Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: don't show contents of hidden posts when quoting the post and when replying as new topic. Also don't allow public to view edit history of hidden posts.

This commit is contained in:
Neil Lalonde 2014-04-15 12:48:49 -04:00
parent f0e8423445
commit 91bfd47419
3 changed files with 31 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/serializers/post_serializer.rb
View File

@ -176,7 +176,7 @@ class PostSerializer < BasicPostSerializer
end
def include_raw?
@add_raw.present?
@add_raw.present? && (scope.user.try(:staff?) || yours)
end
def include_link_counts?

2
lib/guardian/post_guardian.rb
View File

@ -116,7 +116,7 @@ module PostGuardain
def can_view_post_revisions?(post)
return false if post.nil?
return true if SiteSetting.edit_history_visible_to_public
return true if SiteSetting.edit_history_visible_to_public && !post.hidden
authenticated? &&
(is_staff? || @user.has_trust_level?(:elder) || @user.id == post.user_id) &&
can_see_post?(post)

29
spec/serializers/post_serializer_spec.rb
View File

@ -75,4 +75,33 @@ describe PostSerializer do
end
end
context "a hidden post with add_raw enabled" do
let(:user) { Fabricate.build(:user) }
let(:raw) { "Offensive stuff here!" }
let(:post) { Fabricate.build(:post, raw: raw, user: user, hidden: true, hidden_reason_id: Post.hidden_reasons[:flag_threshold_reached]) }
def serialized_post_for_user(u)
s = PostSerializer.new(post, scope: Guardian.new(u), root: false)
s.add_raw = true
s.as_json
end
it "shows the raw post only if authorized to see it" do
serialized_post_for_user(user)[:raw].should == raw
serialized_post_for_user(nil)[:raw].should be_nil
serialized_post_for_user(Fabricate(:user))[:raw].should be_nil
serialized_post_for_user(Fabricate(:moderator))[:raw].should == raw
serialized_post_for_user(Fabricate(:admin))[:raw].should == raw
end
it "can view edit history only if authorized" do
serialized_post_for_user(user)[:can_view_edit_history].should == true
serialized_post_for_user(nil)[:can_view_edit_history].should == false
serialized_post_for_user(Fabricate(:user))[:can_view_edit_history].should == false
serialized_post_for_user(Fabricate(:moderator))[:can_view_edit_history].should == true
serialized_post_for_user(Fabricate(:admin))[:can_view_edit_history].should == true
end
end
end