From 797936d2c5839f1c2a5dd8effe130e87261cd15d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Thu, 14 Sep 2017 20:08:16 +0200
Subject: [PATCH] FIX: don't leak whisper count in user card

---
 app/controllers/users_controller.rb | 2 +-
 app/models/post.rb | 6 ++---
 lib/topic_view.rb | 6 ++---
 spec/controllers/users_controller_spec.rb | 27 +++++++++++++++++++++++
 4 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 8c35efe7ab3..6a703c6aae4 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -50,7 +50,7 @@ class UsersController < ApplicationController
     topic_id = params[:include_post_count_for].to_i
     if topic_id != 0
-      user_serializer.topic_post_count = { topic_id => Post.where(topic_id: topic_id, user_id: @user.id).count }
+      user_serializer.topic_post_count = { topic_id => Post.secured(guardian).where(topic_id: topic_id, user_id: @user.id).count }
     end
     if !params[:skip_track_visit] && (@user != current_user)
diff --git a/app/models/post.rb b/app/models/post.rb
index 57a2af64481..0ddedf7f17e 100644
--- a/app/models/post.rb
+++ b/app/models/post.rb
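Review bot: The added `Post.secured(guardian)` only narrows the count by post type, so the `+` line still reveals how many posts `@user` has in whatever topic id the caller names, including topics the viewer cannot read at all (private messages, category-restricted topics) — the only guard visible in the hunk is `topic_id != 0`. Unless topic visibility is checked before this point, load the topic and gate on it: `topic = Topic.find_by(id: topic_id)` followed by `if topic && guardian.can_see?(topic)` around the assignment, so an unreadable topic yields no entry (or an explicit 0, if the client expects the key to be present). Note also that `secured` does not exclude hidden posts — `hidden: false` lives in the separate `visible` scope in post.rb — which may or may not be intended for a card count. The enclosing action starts and ends outside the hunk.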
@@ -74,15 +74,15 @@ class Post < ActiveRecord::Base
                                    user_id: user.id) }
-  scope :by_newest, -> { order('created_at desc, id desc') }
+  scope :by_newest, -> { order('created_at DESC, id DESC') }
   scope :by_post_number, -> { order('post_number ASC') }
   scope :with_user, -> { includes(:user) }
-  scope :created_since, lambda { |time_ago| where('posts.created_at > ?', time_ago) }
+  scope :created_since, -> (time_ago) { where('posts.created_at > ?', time_ago) }
   scope :public_posts, -> { joins(:topic).where('topics.archetype <> ?', Archetype.private_message) }
   scope :private_posts, -> { joins(:topic).where('topics.archetype = ?', Archetype.private_message) }
   scope :with_topic_subtype, ->(subtype) { joins(:topic).where('topics.subtype = ?', subtype) }
   scope :visible, -> { joins(:topic).where('topics.visible = true').where(hidden: false) }
-  scope :secured, lambda { |guardian| where('posts.post_type in (?)', Topic.visible_post_types(guardian && guardian.user)) }
+  scope :secured, -> (guardian) { where('posts.post_type IN (?)', Topic.visible_post_types(guardian&.user)) }
   scope :for_mailing_list, ->(user, since) {
     q = created_since(since)
       .joins(:topic)
diff --git a/lib/topic_view.rb b/lib/topic_view.rb
index a1d8b311041..e4f68c604db 100644
--- a/lib/topic_view.rb
+++ b/lib/topic_view.rb
@@ -304,11 +304,11 @@ class TopicView
   end
   def links
-    @links ||= TopicLink.topic_map(guardian, @topic.id)
+    @links ||= TopicLink.topic_map(@guardian, @topic.id)
   end
   def link_counts
-    @link_counts ||= TopicLink.counts_for(guardian, @topic, posts)
+    @link_counts ||= TopicLink.counts_for(@guardian, @topic, posts)
   end
   # Are we the initial page load? If so, we can return extra information like
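Review bot: The rewritten `created_since` and `secured` scopes spell the lambda as `-> (time_ago)` / `-> (guardian)` with a space before the parenthesis, while `with_topic_subtype` and `for_mailing_list` in the same hunk use `->(subtype)` / `->(user, since)`; RuboCop's Layout/SpaceInLambdaLiteral flags the spaced form by default, so the file would now be inconsistent with itself. Suggest `scope :created_since, ->(time_ago) { where('posts.created_at > ?', time_ago) }` and `scope :secured, ->(guardian) { where('posts.post_type IN (?)', Topic.visible_post_types(guardian&.user)) }`. The `guardian&.user` rewrite preserves the old `guardian && guardian.user` result for a nil guardian, which is presumably the anonymous-viewer path. The scope list continues past the end of the hunk.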
@@ -454,7 +454,7 @@ class TopicView
     if @topic.present? && @topic.private_message? && @user.blank?
       raise Discourse::NotLoggedIn.new
     end
-    raise Discourse::InvalidAccess.new("can't see #{@topic}", @topic) unless guardian.can_see?(@topic)
+    raise Discourse::InvalidAccess.new("can't see #{@topic}", @topic) unless @guardian.can_see?(@topic)
   end
   def get_minmax_ids(post_number)
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index d784a1aef89..3be442e947b 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -88,6 +88,33 @@ describe UsersController do
     end
   end
+  describe "include_post_count_for" do
+
+    let(:admin) { Fabricate(:admin) }
+    let(:topic) { Fabricate(:topic) }
+
+    before do
+      Fabricate(:post, user: user, topic: topic)
+      Fabricate(:post, user: admin, topic: topic)
+      Fabricate(:post, user: admin, topic: topic, post_type: Post.types[:whisper])
+    end
+
+    it "includes only visible posts" do
+      get :show, username: admin.username, include_post_count_for: topic.id, format: :json
+      topic_post_count = JSON.parse(response.body).dig("user", "topic_post_count")
+      expect(topic_post_count[topic.id.to_s]).to eq(1)
+    end
+
+    it "includes all post types for staff members" do
+      log_in_user(admin)
+
+      get :show, username: admin.username, include_post_count_for: topic.id, format: :json
+      topic_post_count = JSON.parse(response.body).dig("user", "topic_post_count")
+      expect(topic_post_count[topic.id.to_s]).to eq(2)
+    end
+
+  end
+
 end
 end
 end
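Review bot: The two new examples cover an anonymous viewer (count 1) and the admin viewing their own card (count 2), but not a logged-in non-staff user, which is the third distinct input to `Topic.visible_post_types(guardian&.user)` — a real user object rather than nil — and the case a regression in that helper would most plausibly miss. Nothing here exercises a topic the viewer cannot see either, so the spec cannot tell whether `include_post_count_for` still reports counts for private or restricted topics. `user` referenced in the `before` block is presumably a `let` defined earlier in the file, and the enclosing `describe UsersController` starts and ends outside the hunk. I would add a non-staff example alongside the other two:

```ruby
    it "hides whispers from non-staff members" do
      log_in_user(user)

      get :show, username: admin.username, include_post_count_for: topic.id, format: :json
      topic_post_count = JSON.parse(response.body).dig("user", "topic_post_count")
      expect(topic_post_count[topic.id.to_s]).to eq(1)
    end
```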