FIX: don't leak whisper count in user card
This commit is contained in:
parent
39adf2588a
commit
797936d2c5
@ -50,7 +50,7 @@ class UsersController < ApplicationController
|
|||
|
||||
topic_id = params[:include_post_count_for].to_i
|
||||
if topic_id != 0
|
||||
user_serializer.topic_post_count = { topic_id => Post.where(topic_id: topic_id, user_id: @user.id).count }
|
||||
user_serializer.topic_post_count = { topic_id => Post.secured(guardian).where(topic_id: topic_id, user_id: @user.id).count }
|
||||
end
|
||||
|
||||
if !params[:skip_track_visit] && (@user != current_user)
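Review bot: The new `Post.secured(guardian)` on the added line restricts by post type only (the scope this commit rewrites filters `posts.post_type IN (...)`), so the count is still computed for whatever `include_post_count_for` topic id the caller supplies, including topics the requester cannot see such as a private message or a topic in a restricted category, unless that is checked earlier in the action where the hunk does not show it. An unprivileged caller could then learn how many posts a user has made in a topic they cannot open, which is the same class of leak this commit fixes for whispers. I would load the topic and gate on it, e.g. `topic = Topic.find_by(id: topic_id)` then `if topic && guardian.can_see?(topic)`, and only set `topic_post_count` inside that branch. Deleted and hidden posts are also not filtered on this line; whether the model's default scope excludes trashed posts is not visible here. The `show` action this sits in starts and ends outside the hunk.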
|
||||
|
|
|
@ -74,15 +74,15 @@ class Post < ActiveRecord::Base
|
|||
user_id: user.id)
|
||||
}
|
||||
|
||||
scope :by_newest, -> { order('created_at desc, id desc') }
|
||||
scope :by_newest, -> { order('created_at DESC, id DESC') }
|
||||
scope :by_post_number, -> { order('post_number ASC') }
|
||||
scope :with_user, -> { includes(:user) }
|
||||
scope :created_since, lambda { |time_ago| where('posts.created_at > ?', time_ago) }
|
||||
scope :created_since, -> (time_ago) { where('posts.created_at > ?', time_ago) }
|
||||
scope :public_posts, -> { joins(:topic).where('topics.archetype <> ?', Archetype.private_message) }
|
||||
scope :private_posts, -> { joins(:topic).where('topics.archetype = ?', Archetype.private_message) }
|
||||
scope :with_topic_subtype, ->(subtype) { joins(:topic).where('topics.subtype = ?', subtype) }
|
||||
scope :visible, -> { joins(:topic).where('topics.visible = true').where(hidden: false) }
|
||||
scope :secured, lambda { |guardian| where('posts.post_type in (?)', Topic.visible_post_types(guardian && guardian.user)) }
|
||||
scope :secured, -> (guardian) { where('posts.post_type IN (?)', Topic.visible_post_types(guardian&.user)) }
|
||||
scope :for_mailing_list, ->(user, since) {
|
||||
q = created_since(since)
|
||||
.joins(:topic)
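Review bot: The rewritten `secured` scope reads like a full authorization filter but only constrains `posts.post_type` through `Topic.visible_post_types(guardian&.user)`; it never joins `topics`, so topic and category visibility are not checked and a caller may assume more protection than it gets. A comment on the scope would prevent that misuse, e.g. `# Restricts by post type only (hides whispers etc. from non-staff); it does NOT check that the topic or category is visible — callers must still run guardian.can_see? on the topic.` It is also worth stating in that comment that `guardian&.user` makes a nil guardian behave as an anonymous viewer, which is the safe default. The `for_mailing_list` scope continues past the end of the hunk.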
|
||||
|
|
|
@ -304,11 +304,11 @@ class TopicView
|
|||
end
|
||||
|
||||
def links
|
||||
@links ||= TopicLink.topic_map(guardian, @topic.id)
|
||||
@links ||= TopicLink.topic_map(@guardian, @topic.id)
|
||||
end
|
||||
|
||||
def link_counts
|
||||
@link_counts ||= TopicLink.counts_for(guardian, @topic, posts)
|
||||
@link_counts ||= TopicLink.counts_for(@guardian, @topic, posts)
|
||||
end
|
||||
|
||||
# Are we the initial page load? If so, we can return extra information like
|
||||
|
@ -454,7 +454,7 @@ class TopicView
|
|||
if @topic.present? && @topic.private_message? && @user.blank?
|
||||
raise Discourse::NotLoggedIn.new
|
||||
end
|
||||
raise Discourse::InvalidAccess.new("can't see #{@topic}", @topic) unless guardian.can_see?(@topic)
|
||||
raise Discourse::InvalidAccess.new("can't see #{@topic}", @topic) unless @guardian.can_see?(@topic)
|
||||
end
|
||||
|
||||
def get_minmax_ids(post_number)
|
||||
|
|
|
@ -88,6 +88,33 @@ describe UsersController do
|
|||
end
|
||||
end
|
||||
|
||||
describe "include_post_count_for" do
|
||||
|
||||
let(:admin) { Fabricate(:admin) }
|
||||
let(:topic) { Fabricate(:topic) }
|
||||
|
||||
before do
|
||||
Fabricate(:post, user: user, topic: topic)
|
||||
Fabricate(:post, user: admin, topic: topic)
|
||||
Fabricate(:post, user: admin, topic: topic, post_type: Post.types[:whisper])
|
||||
end
|
||||
|
||||
it "includes only visible posts" do
|
||||
get :show, username: admin.username, include_post_count_for: topic.id, format: :json
|
||||
topic_post_count = JSON.parse(response.body).dig("user", "topic_post_count")
|
||||
expect(topic_post_count[topic.id.to_s]).to eq(1)
|
||||
end
|
||||
|
||||
it "includes all post types for staff members" do
|
||||
log_in_user(admin)
|
||||
|
||||
get :show, username: admin.username, include_post_count_for: topic.id, format: :json
|
||||
topic_post_count = JSON.parse(response.body).dig("user", "topic_post_count")
|
||||
expect(topic_post_count[topic.id.to_s]).to eq(2)
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
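Review bot: Neither new example covers a topic the requester is not allowed to see, so the spec would still pass if `include_post_count_for` revealed post counts for a private message or a restricted-category topic; the two examples only exercise the whisper post type for an anonymous request and a staff request. I would add an example that fabricates a topic the anonymous viewer cannot see, creates a post in it as `admin`, requests `include_post_count_for` with that topic's id, and expects no count (or 0) under `topic_post_count`. A logged-in non-staff user case would also pin that the whisper exclusion depends on staff status rather than on being anonymous. The outer `describe UsersController` and the `user` let referenced on the first line of the `before` block are outside the hunk.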
|
||||
|
|