From 1b63a8392671ae47e6ec22ad272ac839c65d4834 Mon Sep 17 00:00:00 2001
From: robdy <15113729+robdy@users.noreply.github.com>
Date: Mon, 18 Jun 2018 10:58:22 +0200
Subject: [PATCH] Allow Post Mods to view mod notes (#628)

---
 api/policies/isPostMod.js       | 1 +
 api/services/Users.js           | 2 +-
 assets/views/home/modEdit.ejs   | 6 +++---
 assets/views/home/reference.ejs | 4 ++--
 config/policies.js              | 6 ++++++
 5 files changed, 13 insertions(+), 6 deletions(-)
 create mode 100644 api/policies/isPostMod.js

diff --git a/api/policies/isPostMod.js b/api/policies/isPostMod.js
new file mode 100644
index 00000000..4058247e
--- /dev/null
+++ b/api/policies/isPostMod.js
@@ -0,0 +1 @@
+module.exports = (req, res, next) => (Users.hasModPermission(req.user, 'posts') && Users.hasModPermission(req.user, 'wiki')) ? next() : res.forbidden("Not post mod");
diff --git a/api/services/Users.js b/api/services/Users.js
index 552122fe..ed8416e8 100644
--- a/api/services/Users.js
+++ b/api/services/Users.js
@@ -28,7 +28,7 @@ exports.get = async function (requester, username) {
     user.comments = result;
   }));
 
-  if (Users.hasModPermission(requester, 'access')) {
+  if (Users.hasModPermission(requester, 'posts') && Users.hasModPermission(requester, 'wiki')) {
     promises.push(ModNote.find({refUser: user.name}).sort({createdAt: 'desc'}).then(function (result) {
       user.modNotes = result;
     }));
diff --git a/assets/views/home/modEdit.ejs b/assets/views/home/modEdit.ejs
index d673ee91..3214be8d 100644
--- a/assets/views/home/modEdit.ejs
+++ b/assets/views/home/modEdit.ejs
@@ -17,7 +17,7 @@
                 <a ng-href="/u/{{note.user}}">{{note.user}}</a>
                 <span class="pull-right">
                   {{note.createdAt | date: "medium"}}
-                  <a href="#" ng-click="delNote(note.id)">
+                  <a ng-controller="referenceCtrl" ng-if="user.isMod && user.modPermissions && user.modPermissions.includes('all')" href="#" ng-click="delNote(note.id)">
                     <span class="glyphicon glyphicon-trash"></span>
                   </a>
                 </span>
@@ -27,7 +27,7 @@
               </div>
             </div>
           </div>
-          <div class="form-group">
+          <div class="form-group" ng-if="user.isMod && user.modPermissions && user.modPermissions.includes('all')">
             <textarea class="form-control" ng-model="newStuff.newNote" ng-trim="false"
                       placeholder="Add Note with markdown"></textarea>
             <div class="panel panel-default">
@@ -42,7 +42,7 @@
     </div>
 
 
-    <div class="col-md-6">
+    <div class="col-md-6" ng-if="user.isMod && user.modPermissions && user.modPermissions.includes('all')">
       <div class="form-group">
         <label class="col-sm-3 control-label">Introduction:</label>
 
diff --git a/assets/views/home/reference.ejs b/assets/views/home/reference.ejs
index 5b5978b0..58f73e3a 100644
--- a/assets/views/home/reference.ejs
+++ b/assets/views/home/reference.ejs
@@ -32,7 +32,7 @@
         <li class="active"><a href="#references" role="tab" data-toggle="tab">References</a></li>
         <li><a href="#comments" role="tab" data-toggle="tab">Comments ({{refUser.comments.length}})</a></li>
         <li><a href="#info" role="tab" data-toggle="tab">Information</a></li>
-        <li ng-if="user.isMod && user.modPermissions && user.modPermissions.includes('all')"><a href="#modEdit" role="tab" data-toggle="tab">Moderation ({{refUser.modNotes.length}})</a></li>
+        <li ng-if="user.isMod && user.modPermissions && (user.modPermissions.includes('all')  || (user.modPermissions.includes('posts') && user.modPermissions.includes('wiki')))"><a href="#modEdit" role="tab" data-toggle="tab">Moderation ({{refUser.modNotes.length}})</a></li>
       </ul>
 
       <div class="tab-content">
@@ -75,7 +75,7 @@
         <div class="tab-pane" id="info">
           <%- partial('profileInfo.ejs') %>
         </div>
-        <div class="tab-pane" id="modEdit" ng-if="user.isMod && user.modPermissions.includes('all')">
+        <div class="tab-pane" id="modEdit" ng-if="user.isMod && (user.modPermissions.includes('all') || (user.modPermissions.includes('posts') && user.modPermissions.includes('wiki')))">
           <%- partial('modEdit.ejs') %>
         </div>
       </div>
diff --git a/config/policies.js b/config/policies.js
index c1f62de2..ecceb1e6 100644
--- a/config/policies.js
+++ b/config/policies.js
@@ -19,6 +19,7 @@
 const anyone = ['passport'];
 const user = ['passport', 'sessionAuth'];
 const flairMod = ['passport', 'sessionAuth', 'isFlairMod'];
+const postMod = ['passport', 'sessionAuth', 'isPostMod'];
 const admin = ['passport', 'sessionAuth', 'isAdmin'];
 
 module.exports.policies = {
@@ -75,5 +76,10 @@ module.exports.policies = {
     edit: user,
     mine: user,
     get: anyone
+  },
+  
+  ModNoteController: {
+    '*': admin,
+    find: postMod
   }
 };