From 9f06b48569d791dfe67d1cca3094a92b3f5d9361 Mon Sep 17 00:00:00 2001
From: Karina Kwiatek
Date: Mon, 18 Apr 2022 20:57:54 +0100
Subject: [PATCH] Disallow creating questions when blocked by the user being asked

---
 app/controllers/ajax/question_controller.rb | 16 +++++++++++-----
 app/controllers/ajax_controller.rb | 14 +++++++++++++-
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/app/controllers/ajax/question_controller.rb b/app/controllers/ajax/question_controller.rb
index 9a140bef..ebd84dd5 100644
--- a/app/controllers/ajax/question_controller.rb
+++ b/app/controllers/ajax/question_controller.rb
@@ -1,3 +1,5 @@
+require 'errors'
+
 class Ajax::QuestionController < AjaxController
   def destroy
     params.require :question
@@ -53,21 +55,25 @@ class Ajax::QuestionController < AjaxController
     if params[:rcpt] == 'followers'
       QuestionWorker.perform_async(current_user.id, question.id) unless current_user.nil?
     else
-      u = User.find_by_id(params[:rcpt])
-      if u.nil?
+      target_user = User.find_by(id: params[:rcpt])
+
+      raise Errors::AskingOtherBlockedSelf if target_user.blocking?(current_user)
+      raise Errors::AskingSelfBlockedOther if current_user.blocking?(target_user)
+
+      if target_user.nil?
         @response[:status] = :not_found
         @response[:message] = I18n.t('messages.question.create.not_found')
         question.delete
         return
       end
 
-      if !u.privacy_allow_anonymous_questions && question.author_is_anonymous
+      if !target_user.privacy_allow_anonymous_questions && question.author_is_anonymous
         question.delete
         return
       end
 
-      unless MuteRule.where(user: u).any? { |rule| rule.applies_to? question }
-        Inbox.create!(user_id: u.id, question_id: question.id, new: true)
+      unless MuteRule.where(user: target_user).any? { |rule| rule.applies_to? question }
+        Inbox.create!(user_id: target_user.id, question_id: question.id, new: true)
       end
     end
 
diff --git a/app/controllers/ajax_controller.rb b/app/controllers/ajax_controller.rb
index d5bf4b33..9d072c7c 100644
--- a/app/controllers/ajax_controller.rb
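Review bot: The two `raise` lines added before `if target_user.nil?` call `blocking?` on `target_user` while it may still be nil, so an unknown `rcpt` now fails with NoMethodError instead of reaching the not_found branch directly below; move both raises after that `if … end` block. `current_user.blocking?(target_user)` has the same problem when the asker is not signed in, which the followers branch's `unless current_user.nil?` suggests is possible, so `raise Errors::AskingSelfBlockedOther if current_user&.blocking?(target_user)` keeps that check nil-safe. Raising also skips the `question.delete` that the other rejection paths perform, so if `question` is already persisted above this hunk (the method's start is outside it) a blocked ask leaves an orphaned record with no Inbox entry; deleting it before raising, or running these checks before the question is created, would match the other branches.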
+++ b/app/controllers/ajax_controller.rb
@@ -66,6 +66,18 @@ class AjaxController < ApplicationController
     return_response
   end
 
+  rescue_from(Errors::Base) do |e|
+    Sentry.capture_exception(e)
+
+    @response = {
+      success: false,
+      message: I18n.t(e.locale_tag),
+      status: e.code
+    }
+
+    return_response
+  end
+
   def find_active_announcements
     # We do not need announcements here
   end
@@ -86,7 +98,7 @@ class AjaxController < ApplicationController
     #
     # Q: Why do we always return 200?
     # A: Because JQuery might not do things we want it to if we don't.
-    response.status = 200
+    response.status = @status || 200
     response.headers["Content-Type"] = "application/json"
     response.body = @response.to_json
   end
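Review bot: Nothing in this diff assigns `@status`, so `response.status = @status || 200` still sends 200 for every response and the error's `e.code` only reaches the client inside the JSON body; if the intent is to surface it as the HTTP status, the `rescue_from` handler should set `@status = e.code` before `return_response`, and otherwise the `@status || 200` change and the `# Q: Why do we always return 200?` comment above it should be reconciled. Whether `e.code` is an HTTP status or an application-level code is not visible here. Sending every `Errors::Base` to `Sentry.capture_exception` will also report expected rejections such as a blocked ask as exceptions; if the hierarchy is meant for user-facing validation errors, consider dropping the capture or limiting it to the subclasses that indicate a real fault.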