diff --git a/src/Post/PostPolicy.php b/src/Post/PostPolicy.php
index c0b1a28c3..46452eae4 100644
--- a/src/Post/PostPolicy.php
+++ b/src/Post/PostPolicy.php
@@ -99,6 +99,7 @@ class PostPolicy extends AbstractPolicy
 ->from('discussions')
 ->whereColumn('discussions.id', 'posts.discussion_id')
 ->where(function ($query) use ($actor) {
+ $query->whereRaw('1=0');
 $this->events->dispatch(
 new ScopeModelVisibility(Discussion::query()->setQuery($query), $actor, 'hidePosts')
 );
diff --git a/tests/integration/api/Controller/ShowDiscussionControllerTest.php b/tests/integration/api/Controller/ShowDiscussionControllerTest.php
index db9da7c67..edda8999f 100644
--- a/tests/integration/api/Controller/ShowDiscussionControllerTest.php
+++ b/tests/integration/api/Controller/ShowDiscussionControllerTest.php
@@ -14,7 +14,10 @@ namespace Flarum\Tests\integration\api\Controller;
 use Carbon\Carbon;
 use Flarum\Api\Controller\ShowDiscussionController;
 use Flarum\Discussion\Discussion;
+use Flarum\Event\ScopeModelVisibility;
 use Flarum\User\User;
+use Illuminate\Contracts\Events\Dispatcher;
+use Illuminate\Support\Arr;
 
 class ShowDiscussionControllerTest extends ApiControllerTestCase
 {
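Review bot: The added `$query->whereRaw('1=0');` turns the nested where for the 'hidePosts' scope into a default-deny, but nothing in the closure says so, and a listener that narrows with a plain `where*` (instead of `orWhere*`, as the new test does) is ANDed with the false condition and can never grant visibility. A comment on the added line would make the contract explicit: `// Default-deny: a listener must use orWhere* to make hidden posts visible; a plain where* is ANDed with 1=0 and has no effect.` Presumably this also closes the case where no listener is registered and the previously empty nested where imposed no constraint on the subquery at all; if that is the fix, a second sentence in the comment saying so would help the next reader. The enclosing method starts and ends outside the hunk.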
@@ -34,9 +37,11 @@ class ShowDiscussionControllerTest extends ApiControllerTestCase
 ['id' => 1, 'title' => 'Empty discussion', 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'first_post_id' => null, 'comment_count' => 0, 'is_private' => 0],
 ['id' => 2, 'title' => 'Discussion with post', 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'first_post_id' => 1, 'comment_count' => 1, 'is_private' => 0],
 ['id' => 3, 'title' => 'Private discussion', 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'first_post_id' => null, 'comment_count' => 0, 'is_private' => 1],
+ ['id' => 4, 'title' => 'Discussion with hidden post', 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'first_post_id' => 2, 'comment_count' => 1, 'is_private' => 0],
 ],
 'posts' => [
 ['id' => 1, 'discussion_id' => 2, 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'type' => 'comment', 'content' => '

a normal reply - too-obscure

'],
+ ['id' => 2, 'discussion_id' => 4, 'created_at' => Carbon::now()->toDateTimeString(), 'user_id' => 2, 'type' => 'comment', 'content' => '

a hidden reply - too-obscure

', 'hidden_at' => Carbon::now()->toDateTimeString()],
 ],
 'users' => [
 $this->normalUser(),
@@ -77,6 +82,51 @@ class ShowDiscussionControllerTest extends ApiControllerTestCase
 $this->assertEquals(404, $response->getStatusCode());
 }
 
+ /**
+ * @test
+ */
+ public function guest_cannot_see_hidden_posts()
+ {
+ $response = $this->callWith([], ['id' => 4]);
+
+ $json = json_decode($response->getBody()->getContents(), true);
+
+ $this->assertNull(Arr::get($json, 'data.relationships.posts'));
+ }
+
+ /**
+ * @test
+ */
+ public function author_can_see_hidden_posts()
+ {
+ $this->actor = User::find(2);
+
+ $response = $this->callWith([], ['id' => 4]);
+
+ $json = json_decode($response->getBody()->getContents(), true);
+
+ $this->assertEquals(2, Arr::get($json, 'data.relationships.posts.data.0.id'));
+ }
+
+ /**
+ * @test
+ */
+ public function when_allowed_guests_can_see_hidden_posts()
+ {
+ /** @var Dispatcher $events */
+ $events = app(Dispatcher::class);
+
+ $events->listen(ScopeModelVisibility::class, function (ScopeModelVisibility $event) {
+ $event->query->orWhereRaw('1=1');
+ });
+
+ $response = $this->callWith([], ['id' => 4]);
+
+ $json = json_decode($response->getBody()->getContents(), true);
+
+ $this->assertEquals(2, Arr::get($json, 'data.relationships.posts.data.0.id'));
+ }
+
 /**
 * @test
 */
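Review bot: `when_allowed_guests_can_see_hidden_posts` registers an `orWhereRaw('1=1')` listener on the application's Dispatcher and never removes it; unless the test case rebuilds the container for every test (not visible here), the listener survives into later tests and makes the outcome of `guest_cannot_see_hidden_posts` depend on test order. The listener also opens every ScopeModelVisibility dispatch rather than only the 'hidePosts' one (the third constructor argument in the PostPolicy hunk), so it exercises more than the behaviour under review; a check on the event's scope inside the closure, or a tear-down that forgets the listener, would isolate it. Separately, `guest_cannot_see_hidden_posts` asserts that the whole `data.relationships.posts` key is absent, so a serializer that emits an empty `data` list would fail the test even though no hidden post leaks; `$this->assertEmpty(Arr::get($json, 'data.relationships.posts.data'));` pins the property that matters.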