FIX: you should always be allowed to see actions you created

2025-02-25 18:55:32 -06:00 · 2017-06-02 14:23:56 -04:00 · 2017-06-02 14:23:56 -04:00 · b4060778d9
commit b4060778d9
parent 007873af3c
2 changed files with 29 additions and 5 deletions
--- a/app/controllers/post_action_users_controller.rb
+++ b/app/controllers/post_action_users_controller.rb
@ -11,12 +11,19 @@ class PostActionUsersController < ApplicationController

    post = finder.first
    guardian.ensure_can_see!(post)
-    guardian.ensure_can_see_post_actors!(post.topic, post_action_type_id)
+

    post_actions = post.post_actions.where(post_action_type_id: post_action_type_id)
                       .includes(:user)
                       .order('post_actions.created_at asc')

+    if !guardian.can_see_post_actors?(post.topic, post_action_type_id)
+      if !current_user
+        raise Discourse::InvalidAccess
+      end
+      post_actions = post_actions.where(user_id: current_user.id)
+    end
+
    render_serialized(post_actions.to_a, PostActionUserSerializer, root: 'post_action_users')
  end
 end
--- a/spec/controllers/post_action_users_controller_spec.rb
+++ b/spec/controllers/post_action_users_controller_spec.rb
@ -1,7 +1,25 @@
 require 'rails_helper'

 describe PostActionUsersController do
-  let!(:post) { Fabricate(:post, user: log_in) }
+  let(:post) { Fabricate(:post, user: log_in) }
+
+  context 'with render' do
+    render_views
+    it 'always allows you to see your own actions' do
+      notify_mod = PostActionType.types[:notify_moderators]
+
+      PostAction.act(post.user, post, notify_mod, message: 'well something is wrong here!')
+      PostAction.act(Fabricate(:user), post, notify_mod, message: 'well something is not wrong here!')
+
+      xhr :get, :index, id: post.id, post_action_type_id: notify_mod
+      expect(response.status).to eq(200)
+      json = JSON.parse(response.body)
+      users = json["post_action_users"]
+
+      expect(users.length).to eq(1)
+      expect(users[0]["id"]).to eq(post.user.id)
+    end
+  end

  it 'raises an error without an id' do
    expect {
@ -21,9 +39,8 @@ describe PostActionUsersController do
    expect(response).to be_forbidden
  end

-  it 'raises an error when the post action type cannot be seen' do
-    Guardian.any_instance.expects(:can_see_post_actors?).with(instance_of(Topic), PostActionType.types[:like]).returns(false)
-    xhr :get, :index, id: post.id, post_action_type_id: PostActionType.types[:like]
+  it 'raises an error when anon tries to look at an invalid action' do
+    xhr :get, :index, id: Fabricate(:post).id, post_action_type_id: PostActionType.types[:notify_moderators]
    expect(response).to be_forbidden
  end