DEV: Only allow expanding hidden posts for author and staff #21052

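--- a/app/assets/javascripts/discourse/app/widgets/post.js
+++ b/app/assets/javascripts/discourse/app/widgets/post.js
@@ -495,7 +495,10 @@ createWidget("post-contents", {
 
 result = result.concat(applyDecorators(this, "after-cooked", attrs, state));
 
-if (attrs.cooked_hidden) {
+if (
+attrs.cooked_hidden &&
+(this.currentUser?.isLeader || attrs.user_id === this.currentUser?.id)
+) {
 result.push(this.attach("expand-hidden", attrs));
 }
 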
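Review bot: The client-side condition `this.currentUser?.isLeader || attrs.user_id === this.currentUser?.id` is only a UI gate and should mirror the server predicate introduced in lib/guardian/post_guardian.rb (author, TL4, or staff); unless `isLeader` is pinned to TL4 and also covers staff — which I cannot tell from this hunk — staff below TL4 would lose the expand control while the server still permits them, and the trust-level threshold on the two sides may diverge. Authorization remains with `PostGuardian#can_see_post?` either way, so a comment making that explicit would help the next reader: `// UI gate only; PostGuardian#can_see_hidden_post? is the authoritative check`. The `post-contents` widget body begins and ends outside the hunk.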
10 changes: 9 additions & 1 deletion lib/guardian/post_guardian.rb
Expand Up @@ -269,7 +269,10 @@ def can_see_post?(post)
return false
end
return true if is_moderator? || is_category_group_moderator?(post.topic.category)
return true if !post.trashed? || can_see_deleted_post?(post)
if (!post.trashed? || can_see_deleted_post?(post)) &&
(!post.hidden? || can_see_hidden_post?(post))
return true
end
false
end

Expand All @@ -280,6 +283,11 @@ def can_see_deleted_post?(post)
post.deleted_by_id == @user.id && @user.has_trust_level?(TrustLevel[4])
end

def can_see_hidden_post?(post)
return false if anonymous?
post.user_id == @user.id || @user.has_trust_level_or_staff?(TrustLevel[4])
end

def can_view_edit_history?(post)
return false unless post

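Review bot: `can_see_hidden_post?` in the second hunk carries no documentation of the rule it encodes, and since it is now part of the public Guardian surface and the check `can_see_post?` consults for hidden posts, a short comment would help: `# Hidden posts are visible only to their author and to TL4 users or staff; anonymous users never qualify.` As a point of style, the `if ... return true end` / `false` tail added in the first hunk is the method's final expression, so it could be written as the boolean itself, `(!post.trashed? || can_see_deleted_post?(post)) && (!post.hidden? || can_see_hidden_post?(post))`, which reads the same as the other guardian predicates. `can_see_post?` starts outside the hunk; the `return false` / `end` at its top close an earlier branch not shown here.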
32 changes: 32 additions & 0 deletions spec/lib/guardian/post_guardian_spec.rb
@@ -0,0 +1,32 @@
# frozen_string_literal: true

RSpec.describe PostGuardian do
fab!(:user) { Fabricate(:user) }
fab!(:anon) { Fabricate(:anonymous) }
fab!(:admin) { Fabricate(:admin) }
fab!(:tl3_user) { Fabricate(:trust_level_3) }
fab!(:tl4_user) { Fabricate(:trust_level_4) }
fab!(:moderator) { Fabricate(:moderator) }
fab!(:category) { Fabricate(:category) }
fab!(:topic) { Fabricate(:topic, category: category) }
fab!(:hidden_post) { Fabricate(:post, topic: topic, hidden: true) }

describe "#can_see_hidden_post?" do
it "returns false for anonymous users" do
expect(Guardian.new(anon).can_see_hidden_post?(hidden_post)).to eq(false)
end

it "returns false for TL3 users" do
expect(Guardian.new(tl3_user).can_see_hidden_post?(hidden_post)).to eq(false)
end

it "returns true for TL4 users" do
expect(Guardian.new(tl4_user).can_see_hidden_post?(hidden_post)).to eq(true)
end

it "returns true for staff users" do
expect(Guardian.new(moderator).can_see_hidden_post?(hidden_post)).to eq(true)
expect(Guardian.new(admin).can_see_hidden_post?(hidden_post)).to eq(true)
end
end
end
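Review bot: The `#can_see_hidden_post?` examples never exercise the author branch (`post.user_id == @user.id`), which is the other half of the predicate and the case the PR title is about; `fab!(:user)` is also defined but unused in this file. Add `it "returns true for the post author" do expect(Guardian.new(hidden_post.user).can_see_hidden_post?(hidden_post)).to eq(true) end` and a negative case for an unrelated regular user, `expect(Guardian.new(user).can_see_hidden_post?(hidden_post)).to eq(false)`, so a regression in the author check is caught alongside the trust-level and staff cases already covered.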
2 changes: 1 addition & 1 deletion spec/requests/posts_controller_spec.rb
Expand Up @@ -1992,7 +1992,7 @@
it "throws an exception for users" do
sign_in(user)
get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
expect(response.status).to eq(404)
expect(response.status).to eq(403)
end

it "works for admins" do