FIX: view activity reactions for other users (#278)
This change restores access to the reaction activity of other users when the current user is logged in.
dbattersby committed Feb 23, 2024
1 parent 7afd462 commit 69b1fd4
Showing 2 changed files with 19 additions and 11 deletions.
@@ -44,7 +44,7 @@ def reactions_given
include_inactive:
current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts),
)
raise Discourse::InvalidAccess unless guardian.can_see_notifications?(user)
raise Discourse::NotFound unless guardian.can_see_profile?(user)

reaction_users =
DiscourseReactions::ReactionUser
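Review bot: The new guard `guardian.can_see_profile?(user)` authorizes on profile visibility alone, so every per-post restriction (private messages, secure categories) now rests on the `reaction_users` query that begins on the last two lines of this hunk and continues outside it; that query is not visible here and should be confirmed to filter through the guardian. The commit message limits the change to logged-in users, but nothing on the changed line requires a session, so whether anonymous requests are refused depends on a check elsewhere in `reactions_given` or the controller, if one exists. A comment above the guard would record the intent, e.g. `# Profile visibility only; post-level access (PMs, secure categories) is enforced by the query below.`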
28 changes: 18 additions & 10 deletions spec/requests/custom_reactions_controller_spec.rb
@@ -169,24 +169,28 @@
Fabricate(:reaction_user, reaction: secure_reaction, user: user_2, post: secure_post)
end

it "returns reactions given by a user when current user is admin" do
sign_in(admin)
it "returns reactions given by a user" do
sign_in(user_1)

get "/discourse-reactions/posts/reactions.json", params: { username: user_2.username }
expect(response.status).to eq(200)

parsed = response.parsed_body
expect(parsed[2]["user"]["id"]).to eq(user_2.id)
expect(parsed[2]["post_id"]).to eq(post_2.id)
expect(parsed[2]["post"]["user"]["id"]).to eq(user_1.id)
expect(parsed[2]["reaction"]["id"]).to eq(laughing_reaction.id)
expect(parsed[0]["user"]["id"]).to eq(user_2.id)
expect(parsed[0]["post_id"]).to eq(post_2.id)
expect(parsed[0]["post"]["user"]["id"]).to eq(user_1.id)
expect(parsed[0]["reaction"]["id"]).to eq(laughing_reaction.id)
end

it "does not return reactions for private messages of other users" do
it "does not return reactions for private messages" do
sign_in(user_1)

get "/discourse-reactions/posts/reactions.json", params: { username: user_2.username }
expect(response.status).to eq(403)

parsed = response.parsed_body
expect(response.parsed_body.map { |reaction| reaction["post_id"] }).not_to include(
private_post.id,
)
end

it "returns reactions for private messages of current user" do
Expand All @@ -204,11 +208,15 @@
sign_in(user_1)

get "/discourse-reactions/posts/reactions.json", params: { username: user_2.username }
expect(response.status).to eq(403)
parsed = response.parsed_body
expect(response.parsed_body.map { |reaction| reaction["post_id"] }).not_to include(
secure_post.id,
)

secure_group.add(user_1)
get "/discourse-reactions/posts/reactions.json", params: { username: user_2.username }
expect(response.status).to eq(403)
parsed = response.parsed_body
expect(response.parsed_body.map { |reaction| reaction["post_id"] }).to include(secure_post.id)

sign_in(user_2)

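Review bot: The two `not_to include(...)` checks (for `private_post.id` in "does not return reactions for private messages", and for `secure_post.id` before `secure_group.add(user_1)`) can pass on an empty result, because the status expectation they replace was dropped rather than changed. Each should keep `expect(response.status).to eq(200)` and also assert that a visible post such as `post_2.id` is still returned, so the test shows the filter is selective rather than empty. `parsed = response.parsed_body` is assigned three times and never read; either use `parsed.map { |reaction| reaction["post_id"] }` or drop the assignment. The hunks show no case for an anonymous request or for a hidden profile returning 404; if the spec outside these hunks does not cover them, they belong with this change. The example in the second hunk starts and ends outside it.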
