FIX: don't show contents of hidden posts when quoting the post and wh…

…en replying as new topic. Also don't allow public to view edit history of hidden posts.
magic-madrigal · Apr 15, 2014 · 91bfd47 · 91bfd47
1 parent f0e8423
commit 91bfd47
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 2 deletions.
diff --git a/app/serializers/post_serializer.rb b/app/serializers/post_serializer.rb
@@ -176,7 +176,7 @@ def include_slug_title?
   end
 
   def include_raw?
-    @add_raw.present?
+    @add_raw.present? && (scope.user.try(:staff?) || yours)
   end
 
   def include_link_counts?

diff --git a/lib/guardian/post_guardian.rb b/lib/guardian/post_guardian.rb
@@ -116,7 +116,7 @@ def can_see_post_revision?(post_revision)
 
   def can_view_post_revisions?(post)
     return false if post.nil?
-    return true if SiteSetting.edit_history_visible_to_public
+    return true if SiteSetting.edit_history_visible_to_public && !post.hidden
     authenticated? &&
       (is_staff? || @user.has_trust_level?(:elder) || @user.id == post.user_id) &&
       can_see_post?(post)

diff --git a/spec/serializers/post_serializer_spec.rb b/spec/serializers/post_serializer_spec.rb
@@ -75,4 +75,33 @@ def visible_actions_for(user)
     end
   end
 
+  context "a hidden post with add_raw enabled" do
+    let(:user) { Fabricate.build(:user) }
+    let(:raw)  { "Offensive stuff here!" }
+    let(:post) { Fabricate.build(:post, raw: raw, user: user, hidden: true, hidden_reason_id: Post.hidden_reasons[:flag_threshold_reached]) }
+
+    def serialized_post_for_user(u)
+      s = PostSerializer.new(post, scope: Guardian.new(u), root: false)
+      s.add_raw = true
+      s.as_json
+    end
+
+    it "shows the raw post only if authorized to see it" do
+      serialized_post_for_user(user)[:raw].should == raw
+      serialized_post_for_user(nil)[:raw].should be_nil
+      serialized_post_for_user(Fabricate(:user))[:raw].should be_nil
+      serialized_post_for_user(Fabricate(:moderator))[:raw].should == raw
+      serialized_post_for_user(Fabricate(:admin))[:raw].should == raw
+    end
+
+    it "can view edit history only if authorized" do
+      serialized_post_for_user(user)[:can_view_edit_history].should == true
+      serialized_post_for_user(nil)[:can_view_edit_history].should == false
+      serialized_post_for_user(Fabricate(:user))[:can_view_edit_history].should == false
+      serialized_post_for_user(Fabricate(:moderator))[:can_view_edit_history].should == true
+      serialized_post_for_user(Fabricate(:admin))[:can_view_edit_history].should == true
+    end
+
+  end
+
 end