SECURITY: Don't leak user of previous whisper post when deleting a topic.

A topic's last poster can be incorrectly set to a user of a whisper post
if the whisper post is before the last post and the last post is
deleted.

lib/post_destroyer.rb

@@ -258,6 +258,7 @@ class PostDestroyer
       .select(:created_at, :user_id, :post_number)
       .where("topic_id = ? and id <> ?", @post.topic_id, @post.id)
       .where.not(user_id: nil)
+      .where.not(post_type: Post.types[:whisper])
       .order('created_at desc')
       .limit(1)
       .first

spec/components/post_destroyer_spec.rb

@@ -616,6 +616,22 @@ describe PostDestroyer do
     end
   end
 
+  describe "deleting a post directly after a whisper" do
+    before do
+      SiteSetting.enable_whispers = true
+    end
+
+    it 'should not set Topic#last_post_user_id to a whisperer' do
+      post_1 = create_post(topic: post.topic, user: moderator)
+      whisper_1 = create_post(topic: post.topic, user: Fabricate(:user), post_type: Post.types[:whisper])
+      whisper_2 = create_post(topic: post.topic, user: Fabricate(:user), post_type: Post.types[:whisper])
+
+      PostDestroyer.new(admin, whisper_2).destroy
+
+      expect(post.topic.reload.last_post_user_id).to eq(post_1.user.id)
+    end
+  end
+
   context 'deleting the second post in a topic' do
 
     fab!(:user) { Fabricate(:user) }