Disallow creating questions when blocked by the user being asked

2022-04-18 20:57:54 +01:00 · 2022-04-18 20:57:54 +01:00 · 9f06b48569
parent 0038272417
commit 9f06b48569
2 changed files with 24 additions and 6 deletions
--- a/app/controllers/ajax/question_controller.rb
+++ b/app/controllers/ajax/question_controller.rb
@ -1,3 +1,5 @@
+require 'errors'
+
 class Ajax::QuestionController < AjaxController
  def destroy
    params.require :question
@ -53,21 +55,25 @@ class Ajax::QuestionController < AjaxController
    if params[:rcpt] == 'followers'
      QuestionWorker.perform_async(current_user.id, question.id) unless current_user.nil?
    else
-      u = User.find_by_id(params[:rcpt])
-      if u.nil?
+      target_user = User.find_by(id: params[:rcpt])
+
+      raise Errors::AskingOtherBlockedSelf if target_user.blocking?(current_user)
+      raise Errors::AskingSelfBlockedOther if current_user.blocking?(target_user)
+
+      if target_user.nil?
        @response[:status] = :not_found
        @response[:message] = I18n.t('messages.question.create.not_found')
        question.delete
        return
      end

-      if !u.privacy_allow_anonymous_questions && question.author_is_anonymous
+      if !target_user.privacy_allow_anonymous_questions && question.author_is_anonymous
        question.delete
        return
      end

-      unless MuteRule.where(user: u).any? { |rule| rule.applies_to? question }
-        Inbox.create!(user_id: u.id, question_id: question.id, new: true)
+      unless MuteRule.where(user: target_user).any? { |rule| rule.applies_to? question }
+        Inbox.create!(user_id: target_user.id, question_id: question.id, new: true)
      end
    end

--- a/app/controllers/ajax_controller.rb
+++ b/app/controllers/ajax_controller.rb
@ -66,6 +66,18 @@ class AjaxController < ApplicationController
    return_response
  end

+  rescue_from(Errors::Base) do |e|
+    Sentry.capture_exception(e)
+
+    @response = {
+      success: false,
+      message: I18n.t(e.locale_tag),
+      status:  e.code
+    }
+
+    return_response
+  end
+
  def find_active_announcements
    # We do not need announcements here
  end
@ -86,7 +98,7 @@ class AjaxController < ApplicationController
    #
    # Q: Why do we always return 200?
    # A: Because JQuery might not do things we want it to if we don't.
-    response.status = 200
+    response.status = @status || 200
    response.headers["Content-Type"] = "application/json"
    response.body = @response.to_json
  end