SECURITY: Unread post notifications should respect whispers

2015-10-19 16:31:48 -04:00 · 2015-10-19 16:31:48 -04:00 · eacd75bcf8
parent 32bc9a8f93
commit eacd75bcf8
2 changed files with 16 additions and 1 deletions
--- a/app/services/post_alerter.rb
+++ b/app/services/post_alerter.rb
@ -51,7 +51,8 @@ class PostAlerter
  end

  def unread_posts(user, topic)
-    Post.where('post_number > COALESCE((
+    Post.secured(Guardian.new(user))
+        .where('post_number > COALESCE((
               SELECT last_read_post_number FROM topic_users tu
               WHERE tu.user_id = ? AND tu.topic_id = ? ),0)',
                user.id, topic.id)
--- a/spec/services/post_alerter_spec.rb
+++ b/spec/services/post_alerter_spec.rb
@ -9,6 +9,20 @@ describe PostAlerter do
    PostAlerter.post_created(post)
  end

+  context "unread" do
+    it "does not return whispers as unread posts" do
+      op = Fabricate(:post)
+      whisper = Fabricate(:post, raw: 'this is a whisper post',
+                                 user: Fabricate(:admin),
+                                 topic: op.topic,
+                                 reply_to_post_number: op.post_number,
+                                 post_type: Post.types[:whisper])
+
+
+      expect(PostAlerter.new.first_unread_post(op.user, op.topic)).to be_blank
+    end
+  end
+
  context 'likes' do
    it 'does not double notify users on likes' do
      ActiveRecord::Base.observers.enable :all