllers/admin/danger_zone_controller.rb
+++ b/app/controllers/admin/danger_zone_controller.rb
@ -16,5 +16,14 @@ module Admin
      end
      redirect_to admin_danger_zone_index_path
    end
+
+    def hide_pending_posts
+      duration = params[:hide_pending_posts][:duration].to_f
+      if duration >= 0 && duration != DangerZone.hide_pending_posts_for
+        DangerZone.hide_pending_posts_for = duration
+        StaffAuditLog.log(:hide_pending_posts_for, CurrentUser.user, { duration: duration })
+      end
+      redirect_to admin_danger_zone_index_path
+    end
  end
 end
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -26,6 +26,8 @@ class PostsController < ApplicationController
  def show
    @post = Post.find(params[:id])

+    raise User::PrivilegeError.new("Post unavailable") unless DangerZone.post_visible?(@post, CurrentUser.user)
+
    include_deleted = @post.is_deleted? || (@post.parent_id.present? && @post.parent.is_deleted?) || CurrentUser.is_approver?
    @parent_post_set = PostSets::PostRelationship.new(@post.parent_id, :include_deleted => include_deleted, want_parent: true)
    @children_post_set = PostSets::PostRelationship.new(@post.id, :include_deleted => include_deleted, want_parent: false)
--- a/app/logical/danger_zone.rb
+++ b/app/logical/danger_zone.rb
@ -5,6 +5,14 @@ module DangerZone
    user.level < min_upload_level
  end

+  def self.post_visible?(post, user)
+    if hide_pending_posts_for <= 0
+      return true
+    end
+
+    post.uploader_id == user.id || user.is_staff? || !post.is_pending? || post.created_at.before?(hide_pending_posts_for.hours.ago)
+  end
+
  def self.min_upload_level
    (Cache.redis.get("min_upload_level") || User::Levels::MEMBER).to_i
  rescue Redis::CannotConnectError
@ -14,4 +22,14 @@ module DangerZone
  def self.min_upload_level=(min_upload_level)
    Cache.redis.set("min_upload_level", min_upload_level)
  end
+
+  def self.hide_pending_posts_for
+    Cache.redis.get("hide_pending_posts_for").to_f || 0
+  rescue Redis::CannotConnectError
+    PostPruner::DELETION_WINDOW * 24
+  end
+
+  def self.hide_pending_posts_for=(duration)
+    Cache.redis.set("hide_pending_posts_for", duration)
+  end
 end
--- a/app/logical/elastic_post_query_builder.rb
+++ b/app/logical/elastic_post_query_builder.rb
@ -314,5 +314,37 @@ class ElasticPostQueryBuilder < ElasticQueryBuilder
    else
      order.push({id: :desc})
    end
+
+    if !CurrentUser.user.is_staff? && DangerZone.hide_pending_posts_for > 0
+      should = [
+        {
+          range: {
+            created_at: {
+              lte: DangerZone.hide_pending_posts_for.hours.ago,
+            },
+          },
+        },
+        {
+          term: {
+            pending: false,
+          },
+        }
+      ]
+
+      unless CurrentUser.user.id.nil?
+        should.push({
+          term: {
+            uploader: CurrentUser.user.id,
+          },
+        })
+      end
+
+      must.push({
+        bool: {
+          should: should,
+          minimum_should_match: 1,
+        },
+      })
+    end
  end
 end
--- a/app/views/admin/danger_zone/index.html.erb
+++ b/app/views/admin/danger_zone/index.html.erb
@ -7,6 +7,16 @@
      <%= f.input :min_level, collection: User.level_hash.select {|k,v| v >= User::Levels::MEMBER }.to_a, selected: DangerZone.min_upload_level %>
      <%= f.button :submit, value: "Submit" %>
    <% end %>
+    <h2>Pending Posts</h2>
+    <% if DangerZone.hide_pending_posts_for > 0 %>
+      Unapproved posts are currently only visible to staff for <b><%= DangerZone.hide_pending_posts_for %></b> hours.
+    <% else %>
+      Unapproved posts are currently not hidden.
+    <% end %>
+    <%= custom_form_for(:hide_pending_posts, url: hide_pending_posts_admin_danger_zone_index_path, method: :put) do |f| %>
+      <%= f.input :duration, as: :float, hint: "in hours", input_html: { value: DangerZone.hide_pending_posts_for } %>
+      <%= f.button :submit, value: "Submit" %>
+    <% end %>
  </div>
 </div>

--- a/config/routes.rb
+++ b/config/routes.rb
@ -29,6 +29,7 @@ Rails.application.routes.draw do
    resources :danger_zone, only: [:index] do
      collection do
        put :uploading_limits
+        put :hide_pending_posts
      end
    end
  end
--- a/test/functional/admin/danger_zone_controller_test.rb
+++ b/test/functional/admin/danger_zone_controller_test.rb
@ -10,6 +10,7 @@ class Admin::DangerZoneControllerTest < ActionDispatch::IntegrationTest

    teardown do
      DangerZone.min_upload_level = User::Levels::MEMBER
+      DangerZone.hide_pending_posts_for = 0
    end

    context "index action" do
@ -25,5 +26,12 @@ class Admin::DangerZoneControllerTest < ActionDispatch::IntegrationTest
        assert_equal DangerZone.min_upload_level, User::Levels::PRIVILEGED
      end
    end
+
+    context "hide pending posts action" do
+      should "work" do
+        put_auth hide_pending_posts_admin_danger_zone_index_path, @admin, params: { hide_pending_posts: { duration: 24 } }
+        assert_equal DangerZone.hide_pending_posts_for, 24
+      end
+    end
  end
 end