mirror/php-flarum
1
0
Fork 0
mirror of https://github.com/flarum/core.git synced 2025-06-06 22:55:11 +02:00
Code Issues Releases Wiki Activity

fixes #1827

Browse Source 
- set default statement to block access
- added tests to confirm all scenarios work as intended
This commit is contained in:
Daniël Klabbers 2019-07-29 13:22:10 +02:00 committed by Daniël Klabbers
parent 4f1adba387
commit b150636906
2 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/Post/PostPolicy.php
View File

@ -99,6 +99,7 @@ class PostPolicy extends AbstractPolicy
->from('discussions')
->whereColumn('discussions.id', 'posts.discussion_id')
->where(function ($query) use ($actor) {
$query->whereRaw('1=0');
$this->events->dispatch(
new ScopeModelVisibility(Discussion::query()->setQuery($query), $actor, 'hidePosts')
);

50
tests/integration/api/Controller/ShowDiscussionControllerTest.php
View File

@ -14,7 +14,10 @@ namespace Flarum\Tests\integration\api\Controller;
use Carbon\Carbon;
use Flarum\Api\Controller\ShowDiscussionController;
use Flarum\Discussion\Discussion;
use Flarum\Event\ScopeModelVisibility;
use Flarum\User\User;
use Illuminate\Contracts\Events\Dispatcher;
use Illuminate\Support\Arr;
class ShowDiscussionControllerTest extends ApiControllerTestCase
{
@ -34,9 +37,11 @@ class ShowDiscussionControllerTest extends ApiControllerTestCase
['id' => 1, 'title' => 'Empty discussion', 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'first_post_id' => null, 'comment_count' => 0, 'is_private' => 0],
['id' => 2, 'title' => 'Discussion with post', 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'first_post_id' => 1, 'comment_count' => 1, 'is_private' => 0],
['id' => 3, 'title' => 'Private discussion', 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'first_post_id' => null, 'comment_count' => 0, 'is_private' => 1],
['id' => 4, 'title' => 'Discussion with hidden post', 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'first_post_id' => 2, 'comment_count' => 1, 'is_private' => 0],
],
'posts' => [
['id' => 1, 'discussion_id' => 2, 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'type' => 'comment', 'content' => '<t><p>a normal reply - too-obscure</p></t>'],
['id' => 2, 'discussion_id' => 4, 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'type' => 'comment', 'content' => '<t><p>a hidden reply - too-obscure</p></t>', 'hidden_at' => Carbon::now()->toDateTimeString()],
],
'users' => [
$this->normalUser(),
@ -77,6 +82,51 @@ class ShowDiscussionControllerTest extends ApiControllerTestCase
$this->assertEquals(404, $response->getStatusCode());
}
/**
* @test
*/
public function guest_cannot_see_hidden_posts()
{
$response = $this->callWith([], ['id' => 4]);
$json = json_decode($response->getBody()->getContents(), true);
$this->assertNull(Arr::get($json, 'data.relationships.posts'));
}
/**
* @test
*/
public function author_can_see_hidden_posts()
{
$this->actor = User::find(2);
$response = $this->callWith([], ['id' => 4]);
$json = json_decode($response->getBody()->getContents(), true);
$this->assertEquals(2, Arr::get($json, 'data.relationships.posts.data.0.id'));
}
/**
* @test
*/
public function when_allowed_guests_can_see_hidden_posts()
{
/** @var Dispatcher $events */
$events = app(Dispatcher::class);
$events->listen(ScopeModelVisibility::class, function (ScopeModelVisibility $event) {
$event->query->orWhereRaw('1=1');
});
$response = $this->callWith([], ['id' => 4]);
$json = json_decode($response->getBody()->getContents(), true);
$this->assertEquals(2, Arr::get($json, 'data.relationships.posts.data.0.id'));
}
/**
* @test
*/