2015-12-23 02:04:40 +05:30
|
|
|
module Banzai
|
|
|
|
|
module Filter
|
2015-10-24 18:46:33 +05:30
|
|
|
# HTML filter that removes references to records that the current user does
|
|
|
|
|
# not have permission to view.
|
|
|
|
|
#
|
|
|
|
|
# Expected to be run in its own post-processing pipeline.
|
|
|
|
|
#
|
|
|
|
|
class RedactorFilter < HTML::Pipeline::Filter
|
|
|
|
|
def call
|
2016-01-14 18:37:52 +05:30
|
|
|
Querying.css(doc, 'a.gfm').each do |node|
|
|
|
|
|
unless user_can_see_reference?(node)
|
2015-12-23 02:04:40 +05:30
|
|
|
# The reference should be replaced by the original text,
|
|
|
|
|
# which is not always the same as the rendered text.
|
|
|
|
|
text = node.attr('data-original') || node.text
|
|
|
|
|
node.replace(text)
|
2015-10-24 18:46:33 +05:30
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
doc
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
2016-01-14 18:37:52 +05:30
|
|
|
def user_can_see_reference?(node)
|
2015-10-24 18:46:33 +05:30
|
|
|
if node.has_attribute?('data-reference-filter')
|
|
|
|
|
reference_type = node.attr('data-reference-filter')
|
2015-12-23 02:04:40 +05:30
|
|
|
reference_filter = Banzai::Filter.const_get(reference_type)
|
2015-10-24 18:46:33 +05:30
|
|
|
|
2016-01-14 18:37:52 +05:30
|
|
|
reference_filter.user_can_see_reference?(current_user, node, context)
|
2015-10-24 18:46:33 +05:30
|
|
|
else
|
|
|
|
|
true
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def current_user
|
|
|
|
|
context[:current_user]
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
