DEV: Only allow expanding hidden posts for author and staff (#21052)

This commit is contained in:
Ted Johansson 2023-04-25 13:37:29 +08:00 committed by GitHub
parent 9cc1b6a959
commit 02625d1edd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 46 additions and 3 deletions

View File

@ -497,7 +497,10 @@ createWidget("post-contents", {
result = result.concat(applyDecorators(this, "after-cooked", attrs, state)); result = result.concat(applyDecorators(this, "after-cooked", attrs, state));
if (attrs.cooked_hidden) { if (
attrs.cooked_hidden &&
(this.currentUser?.isLeader || attrs.user_id === this.currentUser?.id)
) {
result.push(this.attach("expand-hidden", attrs)); result.push(this.attach("expand-hidden", attrs));
} }

View File

@ -269,7 +269,10 @@ module PostGuardian
return false return false
end end
return true if is_moderator? || is_category_group_moderator?(post.topic.category) return true if is_moderator? || is_category_group_moderator?(post.topic.category)
return true if !post.trashed? || can_see_deleted_post?(post) if (!post.trashed? || can_see_deleted_post?(post)) &&
(!post.hidden? || can_see_hidden_post?(post))
return true
end
false false
end end
@ -280,6 +283,11 @@ module PostGuardian
post.deleted_by_id == @user.id && @user.has_trust_level?(TrustLevel[4]) post.deleted_by_id == @user.id && @user.has_trust_level?(TrustLevel[4])
end end
def can_see_hidden_post?(post)
return false if anonymous?
post.user_id == @user.id || @user.has_trust_level_or_staff?(TrustLevel[4])
end
def can_view_edit_history?(post) def can_view_edit_history?(post)
return false unless post return false unless post

View File

@ -0,0 +1,32 @@
# frozen_string_literal: true
RSpec.describe PostGuardian do
fab!(:user) { Fabricate(:user) }
fab!(:anon) { Fabricate(:anonymous) }
fab!(:admin) { Fabricate(:admin) }
fab!(:tl3_user) { Fabricate(:trust_level_3) }
fab!(:tl4_user) { Fabricate(:trust_level_4) }
fab!(:moderator) { Fabricate(:moderator) }
fab!(:category) { Fabricate(:category) }
fab!(:topic) { Fabricate(:topic, category: category) }
fab!(:hidden_post) { Fabricate(:post, topic: topic, hidden: true) }
describe "#can_see_hidden_post?" do
it "returns false for anonymous users" do
expect(Guardian.new(anon).can_see_hidden_post?(hidden_post)).to eq(false)
end
it "returns false for TL3 users" do
expect(Guardian.new(tl3_user).can_see_hidden_post?(hidden_post)).to eq(false)
end
it "returns true for TL4 users" do
expect(Guardian.new(tl4_user).can_see_hidden_post?(hidden_post)).to eq(true)
end
it "returns true for staff users" do
expect(Guardian.new(moderator).can_see_hidden_post?(hidden_post)).to eq(true)
expect(Guardian.new(admin).can_see_hidden_post?(hidden_post)).to eq(true)
end
end
end

View File

@ -1992,7 +1992,7 @@ RSpec.describe PostsController do
it "throws an exception for users" do it "throws an exception for users" do
sign_in(user) sign_in(user)
get "/posts/#{post.id}/revisions/#{post_revision.number}.json" get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
expect(response.status).to eq(404) expect(response.status).to eq(403)
end end
it "works for admins" do it "works for admins" do