author | Yorick Peterse <yorickpeterse@gmail.com> | 2016-05-06 17:50:31 +0300 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2016-05-11 20:12:32 +0300 |
commit | 6e62eb01665ca69933600fe977e35cb36804dace (patch) | |
tree | f7c413675c2ce6633f3383348cb0a74219828d9b | |
parent | 12553ce894dd8948fd8aa2ddd25c99d39f8cf4bc (diff) |
Fixed RedactorFilter for new reference checking
The RedactorFilter class now uses the new batch based reference checking
setup to filter out any nodes a user is not supposed to see.
-rw-r--r-- | lib/banzai/filter/redactor_filter.rb | 27 | ||||
-rw-r--r-- | lib/banzai/reference_parser/parser.rb | 2 | ||||
-rw-r--r-- | lib/banzai/reference_parser/user_parser.rb | 8 |
3 files changed, 24 insertions, 13 deletions
diff --git a/lib/banzai/filter/redactor_filter.rb b/lib/banzai/filter/redactor_filter.rb
index 613de8d5aca..4586d7fea1b 100644
--- a/lib/banzai/filter/redactor_filter.rb
+++ b/lib/banzai/filter/redactor_filter.rb
@@ -7,8 +7,11 @@ module Banzai
 #
 class RedactorFilter < HTML::Pipeline::Filter
 def call
- Querying.css(doc, 'a.gfm').each do |node|
- unless user_can_see_reference?(node)
+ nodes = Querying.css(doc, 'a.gfm[data-reference-type]')
+ visible = nodes_visible_to_user(nodes)
+
+ nodes.each do |node|
+ unless visible.include?(node)
 # The reference should be replaced by the original text,
 # which is not always the same as the rendered text.
 text = node.attr('data-original') || node.text
@@ -21,15 +24,21 @@ module Banzai

 private

- def user_can_see_reference?(node)
- if node.has_attribute?('data-reference-type')
- reference_type = node.attr('data-reference-type')
- parser = Banzai::ReferenceParser[reference_type].new(nil, current_user)
+ def nodes_visible_to_user(nodes)
+ per_type = Hash.new { |h, k| h[k] = [] }
+ visible = Set.new

- parser.user_can_see_reference?(current_user, node)
- else
- true
+ nodes.each do |node|
+ per_type[node.attr('data-reference-type')] << node
 end
+
+ per_type.each do |type, nodes|
+ parser = Banzai::ReferenceParser[type].new(nil, current_user)
+
+ visible.merge(parser.nodes_visible_to_user(current_user, nodes))
+ end
+
+ visible
 end

 def current_user
diff --git a/lib/banzai/reference_parser/parser.rb b/lib/banzai/reference_parser/parser.rb
index 0b025e8ee6c..3a21955868c 100644
--- a/lib/banzai/reference_parser/parser.rb
+++ b/lib/banzai/reference_parser/parser.rb
@@ -29,7 +29,7 @@ module Banzai
 if node.has_attribute?(project_attr)
 node_project = projects[node.attr(project_attr).to_i]

- if node_project && node_project.id == project.id
+ if node_project && project && node_project.id == project.id
 true
 else
 Ability.abilities.allowed?(user, :read_project, node_project)
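Review bot: The rule that a link without `data-reference-type` is never redacted is now carried only by the CSS selector in `call`, where the removed `user_can_see_reference?` spelled it out with an explicit `true` branch. Since this filter is the access-control step for rendered references, the selector line deserves a comment such as `# Only links carrying data-reference-type are checked; any other a.gfm link is left as rendered.` It would also help to state next to `unless visible.include?(node)` that a node absent from `visible` is redacted, so the default for checked links is deny. The body of `call` continues past the end of the hunk.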
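Review bot: In `nodes_visible_to_user` the block parameter in `per_type.each do |type, nodes|` shadows the method's own `nodes` argument, which makes it easy to hand the wrong collection to a parser in a later edit; `per_type.each do |type, type_nodes|` with `parser.nodes_visible_to_user(current_user, type_nodes)` avoids that. The `type` key is read straight from the document's `data-reference-type` attribute and passed to `Banzai::ReferenceParser[type]`; that lookup is not visible here, so it is worth confirming what it does for a value with no matching parser. If it raises, a single unexpected attribute value would abort rendering of the whole document instead of redacting that one link. `Set` is also new to this file and nothing in the hunk requires it; presumably the framework already loads it.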
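Review bot: The `else` branch in parser.rb still hands a possibly-nil `node_project` to `Ability.abilities.allowed?`, so whether a reference to a missing project is hidden depends on how that call treats nil. The added `project &&` guard only covers a nil `project`, presumably the nil first argument RedactorFilter passes when it builds the parser. The user_parser.rb change in this same commit guards its looked-up record explicitly; doing the same here, `node_project && Ability.abilities.allowed?(user, :read_project, node_project)`, makes the deny-on-missing behaviour visible at the call site. The enclosing method starts and ends outside the hunk.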
diff --git a/lib/banzai/reference_parser/user_parser.rb b/lib/banzai/reference_parser/user_parser.rb
index 7df8e459187..a10ae7d7fee 100644
--- a/lib/banzai/reference_parser/user_parser.rb
+++ b/lib/banzai/reference_parser/user_parser.rb
@@ -30,10 +32,12 @@ module Banzai

 nodes.each do |node|
 if node.has_attribute?(group_attr)
- node_group = groups.fetch(node.attr(group_attr).to_i)
- allowed = Ability.abilities.allowed?(user, :read_group, node_group)
+ node_group = groups[node.attr(group_attr).to_i]

- visible << node if allowed
+ if node_group &&
+ Ability.abilities.allowed?(user, :read_group, node_group)
+ visible << node
+ end
 # Remaining nodes will be processed by the parent class'
 # implementation of this method.
 else |