ManifoldScholar · zdavis · Feb 23, 2024 · Feb 22, 2024 · Feb 22, 2024 · Feb 22, 2024
diff --git a/api/.rubocop.yml b/api/.rubocop.yml
@@ -22,6 +22,7 @@ Metrics/BlockLength:
 
 Metrics/MethodLength:
   Exclude:
+    - "app/controllers/concerns/validation.rb"
     - "app/operations/**/*.rb"
   Max: 15
 
@@ -56,10 +57,15 @@ Layout/EmptyLinesAroundAttributeAccessor:
 Layout/SpaceAroundMethodCallOperator:
   Enabled: true
 
+Layout/EmptyLineAfterGuardClause:
+  Enabled: false
+
 Layout/EmptyLinesAroundClassBody:
   Enabled: false
 
 Layout/LineLength:
+  Exclude:
+    - "app/services/setting_sections/*.rb"
   Max: 140
 
 Layout/BeginEndAlignment: # (new in 0.91)
@@ -164,6 +170,9 @@ Style/BisectedAttrAccessor:
 Style/CaseLikeIf:
   Enabled: true
 
+Style/CharacterLiteral:
+  Enabled: false
+
 Style/ExplicitBlockArgument:
   Enabled: false
 

diff --git a/api/Gemfile b/api/Gemfile
@@ -28,7 +28,7 @@ gem "crass", "~> 1.0.5"
 gem "csl-styles", "~> 1.0"
 gem "cssbeautify"
 gem "css_parser", "~> 1.0"
-gem "dalli", "~> 3.2.3"
+gem "dalli", "2.7.11"
 gem "data_uri", "~> 0.1.0"
 gem "dotenv-rails", "~> 2.0"
 gem "draper", "~> 3.1"
@@ -115,7 +115,7 @@ gem "signet", "~> 0.10"
 gem "sinatra", "~>2.2"
 gem "statesman", "~> 3.4"
 gem "statesman-events", "~> 0.0.1"
-gem "store_model", "~> 0.7.0"
+gem "store_model", "~> 2.2.0"
 gem "strip_attributes", "~> 1.13.0"
 gem "terrapin", "~> 0.6.0"
 gem "tus-server", "~> 2.0"

diff --git a/api/Gemfile.lock b/api/Gemfile.lock
@@ -152,7 +152,7 @@ GEM
     css_parser (1.14.0)
       addressable
     cssbeautify (0.2.0)
-    dalli (3.2.6)
+    dalli (2.7.11)
     data_uri (0.1.0)
     database_cleaner-active_record (2.1.0)
       activerecord (>= 5.a)
@@ -732,7 +732,7 @@ GEM
     statesman (3.5.0)
     statesman-events (0.0.1)
       statesman (>= 1.3)
-    store_model (0.7.0)
+    store_model (2.2.0)
       activerecord (>= 5.2)
     strip_attributes (1.13.0)
       activemodel (>= 3.0, < 8.0)
@@ -832,7 +832,7 @@ DEPENDENCIES
   csl-styles (~> 1.0)
   css_parser (~> 1.0)
   cssbeautify
-  dalli (~> 3.2.3)
+  dalli (= 2.7.11)
   data_uri (~> 0.1.0)
   database_cleaner-active_record (~> 2.1.0)
   database_cleaner-redis (~> 2.0)
@@ -942,7 +942,7 @@ DEPENDENCIES
   spring-watcher-listen (~> 2.1.0)
   statesman (~> 3.4)
   statesman-events (~> 0.0.1)
-  store_model (~> 0.7.0)
+  store_model (~> 2.2.0)
   strip_attributes (~> 1.13.0)
   terrapin (~> 0.6.0)
   test-prof (~> 1.0)

diff --git a/api/app/authorizers/annotation_authorizer.rb b/api/app/authorizers/annotation_authorizer.rb
@@ -1,9 +1,8 @@
-class AnnotationAuthorizer < ApplicationAuthorizer
+# frozen_string_literal: true
 
-  # There are cases where all users can CRUD annotations.
-  def self.default(_able, _user, _options = {})
-    true
-  end
+# @see Annotation
+class AnnotationAuthorizer < ApplicationAuthorizer
+  requires_trusted_or_established_user!
 
   # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
   def creatable_by?(user, _options = {})
@@ -46,6 +45,15 @@ def readable_by?(user, _options = {})
 
   private
 
+  def trusted_or_established_user?(user)
+    user&.created?(resource) || super
+  end
+
+  # Only public annotations need reputation to create.
+  def requires_reputation_to_create?
+    annotation_is_public?
+  end
+
   def user_can_notate_text?(user)
     resource&.text&.notatable_by? user
   end
@@ -74,4 +82,10 @@ def user_is_not_in_reading_group?(user)
     resource.reading_group.users.exclude? user
   end
 
+  class << self
+    # There are cases where all users can CRUD annotations.
+    def default(_able, _user, _options = {})
+      true
+    end
+  end
 end
diff --git a/api/app/authorizers/application_authorizer.rb b/api/app/authorizers/application_authorizer.rb
@@ -1,4 +1,8 @@
+# frozen_string_literal: true
+
 # Other authorizers should subclass this one
+#
+# @abstract
 class ApplicationAuthorizer < Authority::Authorizer
   include ActiveSupport::Configurable
   include SerializableAuthorization
@@ -32,6 +36,13 @@ def known_user?(user)
     user.role.present?
   end
 
+  # @param [User] user
+  def trusted_or_established_user?(user)
+    return false if user.blank?
+
+    user.established? || user.trusted?
+  end
+
   # @param [User] user
   # @param [#projects] resource
   def resource_belongs_to_updatable_project?(user, resource)
@@ -196,5 +207,49 @@ def has_role?(user, role, on: :any)
       user.has_cached_role? role, actual_on
     end
 
+    # Authorizers that should override their create check
+    # in order to ensure that a user has been trusted or
+    # established in the instance in order to create the
+    # associated resource.
+    #
+    # @return [void]
+    def requires_trusted_or_established_user!
+      include RequiresTrustedOrEstablishedUser
+    end
+  end
+
+  # @api private
+  module RequiresTrustedOrEstablishedUser
+    extend ActiveSupport::Concern
+
+    included do
+      prepend RequiresTrustedOrEstablishedUser::WrapperMethods
+    end
+
+    # Override this in authorizers where only certain models
+    # require a reputation in order to create them.
+    #
+    # For instance, public reading groups.
+    # @abstract
+    def requires_reputation_to_create?
+      true
+    end
+
+    # Boolean complement of {#requires_reputation_to_create?},
+    # defined for legibility.
+    def requires_no_reputation_to_create?
+      !requires_reputation_to_create?
+    end
+
+    # This module gets prepended during inclusion
+    #
+    # @api private
+    module WrapperMethods
+      def creatable_by?(user, options = {})
+        return false unless requires_no_reputation_to_create? || trusted_or_established_user?(user)
+
+        super
+      end
+    end
   end
 end
diff --git a/api/app/authorizers/comment_authorizer.rb b/api/app/authorizers/comment_authorizer.rb
@@ -1,11 +1,11 @@
+# frozen_string_literal: true
+
+# @see Comment
 class CommentAuthorizer < ApplicationAuthorizer
+  requires_trusted_or_established_user!
 
   expose_abilities [:read_deleted]
 
-  def self.default(_able, _user, _options = {})
-    true
-  end
-
   def creatable_by?(user, options = {})
     return comment_is_on_readable_annotation_for?(user) if comment_is_on_annotation?
 
@@ -44,4 +44,13 @@ def comment_is_on_annotation?
     resource.on_annotation?
   end
 
+  def trusted_or_established_user?(user)
+    user&.created?(resource) || super
+  end
+
+  class << self
+    def default(_able, _user, _options = {})
+      true
+    end
+  end
 end
diff --git a/api/app/authorizers/reading_group_authorizer.rb b/api/app/authorizers/reading_group_authorizer.rb
@@ -1,4 +1,9 @@
+# frozen_string_literal: true
+
+# @see ReadingGroup
 class ReadingGroupAuthorizer < ApplicationAuthorizer
+  requires_trusted_or_established_user!
+
   def creatable_by?(user, _options = {})
     return false unless known_user?(user)
     return false if reading_groups_disabled?
@@ -24,6 +29,11 @@ def readable_by?(user, _options = {})
 
   private
 
+  # Only public reading groups need reputation to create.
+  def requires_reputation_to_create?
+    resource.public?
+  end
+
   def moderator?(user)
     user.has_role?(:moderator, resource)
   end

diff --git a/api/app/controllers/concerns/authentication.rb b/api/app/controllers/concerns/authentication.rb
@@ -14,16 +14,17 @@ module Authentication
 
   CURRENT_USER_PRELOADS = %w(roles favorites).freeze
 
+  # @param [User, nil]
+  attr_reader :current_user
+
   private
 
   def load_current_user
     @current_user = User.preload(CURRENT_USER_PRELOADS).find(decoded_auth_token[:user_id])
   rescue JWT::DecodeError
     nil
-  end
-
-  def current_user
-    @current_user
+  else
+    RequestStore[:current_user] = @current_user
   end
 
   # This method gets the current user based on the user_id included