FIX: don't leak whisper count in user card

app/controllers/users_controller.rb

@@ -50,7 +50,7 @@ class UsersController < ApplicationController
 
     topic_id = params[:include_post_count_for].to_i
     if topic_id != 0
-      user_serializer.topic_post_count = { topic_id => Post.where(topic_id: topic_id, user_id: @user.id).count }
+      user_serializer.topic_post_count = { topic_id => Post.secured(guardian).where(topic_id: topic_id, user_id: @user.id).count }
     end
 
     if !params[:skip_track_visit] && (@user != current_user)

app/models/post.rb

@@ -74,15 +74,15 @@ class Post < ActiveRecord::Base
                                               user_id: user.id)
   }
 
-  scope :by_newest, -> { order('created_at desc, id desc') }
+  scope :by_newest, -> { order('created_at DESC, id DESC') }
   scope :by_post_number, -> { order('post_number ASC') }
   scope :with_user, -> { includes(:user) }
-  scope :created_since, lambda { |time_ago| where('posts.created_at > ?', time_ago) }
+  scope :created_since, -> (time_ago) { where('posts.created_at > ?', time_ago) }
   scope :public_posts, -> { joins(:topic).where('topics.archetype <> ?', Archetype.private_message) }
   scope :private_posts, -> { joins(:topic).where('topics.archetype = ?', Archetype.private_message) }
   scope :with_topic_subtype, ->(subtype) { joins(:topic).where('topics.subtype = ?', subtype) }
   scope :visible, -> { joins(:topic).where('topics.visible = true').where(hidden: false) }
-  scope :secured, lambda { |guardian| where('posts.post_type in (?)', Topic.visible_post_types(guardian && guardian.user)) }
+  scope :secured, -> (guardian) { where('posts.post_type IN (?)', Topic.visible_post_types(guardian&.user)) }
   scope :for_mailing_list, ->(user, since) {
     q = created_since(since)
       .joins(:topic)

lib/topic_view.rb

@@ -304,11 +304,11 @@ class TopicView
   end
 
   def links
-    @links ||= TopicLink.topic_map(guardian, @topic.id)
+    @links ||= TopicLink.topic_map(@guardian, @topic.id)
   end
 
   def link_counts
-    @link_counts ||= TopicLink.counts_for(guardian, @topic, posts)
+    @link_counts ||= TopicLink.counts_for(@guardian, @topic, posts)
   end
 
   # Are we the initial page load? If so, we can return extra information like
@@ -454,7 +454,7 @@ class TopicView
     if @topic.present? && @topic.private_message? && @user.blank?
       raise Discourse::NotLoggedIn.new
     end
-    raise Discourse::InvalidAccess.new("can't see #{@topic}", @topic) unless guardian.can_see?(@topic)
+    raise Discourse::InvalidAccess.new("can't see #{@topic}", @topic) unless @guardian.can_see?(@topic)
   end
 
   def get_minmax_ids(post_number)

spec/controllers/users_controller_spec.rb

@@ -88,6 +88,33 @@ describe UsersController do
         end
       end
 
+      describe "include_post_count_for" do
+
+        let(:admin) { Fabricate(:admin) }
+        let(:topic) { Fabricate(:topic) }
+
+        before do
+          Fabricate(:post, user: user, topic: topic)
+          Fabricate(:post, user: admin, topic: topic)
+          Fabricate(:post, user: admin, topic: topic, post_type: Post.types[:whisper])
+        end
+
+        it "includes only visible posts" do
+          get :show, username: admin.username, include_post_count_for: topic.id, format: :json
+          topic_post_count = JSON.parse(response.body).dig("user", "topic_post_count")
+          expect(topic_post_count[topic.id.to_s]).to eq(1)
+        end
+
+        it "includes all post types for staff members" do
+          log_in_user(admin)
+
+          get :show, username: admin.username, include_post_count_for: topic.id, format: :json
+          topic_post_count = JSON.parse(response.body).dig("user", "topic_post_count")
+          expect(topic_post_count[topic.id.to_s]).to eq(2)
+        end
+
+      end
+
     end
 
   end