FIX: don't show contents of hidden posts when quoting the post and when replying as new topic. Also don't allow public to view edit history of hidden posts.

Neil Lalonde 2014-04-15 12:48:49 -04:00
parent f0e8423445
commit 91bfd47419
3 changed files with 31 additions and 2 deletions


@ -176,7 +176,7 @@ class PostSerializer < BasicPostSerializer
end end
def include_raw? def include_raw?
@add_raw.present? @add_raw.present? && (scope.user.try(:staff?) || yours)
end end
def include_link_counts? def include_link_counts?
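Review bot: The new condition on the include_raw? line withholds raw from every post, not only hidden ones: a reader who is neither staff nor the author now gets no raw for a visible post either, which is broader than the commit title ("hidden posts") describes. Unless add_raw is only ever requested on paths where that is intended, the hidden flag should be part of the test, `@add_raw.present? && (!object.hidden || scope.is_staff? || yours)`. Using `scope.is_staff?` also keeps the rule on the Guardian (which already exposes is_staff?, as the PostGuardain hunk shows) instead of reaching through scope.user with try, so the authorization decision lives in one place. include_link_counts? and the rest of the class are outside the hunk.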


@ -116,7 +116,7 @@ module PostGuardain
def can_view_post_revisions?(post) def can_view_post_revisions?(post)
return false if post.nil? return false if post.nil?
return true if SiteSetting.edit_history_visible_to_public return true if SiteSetting.edit_history_visible_to_public && !post.hidden
authenticated? && authenticated? &&
(is_staff? || @user.has_trust_level?(:elder) || @user.id == post.user_id) && (is_staff? || @user.has_trust_level?(:elder) || @user.id == post.user_id) &&
can_see_post?(post) can_see_post?(post)
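Review bot: The public early return on the edit_history_visible_to_public line still skips can_see_post?(post), while the authenticated branch below requires it; after this change a hidden post is withheld from the public, but a non-hidden post in a topic the anonymous viewer cannot otherwise see is presumably still reported as viewable. If that is not intended, fold the visibility check into the early return, `return true if SiteSetting.edit_history_visible_to_public && !post.hidden && can_see_post?(post)`. can_view_post_revisions? continues past the end of the hunk, so its closing end and any further conditions are not visible here.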


@ -75,4 +75,33 @@ describe PostSerializer do
end end
end end
context "a hidden post with add_raw enabled" do
let(:user) { Fabricate.build(:user) }
let(:raw) { "Offensive stuff here!" }
let(:post) { Fabricate.build(:post, raw: raw, user: user, hidden: true, hidden_reason_id: Post.hidden_reasons[:flag_threshold_reached]) }
def serialized_post_for_user(u)
s = PostSerializer.new(post, scope: Guardian.new(u), root: false)
s.add_raw = true
s.as_json
end
it "shows the raw post only if authorized to see it" do
serialized_post_for_user(user)[:raw].should == raw
serialized_post_for_user(nil)[:raw].should be_nil
serialized_post_for_user(Fabricate(:user))[:raw].should be_nil
serialized_post_for_user(Fabricate(:moderator))[:raw].should == raw
serialized_post_for_user(Fabricate(:admin))[:raw].should == raw
end
it "can view edit history only if authorized" do
serialized_post_for_user(user)[:can_view_edit_history].should == true
serialized_post_for_user(nil)[:can_view_edit_history].should == false
serialized_post_for_user(Fabricate(:user))[:can_view_edit_history].should == false
serialized_post_for_user(Fabricate(:moderator))[:can_view_edit_history].should == true
serialized_post_for_user(Fabricate(:admin))[:can_view_edit_history].should == true
end
end
end end
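Review bot: The "can view edit history only if authorized" example never sets SiteSetting.edit_history_visible_to_public, so it exercises only the authenticated branch of can_view_post_revisions? and would pass with or without the `&& !post.hidden` guard added in the guardian hunk unless that setting already defaults to true. Pin it in this context, e.g. `before { SiteSetting.edit_history_visible_to_public = true }`, and consider one non-hidden post assertion so the anonymous false is attributable to hidden rather than to the setting. The post and its author come from Fabricate.build and are unsaved; if `yours` compares ids rather than objects, nil ids on both sides could make the author case pass for the wrong reason, so a saved user for the author would make the raw expectations more trustworthy. The enclosing describe block ends at the last line of the hunk.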