From 94f628fb4c49dc34ab2fb3b8cc34becaac1dbbf0 Mon Sep 17 00:00:00 2001
From: Penar Musaraj <pmusaraj@gmail.com>
Date: Fri, 2 Nov 2018 13:54:45 -0400
Subject: [PATCH 1/2] FIX: disable flagging hidden posts

---
 .../javascripts/discourse/widgets/post-menu.js.es6     |  2 +-
 test/javascripts/widgets/post-test.js.es6              | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/discourse/widgets/post-menu.js.es6 b/app/assets/javascripts/discourse/widgets/post-menu.js.es6
index 0a1eaf0e167..bb18377c93a 100644
--- a/app/assets/javascripts/discourse/widgets/post-menu.js.es6
+++ b/app/assets/javascripts/discourse/widgets/post-menu.js.es6
@@ -109,7 +109,7 @@ registerButton("like-count", attrs => {
 });
 
 registerButton("flag", attrs => {
-  if (attrs.canFlag) {
+  if (attrs.canFlag && !attrs.hidden) {
     return {
       action: "showFlags",
       title: "post.controls.flag",
diff --git a/test/javascripts/widgets/post-test.js.es6 b/test/javascripts/widgets/post-test.js.es6
index 5c4ff36fd36..701606254b0 100644
--- a/test/javascripts/widgets/post-test.js.es6
+++ b/test/javascripts/widgets/post-test.js.es6
@@ -389,6 +389,16 @@ widgetTest(`flagging: can't flag`, {
   }
 });
 
+widgetTest(`flagging: can't flag when post is hidden`, {
+  template: '{{mount-widget widget="post" args=args}}',
+  beforeEach() {
+    this.set("args", { canFlag: true, hidden: true });
+  },
+  test(assert) {
+    assert.ok(this.$("button.create-flag").length === 0);
+  }
+});
+
 widgetTest(`read indicator`, {
   template: '{{mount-widget widget="post" args=args}}',
   beforeEach() {

From 7b3432f711511284b573bb9d3a7c932a126f330e Mon Sep 17 00:00:00 2001
From: Penar Musaraj <pmusaraj@gmail.com>
Date: Mon, 5 Nov 2018 10:00:59 -0500
Subject: [PATCH 2/2] Enforce disabling flagging hidden posts server-side

---
 lib/guardian/post_guardian.rb    | 3 +++
 spec/components/guardian_spec.rb | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/lib/guardian/post_guardian.rb b/lib/guardian/post_guardian.rb
index dd7504fa70d..d30db1972d6 100644
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@@ -40,6 +40,9 @@ module PostGuardian
       # Silenced users can't flag
       return false if is_flag && @user.silenced?
 
+      # Hidden posts can't be flagged
+      return false if is_flag && post.hidden?
+
       # post made by staff, but we don't allow staff flags
       return false if is_flag &&
         (!SiteSetting.allow_flagging_staff?) &&
diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb
index 5a05341928c..9f9da726038 100644
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@@ -116,6 +116,11 @@ describe Guardian do
       expect(Guardian.new(user).post_can_act?(post, :spam)).to be_truthy
     end
 
+    it "does not allow flagging of hidden posts" do
+      post.hidden = true
+      expect(Guardian.new(user).post_can_act?(post, :spam)).to be_falsey
+    end
+
     it "allows flagging of staff posts when allow_flagging_staff is true" do
       SiteSetting.allow_flagging_staff = true
       staff_post = Fabricate(:post, user: Fabricate(:moderator))