From 91bfd474192a20c4bcda1fef2041adc6257fc0da Mon Sep 17 00:00:00 2001
From: Neil Lalonde
Date: Tue, 15 Apr 2014 12:48:49 -0400
Subject: [PATCH] FIX: don't show contents of hidden posts when quoting the post and when replying as new topic. Also don't allow public to view edit history of hidden posts.
---
 app/serializers/post_serializer.rb | 2 +-
 lib/guardian/post_guardian.rb | 2 +-
 spec/serializers/post_serializer_spec.rb | 29 ++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/app/serializers/post_serializer.rb b/app/serializers/post_serializer.rb
index faedc38b1e83e..f82f4af9edfce 100644
--- a/app/serializers/post_serializer.rb
+++ b/app/serializers/post_serializer.rb
@@ -176,7 +176,7 @@ def include_slug_title?
 end
 def include_raw?
- @add_raw.present?
+ @add_raw.present? && (scope.user.try(:staff?) || yours)
 end
 def include_link_counts?
diff --git a/lib/guardian/post_guardian.rb b/lib/guardian/post_guardian.rb
index 0357f08e3a896..e11b3797a893b 100644
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@@ -116,7 +116,7 @@ def can_see_post_revision?(post_revision)
 def can_view_post_revisions?(post)
 return false if post.nil?
- return true if SiteSetting.edit_history_visible_to_public
+ return true if SiteSetting.edit_history_visible_to_public && !post.hidden
 authenticated? &&
 (is_staff? || @user.has_trust_level?(:elder) || @user.id == post.user_id) &&
 can_see_post?(post)
diff --git a/spec/serializers/post_serializer_spec.rb b/spec/serializers/post_serializer_spec.rb
index b16d7954f8a2f..c61ed48b70d74 100644
--- a/spec/serializers/post_serializer_spec.rb
+++ b/spec/serializers/post_serializer_spec.rb
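Review bot: The new `include_raw?` condition never consults the post's hidden flag, so it withholds `raw` from every reader who is neither staff nor the author on every post, not only on hidden posts as the commit message describes; as written, quoting or reply-as-new-topic would lose the raw text for anonymous and ordinary readers of ordinary posts. Gate on the same flag the guardian hunk uses, e.g. `@add_raw.present? && (!object.hidden || scope.user.try(:staff?) || yours)`, assuming the serialized post is reachable as `object` here as elsewhere in the serializer. `yours` and `scope.user` are defined outside the hunk, and the enclosing serializer class starts and ends outside it.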
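Review bot: `can_view_post_revisions?` now keeps public readers out of a hidden post's history, but the per-revision check `can_see_post_revision?` named in the hunk header has its body outside the hunk, and unless it delegates to this method a single revision of a hidden post could still be fetched by id under the public setting; worth confirming it applies the same `hidden` rule. A small consistency point: the rest of the method is written in predicate style (`authenticated?`, `is_staff?`), so `!post.hidden?` would read the same way if `hidden` is a boolean column, which the spec's `hidden: true` suggests. The method's enclosing class is outside the hunk.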
@@ -75,4 +75,33 @@ def visible_actions_for(user)
 end
 end
+ context "a hidden post with add_raw enabled" do
+ let(:user) { Fabricate.build(:user) }
+ let(:raw) { "Offensive stuff here!" }
+ let(:post) { Fabricate.build(:post, raw: raw, user: user, hidden: true, hidden_reason_id: Post.hidden_reasons[:flag_threshold_reached]) }
+
+ def serialized_post_for_user(u)
+ s = PostSerializer.new(post, scope: Guardian.new(u), root: false)
+ s.add_raw = true
+ s.as_json
+ end
+
+ it "shows the raw post only if authorized to see it" do
+ serialized_post_for_user(user)[:raw].should == raw
+ serialized_post_for_user(nil)[:raw].should be_nil
+ serialized_post_for_user(Fabricate(:user))[:raw].should be_nil
+ serialized_post_for_user(Fabricate(:moderator))[:raw].should == raw
+ serialized_post_for_user(Fabricate(:admin))[:raw].should == raw
+ end
+
+ it "can view edit history only if authorized" do
+ serialized_post_for_user(user)[:can_view_edit_history].should == true
+ serialized_post_for_user(nil)[:can_view_edit_history].should == false
+ serialized_post_for_user(Fabricate(:user))[:can_view_edit_history].should == false
+ serialized_post_for_user(Fabricate(:moderator))[:can_view_edit_history].should == true
+ serialized_post_for_user(Fabricate(:admin))[:can_view_edit_history].should == true
+ end
+
+ end
+
+ end
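Review bot: The new examples cover only a hidden post, so nothing asserts that `raw` is still served to an anonymous reader of a non-hidden post, which is exactly the regression the serializer's new `include_raw?` condition can introduce; add a sibling example that builds the post without `hidden: true` and expects `serialized_post_for_user(nil)[:raw].should == raw`. The edit-history example also leaves `SiteSetting.edit_history_visible_to_public` at its default, so the guardian's new `!post.hidden` branch is exercised only if that default happens to be true; set it explicitly in the example (e.g. `SiteSetting.edit_history_visible_to_public = true`, or however the suite stubs settings) so the assertions do not depend on the default. The `describe` block these examples sit in starts outside the hunk.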