From 7b3432f711511284b573bb9d3a7c932a126f330e Mon Sep 17 00:00:00 2001
From: Penar Musaraj <pmusaraj@gmail.com>
Date: Mon, 5 Nov 2018 10:00:59 -0500
Subject: [PATCH] Enforce disabling flagging hidden posts server-side

---
 lib/guardian/post_guardian.rb    | 3 +++
 spec/components/guardian_spec.rb | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/lib/guardian/post_guardian.rb b/lib/guardian/post_guardian.rb
index dd7504fa70d..d30db1972d6 100644
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@@ -40,6 +40,9 @@ module PostGuardian
       # Silenced users can't flag
       return false if is_flag && @user.silenced?
 
+      # Hidden posts can't be flagged
+      return false if is_flag && post.hidden?
+
       # post made by staff, but we don't allow staff flags
       return false if is_flag &&
         (!SiteSetting.allow_flagging_staff?) &&
diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb
index 5a05341928c..9f9da726038 100644
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@@ -116,6 +116,11 @@ describe Guardian do
       expect(Guardian.new(user).post_can_act?(post, :spam)).to be_truthy
     end
 
+    it "does not allow flagging of hidden posts" do
+      post.hidden = true
+      expect(Guardian.new(user).post_can_act?(post, :spam)).to be_falsey
+    end
+
     it "allows flagging of staff posts when allow_flagging_staff is true" do
       SiteSetting.allow_flagging_staff = true
       staff_post = Fabricate(:post, user: Fabricate(:moderator))