From d82a73feed3ccb9736280628195c2cab7d297141 Mon Sep 17 00:00:00 2001
From: Sami Mazouz
Date: Thu, 7 Jul 2022 23:02:40 +0100
Subject: [PATCH] fix(approval): unapproved posts visible to all when no visibility scopers are added
Signed-off-by: Sami Mazouz
---
 .../src/Access/ScopePrivatePostVisibility.php | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/extensions/approval/src/Access/ScopePrivatePostVisibility.php b/extensions/approval/src/Access/ScopePrivatePostVisibility.php
index 070cb744f..e276bdf43 100644
--- a/extensions/approval/src/Access/ScopePrivatePostVisibility.php
+++ b/extensions/approval/src/Access/ScopePrivatePostVisibility.php
@@ -9,6 +9,7 @@
 namespace Flarum\Approval\Access;
+use Closure;
 use Flarum\Discussion\Discussion;
 use Flarum\User\User;
 use Illuminate\Database\Eloquent\Builder;
@@ -39,14 +40,23 @@ class ScopePrivatePostVisibility
 });
 }
- private function discussionWhereCanApprovePosts(User $actor)
+ /**
+ * Looks if the actor has permission to approve posts,
+ * within the discussion which the post is a part of.
+ *
+ * For example, the tags extension,
+ * turns the `approvePosts` ability into per tag basis.
+ */
+ private function discussionWhereCanApprovePosts(User $actor): Closure
 {
 return function ($query) use ($actor) {
 $query->selectRaw('1')
 ->from('discussions')
 ->whereColumn('discussions.id', 'posts.discussion_id')
 ->where(function ($query) use ($actor) {
- Discussion::query()->setQuery($query)->whereVisibleTo($actor, 'approvePosts');
+ $query->whereRaw('1 != 1')->orWhere(function ($query) use ($actor) {
+ Discussion::query()->setQuery($query)->whereVisibleTo($actor, 'approvePosts');
+ });
 });
 };
 }
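Review bot: The `whereRaw('1 != 1')` seed in the inner `where` closure of `discussionWhereCanApprovePosts()` is the access-control fix itself, yet nothing in the new code says why it is there; the added docblock only describes the permission lookup. Going by the commit subject, `whereVisibleTo($actor, 'approvePosts')` presumably adds no constraint when no scoper is registered for that ability, so the group was empty and the subquery matched every discussion. I would put a comment directly above the seed, such as `// Deny by default: with no 'approvePosts' scoper registered, whereVisibleTo() adds no constraint and this subquery would match every discussion.`, so that a later cleanup does not remove what looks like a no-op. The diffstat lists only this file, so no test pins the fail-closed behaviour; an integration test asserting that a user without the approve permission cannot see an unapproved post when no `approvePosts` scopers are registered would guard against a regression.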