FIX: Moderators shouldn't be able to see secure deleted posts
parent
627bd08477
commit
db4c04d606
@ -335,7 +335,7 @@ class PostsController < ApplicationController
|
||||||
offset = [params[:offset].to_i, 0].max
|
offset = [params[:offset].to_i, 0].max
|
||||||
limit = [(params[:limit] || 60).to_i, 100].min
|
limit = [(params[:limit] || 60).to_i, 100].min
|
||||||
|
|
||||||
posts = user_posts(user.id, offset, limit)
|
posts = user_posts(guardian, user.id, offset: offset, limit: limit)
|
||||||
.where(id: PostAction.where(post_action_type_id: PostActionType.notify_flag_type_ids)
|
.where(id: PostAction.where(post_action_type_id: PostActionType.notify_flag_type_ids)
|
||||||
.where(disagreed_at: nil)
|
.where(disagreed_at: nil)
|
||||||
.select(:post_id))
|
.select(:post_id))
|
||||||
|
@ -351,7 +351,7 @@ class PostsController < ApplicationController
|
||||||
offset = [params[:offset].to_i, 0].max
|
offset = [params[:offset].to_i, 0].max
|
||||||
limit = [(params[:limit] || 60).to_i, 100].min
|
limit = [(params[:limit] || 60).to_i, 100].min
|
||||||
|
|
||||||
posts = user_posts(user.id, offset, limit).where.not(deleted_at: nil)
|
posts = user_posts(guardian, user.id, offset: offset, limit: limit).where.not(deleted_at: nil)
|
||||||
|
|
||||||
render_serialized(posts, AdminPostSerializer)
|
render_serialized(posts, AdminPostSerializer)
|
||||||
end
|
end
|
||||||
|
@ -389,13 +389,26 @@ class PostsController < ApplicationController
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def user_posts(user_id, offset=0, limit=60)
|
def user_posts(guardian, user_id, opts)
|
||||||
Post.includes(:user, :topic, :deleted_by, :user_actions)
|
posts = Post.includes(:user, :topic, :deleted_by, :user_actions)
|
||||||
.with_deleted
|
|
||||||
.where(user_id: user_id)
|
.where(user_id: user_id)
|
||||||
|
.with_deleted
|
||||||
.order(created_at: :desc)
|
.order(created_at: :desc)
|
||||||
.offset(offset)
|
|
||||||
.limit(limit)
|
if guardian.user.moderator?
|
||||||
|
|
||||||
|
# Awful hack, but you can't seem to remove the `default_scope` when joining
|
||||||
|
# So instead I grab the topics separately
|
||||||
|
topic_ids = posts.dup.pluck(:topic_id)
|
||||||
|
secured_category_ids = guardian.secure_category_ids
|
||||||
|
topics = Topic.where(id: topic_ids).with_deleted.where.not(archetype: 'private_message')
|
||||||
|
topics = topics.secured(guardian)
|
||||||
|
|
||||||
|
posts = posts.where(topic_id: topics.pluck(:id))
|
||||||
|
end
|
||||||
|
|
||||||
|
posts.offset(opts[:offset])
|
||||||
|
.limit(opts[:limit])
|
||||||
end
|
end
|
||||||
|
|
||||||
def params_key(params)
|
def params_key(params)
|
||||||
|
|
|
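Review bot: The gate `if guardian.user.moderator?` in `user_posts` is allow-by-default: the secured-category and private-message filter only runs when the caller is a moderator, so any caller whose guardian belongs to neither an admin nor a moderator (anything that reaches these actions without a staff check, which is not visible in this hunk) gets the unfiltered `with_deleted` scope. Inverting it to deny-by-default keeps the admin path unchanged while covering every other role, e.g. `unless guardian.user.admin?` if the User model exposes `admin?` next to `moderator?`, and a comment such as `# Only admins bypass category/PM visibility; everyone else is filtered through the guardian` would make the intent explicit. `guardian.user` is dereferenced without a nil check, so an anonymous guardian would raise rather than be filtered; worth confirming the actions are login-gated. `topic_ids = posts.dup.pluck(:topic_id)` and `topics.pluck(:id)` materialize every topic id of the user before the offset/limit is applied, so `posts.where(topic_id: topics.select(:id))` would keep the filtering in one query without touching the default_scope join problem the comment describes. The `def params_key(params)` that follows continues outside this hunk.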
@ -774,6 +774,43 @@ describe PostsController do
|
||||||
expect(response).to be_success
|
expect(response).to be_success
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "doesn't return secured categories for moderators if they don't have access" do
|
||||||
|
user = Fabricate(:user)
|
||||||
|
admin = Fabricate(:admin)
|
||||||
|
moderator = Fabricate(:moderator)
|
||||||
|
|
||||||
|
group = Fabricate(:group)
|
||||||
|
group.add(user)
|
||||||
|
group.appoint_manager(user)
|
||||||
|
|
||||||
|
secured_category = Fabricate(:private_category, group: group)
|
||||||
|
secured_post = create_post(user: user, category: secured_category)
|
||||||
|
PostDestroyer.new(admin, secured_post).destroy
|
||||||
|
|
||||||
|
log_in(:moderator)
|
||||||
|
xhr :get, :deleted_posts, username: user.username
|
||||||
|
expect(response).to be_success
|
||||||
|
|
||||||
|
data = JSON.parse(response.body)
|
||||||
|
expect(data.length).to eq(0)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "doesn't return PMs for moderators" do
|
||||||
|
user = Fabricate(:user)
|
||||||
|
admin = Fabricate(:admin)
|
||||||
|
moderator = Fabricate(:moderator)
|
||||||
|
|
||||||
|
pm_post = create_post(user: user, archetype: 'private_message', target_usernames: [admin.username])
|
||||||
|
PostDestroyer.new(admin, pm_post).destroy
|
||||||
|
|
||||||
|
log_in(:moderator)
|
||||||
|
xhr :get, :deleted_posts, username: user.username
|
||||||
|
expect(response).to be_success
|
||||||
|
|
||||||
|
data = JSON.parse(response.body)
|
||||||
|
expect(data.length).to eq(0)
|
||||||
|
end
|
||||||
|
|
||||||
it "only shows posts deleted by other users" do
|
it "only shows posts deleted by other users" do
|
||||||
user = Fabricate(:user)
|
user = Fabricate(:user)
|
||||||
admin = Fabricate(:admin)
|
admin = Fabricate(:admin)
|
||||||
|
|
|
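Review bot: Both new examples are negative-only, so they would also pass if `user_posts` returned nothing at all for moderators; a positive control is needed to show the filter is selective, e.g. in the secured-category example add the logged-in moderator to `group` (or check an admin) and `expect(data.length).to eq(1)` before the restricted case. The `moderator = Fabricate(:moderator)` local in each example is never used, since `log_in(:moderator)` appears to create its own user; either drop it or pass it to `log_in` so the asserting user is the one the example describes. A short comment above each example, such as `# moderators only see deleted posts in categories/archetypes they could read`, would tie the spec to the controller change.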
@ -22,6 +22,6 @@ Fabricator(:private_category, from: :category) do
|
||||||
user
|
user
|
||||||
after_build do |cat, transients|
|
after_build do |cat, transients|
|
||||||
cat.update!(read_restricted: true)
|
cat.update!(read_restricted: true)
|
||||||
cat.category_groups.build(group_id: transients[:group].id, permission_type: :full)
|
cat.category_groups.build(group_id: transients[:group].id, permission_type: CategoryGroup.permission_types[:full])
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|