diff --git a/app/controllers/admin/danger_zone_controller.rb b/app/controllers/admin/danger_zone_controller.rb index 0bbb2a6da..cdfb0708f 100644 --- a/app/controllers/admin/danger_zone_controller.rb +++ b/app/controllers/admin/danger_zone_controller.rb @@ -16,5 +16,14 @@ module Admin end redirect_to admin_danger_zone_index_path end + + def hide_pending_posts + duration = params[:hide_pending_posts][:duration].to_f + if duration >= 0 && duration != DangerZone.hide_pending_posts_for + DangerZone.hide_pending_posts_for = duration + StaffAuditLog.log(:hide_pending_posts_for, CurrentUser.user, { duration: duration }) + end + redirect_to admin_danger_zone_index_path + end end end diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb index a7d7d0fbb..31b6aa2c6 100644 --- a/app/controllers/posts_controller.rb +++ b/app/controllers/posts_controller.rb @@ -26,6 +26,8 @@ class PostsController < ApplicationController def show @post = Post.find(params[:id]) + raise User::PrivilegeError.new("Post unavailable") unless DangerZone.post_visible?(@post, CurrentUser.user) + include_deleted = @post.is_deleted? || (@post.parent_id.present? && @post.parent.is_deleted?) || CurrentUser.is_approver? @parent_post_set = PostSets::PostRelationship.new(@post.parent_id, :include_deleted => include_deleted, want_parent: true) @children_post_set = PostSets::PostRelationship.new(@post.id, :include_deleted => include_deleted, want_parent: false) diff --git a/app/logical/danger_zone.rb b/app/logical/danger_zone.rb index fe251e620..85c42e3ec 100644 --- a/app/logical/danger_zone.rb +++ b/app/logical/danger_zone.rb 
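Review bot: In `hide_pending_posts`, `params[:hide_pending_posts][:duration]` raises NoMethodError when the outer key is absent, and the only bound on the value is `duration >= 0`. An oversized or non-finite float (`String#to_f` turns an out-of-range exponent into Infinity) would therefore be stored and later fed to `.hours.ago` on non-staff post views and searches. I would read it with `duration = params.dig(:hide_pending_posts, :duration).to_f` and guard with `duration.finite? && duration >= 0`, ideally with an upper limit as well. The filter that restricts this controller to admins is outside the hunk, so confirm it covers the new action and its route.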
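Review bot: The `DangerZone.post_visible?` guard is added to `show` only, so any other action or serializer that loads a post by id (none are visible in this hunk) would still return a hidden pending post. A shared `before_action` or a check at the lookup itself would keep the rule from depending on each entry point remembering it. As a style point, the raise reads better as `raise User::PrivilegeError, "Post unavailable" unless DangerZone.post_visible?(@post, CurrentUser.user)`. The body of `show` continues past the end of the hunk.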
@@ -5,6 +5,14 @@ module DangerZone user.level < min_upload_level end + def self.post_visible?(post, user) + if hide_pending_posts_for <= 0 + return true + end + + post.uploader_id == user.id || user.is_staff? || !post.is_pending? || post.created_at.before?(hide_pending_posts_for.hours.ago) + end + def self.min_upload_level (Cache.redis.get("min_upload_level") || User::Levels::MEMBER).to_i rescue Redis::CannotConnectError @@ -14,4 +22,14 @@ module DangerZone def self.min_upload_level=(min_upload_level) Cache.redis.set("min_upload_level", min_upload_level) end + + def self.hide_pending_posts_for + Cache.redis.get("hide_pending_posts_for").to_f || 0 + rescue Redis::CannotConnectError + PostPruner::DELETION_WINDOW * 24 + end + + def self.hide_pending_posts_for=(duration) + Cache.redis.set("hide_pending_posts_for", duration) + end end diff --git a/app/logical/elastic_post_query_builder.rb b/app/logical/elastic_post_query_builder.rb index 8a61c92de..fd73fdc83 100644 --- a/app/logical/elastic_post_query_builder.rb +++ b/app/logical/elastic_post_query_builder.rb @@ -314,5 +314,37 @@ class ElasticPostQueryBuilder < ElasticQueryBuilder else order.push({id: :desc}) end + + if !CurrentUser.user.is_staff? && DangerZone.hide_pending_posts_for > 0 + should = [ + { + range: { + created_at: { + lte: DangerZone.hide_pending_posts_for.hours.ago, + }, + }, + }, + { + term: { + pending: false, + }, + } + ] + + unless CurrentUser.user.id.nil? + should.push({ + term: { + uploader: CurrentUser.user.id, + }, + }) + end + + must.push({ + bool: { + should: should, + minimum_should_match: 1, + }, + }) + end end end diff --git a/app/views/admin/danger_zone/index.html.erb b/app/views/admin/danger_zone/index.html.erb index b1a883df6..5bf57b1c4 100644 --- a/app/views/admin/danger_zone/index.html.erb +++ b/app/views/admin/danger_zone/index.html.erb 
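Review bot: `post_visible?` calls `hide_pending_posts_for` twice, which is two Redis reads per post view and lets the threshold change between the `<= 0` test and the `hours.ago` comparison. Read it once instead: `window = hide_pending_posts_for`, then `return true if window <= 0`. The method also has no comment; I would add `# A pending post is visible only to its uploader and staff until it is older than the configured window (in hours); 0 disables hiding.` above it.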
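Review bot: In `hide_pending_posts_for`, the `|| 0` is dead code because `to_f` always returns a Float (`nil.to_f` is `0.0`), unlike `min_upload_level` above, where the default is applied before the conversion. Drop it or write `(Cache.redis.get("hide_pending_posts_for") || 0).to_f`. The rescue branch fails closed: it returns `PostPruner::DELETION_WINDOW * 24`, so pending posts stay hidden while Redis is unreachable. That is a reasonable default for a protective switch but deserves a comment such as `# Redis unreachable: fail closed and keep pending posts hidden`. Only `Redis::CannotConnectError` is rescued, so other Redis errors would presumably propagate to every caller.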
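Review bot: The visibility rule in this `if` block is a second hand-written copy of `DangerZone.post_visible?` (staff, uploader, not pending, older than the window), and the two already differ at the boundary: `lte` here, strict `before?` there. A comment on both, e.g. `# Keep in sync with DangerZone.post_visible?`, would make drift less likely. `DangerZone.hide_pending_posts_for` is also read twice per query; assign it once with `hide_for = DangerZone.hide_pending_posts_for` and use `hide_for` in both the condition and the range. The enclosing method begins outside the hunk.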
@@ -7,6 +7,16 @@ <%= f.input :min_level, collection: User.level_hash.select {|k,v| v >= User::Levels::MEMBER }.to_a, selected: DangerZone.min_upload_level %> <%= f.button :submit, value: "Submit" %> <% end %> +