fix(subscriptions): post notifications not getting access checked

Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
2025-08-12 03:14:33 +02:00 · 2023-01-10 15:04:02 +01:00
parent 02556c6ca6
commit e5f05166a0
3 changed files with 76 additions and 1 deletions
--- a/extensions/subscriptions/tests/integration/api/discussions/ReplyNotificationTest.php
+++ b/extensions/subscriptions/tests/integration/api/discussions/ReplyNotificationTest.php
@@ -10,7 +10,9 @@
 namespace Flarum\Subscriptions\tests\integration\api\discussions;

 use Carbon\Carbon;
+use Flarum\Extend\ModelVisibility;
 use Flarum\Group\Group;
+use Flarum\Post\Post;
 use Flarum\Testing\integration\RetrievesAuthorizedUsers;
 use Flarum\Testing\integration\TestCase;
 use Flarum\User\User;
@@ -278,4 +280,47 @@ class ReplyNotificationTest extends TestCase

        $this->assertEquals(1, $mainUser->getUnreadNotificationCount());
    }
+
+    /** @test */
+    public function replying_to_a_discussion_with_a_restricted_post_only_sends_notifications_to_allowed_users()
+    {
+        // Add visibility scoper to only allow admin
+        // to see expected new post with content containing 'restricted-test-post'.
+        $this->extend(
+            (new ModelVisibility(Post::class))
+                ->scope(function (User $actor, $query) {
+                    if (! $actor->isAdmin()) {
+                        $query->where('content', 'not like', '%restricted-test-post%');
+                    }
+                })
+        );
+
+        $this->app();
+
+        /** @var User $allowedUser */
+        $allowedUser = User::query()->find(1);
+        $normalUser = User::query()->find(2);
+
+        $this->assertEquals(0, $allowedUser->getUnreadNotificationCount());
+        $this->assertEquals(0, $normalUser->getUnreadNotificationCount());
+
+        $this->send(
+            $this->request('POST', '/api/posts', [
+                'authenticatedAs' => 3,
+                'json' => [
+                    'data' => [
+                        'attributes' => [
+                            'content' => 'restricted-test-post',
+                        ],
+                        'relationships' => [
+                            'discussion' => ['data' => ['id' => 1]],
+                        ],
+                    ],
+                ],
+            ])
+        );
+
+        $this->assertEquals(1, $allowedUser->getUnreadNotificationCount());
+        $this->assertEquals(0, $normalUser->getUnreadNotificationCount());
+    }
 }