From 59129fa25578c18b7d66c71c26cdc31eb95ccd0d Mon Sep 17 00:00:00 2001
From: Sami Mazouz
Date: Fri, 24 Jan 2025 11:08:50 +0100
Subject: [PATCH] fix: prevent users from seeing their own flags
---
 extensions/flags/src/Access/ScopeFlagVisibility.php | 6 ++----
 extensions/flags/tests/integration/api/flags/ListTest.php | 4 ++--
 .../flags/tests/integration/api/flags/ListWithTagsTest.php | 4 ++--
 .../integration/api/posts/IncludeFlagsVisibilityTest.php | 2 +-
 4 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/extensions/flags/src/Access/ScopeFlagVisibility.php b/extensions/flags/src/Access/ScopeFlagVisibility.php
index 6b9f40e54..a412181a2 100644
--- a/extensions/flags/src/Access/ScopeFlagVisibility.php
+++ b/extensions/flags/src/Access/ScopeFlagVisibility.php
@@ -37,10 +37,8 @@ class ScopeFlagVisibility
 if ($actor->hasPermission('discussion.viewFlags')) {
 $query->orWhereDoesntHave('post.discussion.tags');
 }
- }
-
- if (! $actor->hasPermission('discussion.viewFlags')) {
- $query->orWhere('flags.user_id', $actor->id);
+ } elseif (! $actor->hasPermission('discussion.viewFlags')) {
+ $query->whereRaw('1 = 0');
 }
 });
 }
diff --git a/extensions/flags/tests/integration/api/flags/ListTest.php b/extensions/flags/tests/integration/api/flags/ListTest.php
index 33ace7c7e..d7bf55455 100644
--- a/extensions/flags/tests/integration/api/flags/ListTest.php
+++ b/extensions/flags/tests/integration/api/flags/ListTest.php
@@ -96,7 +96,7 @@ class ListTest extends TestCase
 }
 
 #[Test]
- public function regular_user_sees_own_flags_of_visible_posts()
+ public function regular_user_does_not_see_own_flags_of_visible_posts()
 {
 $response = $this->send(
 $this->request('GET', '/api/flags', [
@@ -109,7 +109,7 @@ class ListTest extends TestCase
 $data = json_decode($response->getBody()->getContents(), true)['data'];
 $ids = Arr::pluck($data, 'id');
 
- $this->assertEqualsCanonicalizing(['2', '4'], $ids);
+ $this->assertEqualsCanonicalizing([], $ids);
 }
 
 #[Test]
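Review bot: The new `elseif` branch relies on `$query->whereRaw('1 = 0')` hiding every flag, but that only holds if the closure group is otherwise empty in this branch: the query builder joins a `whereRaw` that follows earlier `orWhere` clauses with AND, so `A OR B AND 1 = 0` still lets `A` through. The closure and the enclosing method both start before line 37, so I cannot see whether any clause is added to the group earlier; if one is, the kill clause needs to be the only clause in this branch or sit in its own nested group. A one-line comment would also make the intent explicit for the next reader, e.g. `// Neither tag-scoped nor global 'discussion.viewFlags': hide every flag, including the actor's own.` When the outer condition is false and the actor does hold `discussion.viewFlags`, no clause is added at all, which presumably means "all flags visible"; that path deserves the same comment.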
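Review bot: `$this->assertEqualsCanonicalizing([], $ids);` in the second ListTest hunk also passes when the request fails for an unrelated reason or when the scope hides flags from everyone, so the test no longer distinguishes "own flags correctly hidden" from "endpoint or query broken". If the method (which begins in the first hunk; its request setup lies between the two hunks) does not already check the status, add `$this->assertEquals(200, $response->getStatusCode());` before decoding the body, and keep a sibling case where a user holding `discussion.viewFlags` still sees those same flags so the empty result is attributable to the actor rather than to the fixture. The identical change in ListWithTagsTest.php has the same gap.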
diff --git a/extensions/flags/tests/integration/api/flags/ListWithTagsTest.php b/extensions/flags/tests/integration/api/flags/ListWithTagsTest.php
index 3dc8ae6b9..aee1df06c 100644
--- a/extensions/flags/tests/integration/api/flags/ListWithTagsTest.php
+++ b/extensions/flags/tests/integration/api/flags/ListWithTagsTest.php
@@ -122,7 +122,7 @@ class ListWithTagsTest extends TestCase
 }
 
 #[Test]
- public function regular_user_sees_own_flags()
+ public function regular_user_does_not_see_own_flags()
 {
 $response = $this->send(
 $this->request('GET', '/api/flags', [
@@ -135,7 +135,7 @@ class ListWithTagsTest extends TestCase
 $data = json_decode($response->getBody()->getContents(), true)['data'];
 $ids = Arr::pluck($data, 'id');
 
- $this->assertEqualsCanonicalizing(['2', '4'], $ids);
+ $this->assertEqualsCanonicalizing([], $ids);
 }
 
 #[Test]
diff --git a/extensions/flags/tests/integration/api/posts/IncludeFlagsVisibilityTest.php b/extensions/flags/tests/integration/api/posts/IncludeFlagsVisibilityTest.php
index 1bb0e992c..f2fd9e549 100644
--- a/extensions/flags/tests/integration/api/posts/IncludeFlagsVisibilityTest.php
+++ b/extensions/flags/tests/integration/api/posts/IncludeFlagsVisibilityTest.php
@@ -144,7 +144,7 @@ class IncludeFlagsVisibilityTest extends TestCase
 'user_with_general_permission_sees_where_unrestricted_tag' => [2, [6, 7, 8]],
 'user_with_tag1_permission_sees_tag1_flags' => [3, [1, 2, 3, 4, 5]],
 'normal_user_sees_none' => [4, []],
- 'normal_user_sees_own' => [5, [2, 7, 4, 8]],
+ 'normal_user_does_not_see_own' => [5, []],
 ];
 }
 }
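Review bot: The renamed dataset `'normal_user_does_not_see_own' => [5, []]` in IncludeFlagsVisibilityTest now carries the same expected value as `'normal_user_sees_none' => [4, []]`, and nothing in the provider says why user 5 is a distinct case; presumably user 5 is the author of the flags the old expectation listed. A comment on that line, e.g. `// user 5 authored these flags in the fixture; own flags must still be hidden`, keeps the case from reading as redundant and from being dropped in a later cleanup. The provider method and the fixture it relies on are outside the hunk, so confirm the authorship before wording it.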