Projects: set abuse threshold for project assets

apps/script/generateSharedConstants.rb

@@ -57,7 +57,7 @@ def generate_multiple_constants(shared_const_names, *options)
 def parse_raw(raw)
   if raw.is_a?(OpenStruct)
     raw.marshal_dump
-  elsif raw.is_a?(Hash) || raw.is_a?(Array)
+  elsif raw.is_a?(Hash) || raw.is_a?(Array) || raw.is_a?(Integer)
     raw
   elsif raw.is_a?(String)
     JSON.parse(raw)
@@ -78,6 +78,7 @@ def main
     ALL_PUBLISHABLE_PROJECT_TYPES
     CONDITIONALLY_PUBLISHABLE_PROJECT_TYPES
     ALLOWED_WEB_REQUEST_HEADERS
+    ABUSE_CONSTANTS
   )
 
   generate_shared_js_file(shared_content, "#{REPO_DIR}/apps/src/util/sharedConstants.js")

apps/src/code-studio/initApp/project.js

@@ -5,11 +5,12 @@ import * as utils from '../../utils';
 import {CIPHER, ALPHABET} from '../../constants';
 import {files as filesApi} from '../../clientApi';
 import firehoseClient from '@cdo/apps/lib/util/firehose';
+import {AbuseConstants} from '@cdo/apps/util/sharedConstants';
 
 // Attempt to save projects every 30 seconds
 var AUTOSAVE_INTERVAL = 30 * 1000;
 
-var ABUSE_THRESHOLD = 15;
+var ABUSE_THRESHOLD = AbuseConstants.ABUSE_THRESHOLD;
 
 var hasProjectChanged = false;
 

lib/cdo/shared_constants.rb

@@ -3,7 +3,7 @@
 
 # This is the source of truth for a set of constants that are shared between JS
 # and ruby code. generateSharedConstants.rb is the file that processes this and
-# outputs JS. It is run via `grunt exec:generateSharedConstants` from the app
+# outputs JS. It is run via `grunt exec:generateSharedConstants` from the apps
 # directory.
 #
 # Many of these constants exist in other files. Changes to this file often should
@@ -78,6 +78,11 @@ module SharedConstants
     }
   )
 
+  # Projects with an abuse score over this threshold will be blocked.
+  ABUSE_CONSTANTS = OpenStruct.new(
+    {ABUSE_THRESHOLD: 15}
+  )
+
   # This list of project types can be shared by anyone regardless of their age or sharing setting.
   ALWAYS_PUBLISHABLE_PROJECT_TYPES = %w(
     artist

shared/middleware/files_api.rb

@@ -227,7 +227,7 @@ def get_file(endpoint, encrypted_channel_id, filename, code_projects_domain_root
 
     metadata = result[:metadata]
     abuse_score = [metadata['abuse_score'].to_i, metadata['abuse-score'].to_i].max
-    not_found if abuse_score > 0 && !can_view_abusive_assets?(encrypted_channel_id)
+    not_found if abuse_score >= SharedConstants::ABUSE_CONSTANTS.ABUSE_THRESHOLD && !can_view_abusive_assets?(encrypted_channel_id)
     not_found if profanity_privacy_violation?(filename, result[:body]) && !can_view_profane_or_pii_assets?(encrypted_channel_id)
     not_found if code_projects_domain_root_route && !codeprojects_can_view?(encrypted_channel_id)
 

shared/test/test_assets.rb

@@ -221,13 +221,27 @@ def test_viewing_abusive_assets
       assert successful?
     end
 
-    # set abuse
+    # set abuse to lower than threshold
     @api.patch_abuse(10)
 
     # owner can view
     @api.get_object(asset_name)
     assert successful?
 
+    # non-owner can view
+    with_session(:non_owner) do
+      non_owner_api = FilesApiTestHelper.new(current_session, 'assets', @channel_id)
+      non_owner_api.get_object(asset_name)
+      assert successful?
+    end
+
+    # set abuse to threshold
+    @api.patch_abuse(15)
+
+    # owner can view
+    @api.get_object(asset_name)
+    assert successful?
+
     # non-owner cannot view
     with_session(:non_owner) do
       non_owner_api = FilesApiTestHelper.new(current_session, 'assets', @channel_id)