
fix: prevent users from seeing their own flags (#4167)

This commit is contained in:
Sami Mazouz
2025-01-31 09:12:12 +01:00
committed by GitHub
parent 670aa2e236
commit cf7ef48906
4 changed files with 7 additions and 9 deletions


@@ -37,10 +37,8 @@ class ScopeFlagVisibility
if ($actor->hasPermission('discussion.viewFlags')) { if ($actor->hasPermission('discussion.viewFlags')) {
$query->orWhereDoesntHave('post.discussion.tags'); $query->orWhereDoesntHave('post.discussion.tags');
} }
} } elseif (! $actor->hasPermission('discussion.viewFlags')) {
$query->whereRaw('1 = 0');
if (! $actor->hasPermission('discussion.viewFlags')) {
$query->orWhere('flags.user_id', $actor->id);
} }
}); });
} }
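Review bot: The new `elseif` only denies flags when the outer condition above the hunk (presumably the tags branch) is false; in that outer branch an actor without `discussion.viewFlags` no longer receives any explicit deny, and whether the tag-scoped conditions earlier in the closure already exclude the actor's own flags is not visible in this hunk — the updated ListWithTagsTest suggests they do, but a short comment at the branch would spare the next reader the same trace. The always-false predicate is a fixed literal, so `whereRaw` is injection-safe here, yet it reads as a smell without a stated reason; I would write `$query->whereRaw('1 = 0'); // no discussion.viewFlags: hide every flag, including the actor's own`. Both the enclosing closure and the outer `if` start before the hunk.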


@@ -96,7 +96,7 @@ class ListTest extends TestCase
} }
#[Test] #[Test]
public function regular_user_sees_own_flags_of_visible_posts() public function regular_user_does_not_see_own_flags_of_visible_posts()
{ {
$response = $this->send( $response = $this->send(
$this->request('GET', '/api/flags', [ $this->request('GET', '/api/flags', [
@@ -109,7 +109,7 @@ class ListTest extends TestCase
$data = json_decode($response->getBody()->getContents(), true)['data']; $data = json_decode($response->getBody()->getContents(), true)['data'];
$ids = Arr::pluck($data, 'id'); $ids = Arr::pluck($data, 'id');
$this->assertEqualsCanonicalizing(['2', '4'], $ids); $this->assertEqualsCanonicalizing([], $ids);
} }
#[Test] #[Test]
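Review bot: The `assertEqualsCanonicalizing([], $ids)` that now ends `regular_user_does_not_see_own_flags_of_visible_posts` passes just as well if the fixture simply contains no flags by this user, so on its own the test no longer proves the deny path is exercised. The removed expectation `['2', '4']` shows the fixture does hold such flags today, but nothing in the test pins that; consider a preceding assertion that the actor's flags exist in the database (the flag model and the acting user id are set up above the hunk), or a companion test that requests the same list as an actor with `discussion.viewFlags` and expects `['2', '4']`. Whether the response status is asserted is outside the hunk.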


@@ -122,7 +122,7 @@ class ListWithTagsTest extends TestCase
} }
#[Test] #[Test]
public function regular_user_sees_own_flags() public function regular_user_does_not_see_own_flags()
{ {
$response = $this->send( $response = $this->send(
$this->request('GET', '/api/flags', [ $this->request('GET', '/api/flags', [
@@ -135,7 +135,7 @@ class ListWithTagsTest extends TestCase
$data = json_decode($response->getBody()->getContents(), true)['data']; $data = json_decode($response->getBody()->getContents(), true)['data'];
$ids = Arr::pluck($data, 'id'); $ids = Arr::pluck($data, 'id');
$this->assertEqualsCanonicalizing(['2', '4'], $ids); $this->assertEqualsCanonicalizing([], $ids);
} }
#[Test] #[Test]


@@ -144,7 +144,7 @@ class IncludeFlagsVisibilityTest extends TestCase
'user_with_general_permission_sees_where_unrestricted_tag' => [2, [6, 7, 8]], 'user_with_general_permission_sees_where_unrestricted_tag' => [2, [6, 7, 8]],
'user_with_tag1_permission_sees_tag1_flags' => [3, [1, 2, 3, 4, 5]], 'user_with_tag1_permission_sees_tag1_flags' => [3, [1, 2, 3, 4, 5]],
'normal_user_sees_none' => [4, []], 'normal_user_sees_none' => [4, []],
'normal_user_sees_own' => [5, [2, 7, 4, 8]], 'normal_user_does_not_see_own' => [5, []],
]; ];
} }
} }
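Review bot: After this change the `normal_user_does_not_see_own` dataset expects the same `[]` as `normal_user_sees_none`, so only the dataset name tells a reader why user 5 is a distinct case from user 4; the removed expectation `[2, 7, 4, 8]` suggests user 5 is the author of those flags in the fixture, which is exactly what makes the case meaningful. I would keep that intent on the line: `'normal_user_does_not_see_own' => [5, []], // user 5 reported flags 2, 4, 7, 8 (per fixture) and must still see none`. The data provider method starts above the hunk.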