fix: prevent users from seeing their own flags

2025-03-01 11:53:27 +08:00 · 2025-01-24 11:08:50 +01:00 · 2025-01-24 11:08:50 +01:00 · 59129fa255
commit 59129fa255
parent 670aa2e236
4 changed files with 7 additions and 9 deletions
--- a/extensions/flags/src/Access/ScopeFlagVisibility.php
+++ b/extensions/flags/src/Access/ScopeFlagVisibility.php
@ -37,10 +37,8 @@ class ScopeFlagVisibility
                    if ($actor->hasPermission('discussion.viewFlags')) {
                        $query->orWhereDoesntHave('post.discussion.tags');
                    }
-                }
-
-                if (! $actor->hasPermission('discussion.viewFlags')) {
-                    $query->orWhere('flags.user_id', $actor->id);
+                } elseif (! $actor->hasPermission('discussion.viewFlags')) {
+                    $query->whereRaw('1 = 0');
                }
            });
    }
--- a/extensions/flags/tests/integration/api/flags/ListTest.php
+++ b/extensions/flags/tests/integration/api/flags/ListTest.php
@ -96,7 +96,7 @@ class ListTest extends TestCase
    }

    #[Test]
-    public function regular_user_sees_own_flags_of_visible_posts()
+    public function regular_user_does_not_see_own_flags_of_visible_posts()
    {
        $response = $this->send(
            $this->request('GET', '/api/flags', [
@ -109,7 +109,7 @@ class ListTest extends TestCase
        $data = json_decode($response->getBody()->getContents(), true)['data'];

        $ids = Arr::pluck($data, 'id');
-        $this->assertEqualsCanonicalizing(['2', '4'], $ids);
+        $this->assertEqualsCanonicalizing([], $ids);
    }

    #[Test]
--- a/extensions/flags/tests/integration/api/flags/ListWithTagsTest.php
+++ b/extensions/flags/tests/integration/api/flags/ListWithTagsTest.php
@ -122,7 +122,7 @@ class ListWithTagsTest extends TestCase
    }

    #[Test]
-    public function regular_user_sees_own_flags()
+    public function regular_user_does_not_see_own_flags()
    {
        $response = $this->send(
            $this->request('GET', '/api/flags', [
@ -135,7 +135,7 @@ class ListWithTagsTest extends TestCase
        $data = json_decode($response->getBody()->getContents(), true)['data'];

        $ids = Arr::pluck($data, 'id');
-        $this->assertEqualsCanonicalizing(['2', '4'], $ids);
+        $this->assertEqualsCanonicalizing([], $ids);
    }

    #[Test]
--- a/extensions/flags/tests/integration/api/posts/IncludeFlagsVisibilityTest.php
+++ b/extensions/flags/tests/integration/api/posts/IncludeFlagsVisibilityTest.php
@ -144,7 +144,7 @@ class IncludeFlagsVisibilityTest extends TestCase
            'user_with_general_permission_sees_where_unrestricted_tag' => [2, [6, 7, 8]],
            'user_with_tag1_permission_sees_tag1_flags' => [3, [1, 2, 3, 4, 5]],
            'normal_user_sees_none' => [4, []],
-            'normal_user_sees_own' => [5, [2, 7, 4, 8]],
+            'normal_user_does_not_see_own' => [5, []],
        ];
    }
 }