store filter_id in a long-lived cookie (derpibooru/philomena#139)

lib/philomena_web/controllers/filter/current_controller.ex

@@ -1,6 +1,8 @@
 defmodule PhilomenaWeb.Filter.CurrentController do
   use PhilomenaWeb, :controller
 
+  @cookie_opts [max_age: 788_923_800, same_site: "Lax"]
+
   alias Philomena.{Filters, Filters.Filter, Users.User}
   alias Philomena.Repo
 
@@ -24,8 +26,7 @@ defmodule PhilomenaWeb.Filter.CurrentController do
   end
 
   defp update_filter(conn, nil, filter) do
-    conn
+    put_resp_cookie(conn, "filter_id", Integer.to_string(filter.id), @cookie_opts)
-    |> put_session(:filter_id, filter.id)
   end
 
   defp update_filter(conn, user, filter) do

lib/philomena_web/plugs/current_filter_plug.ex

@@ -9,7 +9,7 @@ defmodule PhilomenaWeb.CurrentFilterPlug do
 
   # Assign current filter
   def call(conn, _opts) do
-    conn = fetch_session(conn)
+    conn = fetch_cookies(conn)
     user = conn.assigns.current_user
 
     {filter, forced_filter} =
@@ -21,9 +21,7 @@ defmodule PhilomenaWeb.CurrentFilterPlug do
 
         {user.current_filter, user.forced_filter}
       else
-        filter_id = conn |> get_session(:filter_id)
+        filter = load_and_authorize_filter(conn.cookies, user)
-
-        filter = if filter_id, do: Repo.get(Filter, filter_id)
 
         {filter || Filters.default_filter(), nil}
       end
@@ -45,4 +43,23 @@ defmodule PhilomenaWeb.CurrentFilterPlug do
   end
 
   defp maybe_set_default_filter(user), do: user
+
+  defp load_and_authorize_filter(%{"filter_id" => filter_id}, user) do
+    Filter
+    |> Repo.get(filter_id)
+    |> case do
+      nil ->
+        nil
+
+      filter ->
+        case Canada.Can.can?(user, :show, filter) do
+          true -> filter
+          false -> nil
+        end
+    end
+  end
+
+  defp load_and_authorize_filter(_cookies, _user) do
+    nil
+  end
 end