fixes #1827

- set default statement to block access
- added tests to confirm all scenarios work as intended

framework/core/src/Post/PostPolicy.php

@@ -99,6 +99,7 @@ class PostPolicy extends AbstractPolicy
                             ->from('discussions')
                             ->whereColumn('discussions.id', 'posts.discussion_id')
                             ->where(function ($query) use ($actor) {
+                                $query->whereRaw('1=0');
                                 $this->events->dispatch(
                                     new ScopeModelVisibility(Discussion::query()->setQuery($query), $actor, 'hidePosts')
                                 );

framework/core/tests/integration/api/Controller/ShowDiscussionControllerTest.php

@@ -14,7 +14,10 @@ namespace Flarum\Tests\integration\api\Controller;
 use Carbon\Carbon;
 use Flarum\Api\Controller\ShowDiscussionController;
 use Flarum\Discussion\Discussion;
+use Flarum\Event\ScopeModelVisibility;
 use Flarum\User\User;
+use Illuminate\Contracts\Events\Dispatcher;
+use Illuminate\Support\Arr;
 
 class ShowDiscussionControllerTest extends ApiControllerTestCase
 {
@@ -34,9 +37,11 @@ class ShowDiscussionControllerTest extends ApiControllerTestCase
                 ['id' => 1, 'title' => 'Empty discussion', 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'first_post_id' => null, 'comment_count' => 0, 'is_private' => 0],
                 ['id' => 2, 'title' => 'Discussion with post', 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'first_post_id' => 1, 'comment_count' => 1, 'is_private' => 0],
                 ['id' => 3, 'title' => 'Private discussion', 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'first_post_id' => null, 'comment_count' => 0, 'is_private' => 1],
+                ['id' => 4, 'title' => 'Discussion with hidden post', 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'first_post_id' => 2, 'comment_count' => 1, 'is_private' => 0],
             ],
             'posts' => [
                 ['id' => 1, 'discussion_id' => 2, 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'type' => 'comment', 'content' => '<t><p>a normal reply - too-obscure</p></t>'],
+                ['id' => 2, 'discussion_id' => 4, 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'type' => 'comment', 'content' => '<t><p>a hidden reply - too-obscure</p></t>', 'hidden_at' => Carbon::now()->toDateTimeString()],
             ],
             'users' => [
                 $this->normalUser(),
@@ -77,6 +82,51 @@ class ShowDiscussionControllerTest extends ApiControllerTestCase
         $this->assertEquals(404, $response->getStatusCode());
     }
 
+    /**
+     * @test
+     */
+    public function guest_cannot_see_hidden_posts()
+    {
+        $response = $this->callWith([], ['id' => 4]);
+
+        $json = json_decode($response->getBody()->getContents(), true);
+
+        $this->assertNull(Arr::get($json, 'data.relationships.posts'));
+    }
+
+    /**
+     * @test
+     */
+    public function author_can_see_hidden_posts()
+    {
+        $this->actor = User::find(2);
+
+        $response = $this->callWith([], ['id' => 4]);
+
+        $json = json_decode($response->getBody()->getContents(), true);
+
+        $this->assertEquals(2, Arr::get($json, 'data.relationships.posts.data.0.id'));
+    }
+
+    /**
+     * @test
+     */
+    public function when_allowed_guests_can_see_hidden_posts()
+    {
+        /** @var Dispatcher $events */
+        $events = app(Dispatcher::class);
+
+        $events->listen(ScopeModelVisibility::class, function (ScopeModelVisibility $event) {
+            $event->query->orWhereRaw('1=1');
+        });
+
+        $response = $this->callWith([], ['id' => 4]);
+
+        $json = json_decode($response->getBody()->getContents(), true);
+
+        $this->assertEquals(2, Arr::get($json, 'data.relationships.posts.data.0.id'));
+    }
+
     /**
      * @test
      */