DEV: Only allow expanding hidden posts for author and staff (#21052)

2023-04-25 13:37:29 +08:00 · 2023-04-25 13:37:29 +08:00 · 02625d1edd
parent 9cc1b6a959
commit 02625d1edd
4 changed files with 46 additions and 3 deletions
--- a/app/assets/javascripts/discourse/app/widgets/post.js
+++ b/app/assets/javascripts/discourse/app/widgets/post.js
@ -497,7 +497,10 @@ createWidget("post-contents", {

    result = result.concat(applyDecorators(this, "after-cooked", attrs, state));

-    if (attrs.cooked_hidden) {
+    if (
+      attrs.cooked_hidden &&
+      (this.currentUser?.isLeader || attrs.user_id === this.currentUser?.id)
+    ) {
      result.push(this.attach("expand-hidden", attrs));
    }

--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@ -269,7 +269,10 @@ module PostGuardian
      return false
    end
    return true if is_moderator? || is_category_group_moderator?(post.topic.category)
-    return true if !post.trashed? || can_see_deleted_post?(post)
+    if (!post.trashed? || can_see_deleted_post?(post)) &&
+         (!post.hidden? || can_see_hidden_post?(post))
+      return true
+    end
    false
  end

@ -280,6 +283,11 @@ module PostGuardian
    post.deleted_by_id == @user.id && @user.has_trust_level?(TrustLevel[4])
  end

+  def can_see_hidden_post?(post)
+    return false if anonymous?
+    post.user_id == @user.id || @user.has_trust_level_or_staff?(TrustLevel[4])
+  end
+
  def can_view_edit_history?(post)
    return false unless post

--- a/spec/lib/guardian/post_guardian_spec.rb
+++ b/spec/lib/guardian/post_guardian_spec.rb
@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+RSpec.describe PostGuardian do
+  fab!(:user) { Fabricate(:user) }
+  fab!(:anon) { Fabricate(:anonymous) }
+  fab!(:admin) { Fabricate(:admin) }
+  fab!(:tl3_user) { Fabricate(:trust_level_3) }
+  fab!(:tl4_user) { Fabricate(:trust_level_4) }
+  fab!(:moderator) { Fabricate(:moderator) }
+  fab!(:category) { Fabricate(:category) }
+  fab!(:topic) { Fabricate(:topic, category: category) }
+  fab!(:hidden_post) { Fabricate(:post, topic: topic, hidden: true) }
+
+  describe "#can_see_hidden_post?" do
+    it "returns false for anonymous users" do
+      expect(Guardian.new(anon).can_see_hidden_post?(hidden_post)).to eq(false)
+    end
+
+    it "returns false for TL3 users" do
+      expect(Guardian.new(tl3_user).can_see_hidden_post?(hidden_post)).to eq(false)
+    end
+
+    it "returns true for TL4 users" do
+      expect(Guardian.new(tl4_user).can_see_hidden_post?(hidden_post)).to eq(true)
+    end
+
+    it "returns true for staff users" do
+      expect(Guardian.new(moderator).can_see_hidden_post?(hidden_post)).to eq(true)
+      expect(Guardian.new(admin).can_see_hidden_post?(hidden_post)).to eq(true)
+    end
+  end
+end
--- a/spec/requests/posts_controller_spec.rb
+++ b/spec/requests/posts_controller_spec.rb
@ -1992,7 +1992,7 @@ RSpec.describe PostsController do
      it "throws an exception for users" do
        sign_in(user)
        get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
-        expect(response.status).to eq(404)
+        expect(response.status).to eq(403)
      end

      it "works for admins" do