SECURITY: only show user suggestions with regular post (#15436)

app/models/user_search.rb

@@ -83,7 +83,7 @@ class UserSearch
     # 2. in topic
     if @topic_id
       in_topic = filtered_by_term_users
-        .where('users.id IN (SELECT user_id FROM posts WHERE topic_id = ?)', @topic_id)
+        .where('users.id IN (SELECT user_id FROM posts WHERE topic_id = ? AND post_type = ?)', @topic_id, Post.types[:regular])
 
       if @searching_user.present?
         in_topic = in_topic.where('users.id <> ?', @searching_user.id)

spec/models/user_search_spec.rb

@@ -114,6 +114,7 @@ describe UserSearch do
     fab!(:post5) { Fabricate :post, user: mr_brown, topic: topic3 }
     fab!(:post6) { Fabricate :post, user: mr_white, topic: topic }
     fab!(:post7) { Fabricate :post, user: staged, topic: topic4 }
+    fab!(:post8) { Fabricate :post, user: mr_brown, topic: topic2, post_type: Post.types[:whisper] }
 
     before { mr_white.update(suspended_at: 1.day.ago, suspended_till: 1.year.from_now) }
 
@@ -170,6 +171,11 @@ describe UserSearch do
       expect(results).to eq [mr_b, mr_brown, mr_blue].map(&:username)
     end
 
+    it "does not reveal whisper users" do
+      results = search_for("", topic_id: topic2.id)
+      expect(results).to eq [mr_blue.username]
+    end
+
     it "only reveals topic participants to people with permission" do
       pm_topic = Fabricate(:private_message_post).topic