From 02625d1edd9f312b43f58b0605736d75450735cf Mon Sep 17 00:00:00 2001
From: Ted Johansson
Date: Tue, 25 Apr 2023 13:37:29 +0800
Subject: [PATCH] DEV: Only allow expanding hidden posts for author and staff (#21052)
---
 .../javascripts/discourse/app/widgets/post.js | 5 ++-
 lib/guardian/post_guardian.rb | 10 +++++-
 spec/lib/guardian/post_guardian_spec.rb | 32 +++++++++++++++++++
 spec/requests/posts_controller_spec.rb | 2 +-
 4 files changed, 46 insertions(+), 3 deletions(-)
 create mode 100644 spec/lib/guardian/post_guardian_spec.rb
diff --git a/app/assets/javascripts/discourse/app/widgets/post.js b/app/assets/javascripts/discourse/app/widgets/post.js
index 56a01a922b7..1aa59ae5885 100644
--- a/app/assets/javascripts/discourse/app/widgets/post.js
+++ b/app/assets/javascripts/discourse/app/widgets/post.js
@@ -497,7 +497,10 @@ createWidget("post-contents", {
 result = result.concat(applyDecorators(this, "after-cooked", attrs, state));
- if (attrs.cooked_hidden) {
+ if (
+ attrs.cooked_hidden &&
+ (this.currentUser?.isLeader || attrs.user_id === this.currentUser?.id)
+ ) {
 result.push(this.attach("expand-hidden", attrs));
 }
diff --git a/lib/guardian/post_guardian.rb b/lib/guardian/post_guardian.rb
index 71d48a29637..a72b4befb45 100644
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@@ -269,7 +269,10 @@ module PostGuardian
 return false
 end
 return true if is_moderator? || is_category_group_moderator?(post.topic.category)
- return true if !post.trashed? || can_see_deleted_post?(post)
+ if (!post.trashed? || can_see_deleted_post?(post)) &&
+ (!post.hidden? || can_see_hidden_post?(post))
+ return true
+ end
 false
 end
@@ -280,6 +283,11 @@ module PostGuardian
 post.deleted_by_id == @user.id && @user.has_trust_level?(TrustLevel[4])
 end
+ def can_see_hidden_post?(post)
+ return false if anonymous?
+ post.user_id == @user.id || @user.has_trust_level_or_staff?(TrustLevel[4])
+ end
+
 def can_view_edit_history?(post)
 return false unless post
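Review bot: The condition added at `if (` only decides whether the expand-hidden control is attached; the server-side `can_see_post?` change in lib/guardian/post_guardian.rb is what actually withholds the hidden content, so the two checks should agree exactly. The server admits users via `has_trust_level_or_staff?(TrustLevel[4])`, while the client tests `this.currentUser?.isLeader`; if `isLeader` reflects TL4 alone, a moderator or admin who is not TL4 gets no expand control even though the server would serve the post — worth confirming, and if so the client condition should read `this.currentUser?.isLeader || this.currentUser?.staff || attrs.user_id === this.currentUser?.id`. A short comment such as `// Mirrors PostGuardian#can_see_hidden_post?: author, TL4 or staff` would tie the two sides together for the next maintainer. The `post-contents` widget definition starts and ends outside this hunk.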
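Review bot: The four-line `if … return true … end` followed by `false` in the `@@ -269,7 +269,10 @@` hunk can be a single boolean expression, which keeps the method ending in a plain predicate like the line it replaces: `(!post.trashed? || can_see_deleted_post?(post)) && (!post.hidden? || can_see_hidden_post?(post))`. A one-line comment above it, `# A post must pass both the trashed and the hidden check; moderators were already admitted above.`, makes the layering explicit, since the `return true if is_moderator? …` line a few lines up is what keeps moderators out of these checks. The enclosing method begins before this hunk, so whether `post` is nil-guarded earlier is not visible here.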
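Review bot: `can_see_hidden_post?` has no nil guard on `post`, unlike `can_view_edit_history?` directly below it, which opens with `return false unless post`; called with a nil post (the new spec calls this predicate directly on a Guardian) it raises NoMethodError at `post.user_id` instead of answering false, so `return false if anonymous? || post.nil?` would match the neighbouring predicate. It also lacks a doc comment; `# Hidden posts stay visible to their author and to TL4 or staff users.` states the rule in one line. The threshold differs from `can_see_deleted_post?` just above, which uses `has_trust_level?(TrustLevel[4])` without the staff clause — if that difference is intentional, a word on why would help the next reader.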
diff --git a/spec/lib/guardian/post_guardian_spec.rb b/spec/lib/guardian/post_guardian_spec.rb
new file mode 100644
index 00000000000..713886a6f3b
--- /dev/null
+++ b/spec/lib/guardian/post_guardian_spec.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+RSpec.describe PostGuardian do
+ fab!(:user) { Fabricate(:user) }
+ fab!(:anon) { Fabricate(:anonymous) }
+ fab!(:admin) { Fabricate(:admin) }
+ fab!(:tl3_user) { Fabricate(:trust_level_3) }
+ fab!(:tl4_user) { Fabricate(:trust_level_4) }
+ fab!(:moderator) { Fabricate(:moderator) }
+ fab!(:category) { Fabricate(:category) }
+ fab!(:topic) { Fabricate(:topic, category: category) }
+ fab!(:hidden_post) { Fabricate(:post, topic: topic, hidden: true) }
+
+ describe "#can_see_hidden_post?" do
+ it "returns false for anonymous users" do
+ expect(Guardian.new(anon).can_see_hidden_post?(hidden_post)).to eq(false)
+ end
+
+ it "returns false for TL3 users" do
+ expect(Guardian.new(tl3_user).can_see_hidden_post?(hidden_post)).to eq(false)
+ end
+
+ it "returns true for TL4 users" do
+ expect(Guardian.new(tl4_user).can_see_hidden_post?(hidden_post)).to eq(true)
+ end
+
+ it "returns true for staff users" do
+ expect(Guardian.new(moderator).can_see_hidden_post?(hidden_post)).to eq(true)
+ expect(Guardian.new(admin).can_see_hidden_post?(hidden_post)).to eq(true)
+ end
+ end
+end
diff --git a/spec/requests/posts_controller_spec.rb b/spec/requests/posts_controller_spec.rb
index e31a496960d..b33bd1844f8 100644
--- a/spec/requests/posts_controller_spec.rb
+++ b/spec/requests/posts_controller_spec.rb
@@ -1992,7 +1992,7 @@ RSpec.describe PostsController do
 it "throws an exception for users" do
 sign_in(user)
 get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
- expect(response.status).to eq(404)
+ expect(response.status).to eq(403)
 end
 it "works for admins" do
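Review bot: The new spec never exercises the author branch `post.user_id == @user.id` of `can_see_hidden_post?`, and the `user` fixture declared at `fab!(:user)` is unused, so a regular user who did not write the post is not covered either. An example `it "returns true for the post author" do expect(Guardian.new(hidden_post.user).can_see_hidden_post?(hidden_post)).to eq(true) end` covers the first gap, and a matching negative example built on the `user` fixture expecting `false` covers the second; together they pin the full access rule rather than just its trust-level half.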