From b4060778d921e96ab49ec3e7feec3e5b0e5e0a0f Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 2 Jun 2017 14:23:56 -0400
Subject: [PATCH] FIX: you should always be allowed to see actions you created

---
 .../post_action_users_controller.rb | 9 ++++++-
 .../post_action_users_controller_spec.rb | 25 ++++++++++++++++---
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/app/controllers/post_action_users_controller.rb b/app/controllers/post_action_users_controller.rb
index 5ea95d3c329..e9e6c054805 100644
--- a/app/controllers/post_action_users_controller.rb
+++ b/app/controllers/post_action_users_controller.rb
@@ -11,12 +11,19 @@ class PostActionUsersController < ApplicationController
 post = finder.first
 guardian.ensure_can_see!(post)
- guardian.ensure_can_see_post_actors!(post.topic, post_action_type_id)
+
 post_actions = post.post_actions.where(post_action_type_id: post_action_type_id)
 .includes(:user)
 .order('post_actions.created_at asc')
+ if !guardian.can_see_post_actors?(post.topic, post_action_type_id)
+ if !current_user
+ raise Discourse::InvalidAccess
+ end
+ post_actions = post_actions.where(user_id: current_user.id)
+ end
+
 render_serialized(post_actions.to_a, PostActionUserSerializer, root: 'post_action_users')
 end
 end
diff --git a/spec/controllers/post_action_users_controller_spec.rb b/spec/controllers/post_action_users_controller_spec.rb
index c915b5e5b55..121df7a1324 100644
--- a/spec/controllers/post_action_users_controller_spec.rb
+++ b/spec/controllers/post_action_users_controller_spec.rb
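Review bot: The added permission branch nests two negated conditions (`if !guardian.can_see_post_actors?` wrapping `if !current_user`) where guard clauses would make the authorization rule readable at a glance: `unless guardian.can_see_post_actors?(post.topic, post_action_type_id)` / `raise Discourse::InvalidAccess unless current_user` / `post_actions = post_actions.where(user_id: current_user.id)`. A one-line comment above the branch should record the rule the commit title states, e.g. `# Users who may not see who acted (e.g. flaggers) are still shown their own actions; anonymous requests get nothing`. Note the behaviour change for logged-in users without permission: they now receive 200 with a possibly empty list instead of the 403 that the removed spec expected from `ensure_can_see_post_actors!`, and the filter is correctly applied to the relation server-side rather than left to the serializer. If `ensure_can_see_post_actors!` has no remaining callers after this change it is presumably dead code in Guardian — worth checking. The head of the `index` method lies outside this hunk.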
@@ -1,7 +1,25 @@
 require 'rails_helper'
 describe PostActionUsersController do
- let!(:post) { Fabricate(:post, user: log_in) }
+ let(:post) { Fabricate(:post, user: log_in) }
+
+ context 'with render' do
+ render_views
+ it 'always allows you to see your own actions' do
+ notify_mod = PostActionType.types[:notify_moderators]
+
+ PostAction.act(post.user, post, notify_mod, message: 'well something is wrong here!')
+ PostAction.act(Fabricate(:user), post, notify_mod, message: 'well something is not wrong here!')
+
+ xhr :get, :index, id: post.id, post_action_type_id: notify_mod
+ expect(response.status).to eq(200)
+ json = JSON.parse(response.body)
+ users = json["post_action_users"]
+
+ expect(users.length).to eq(1)
+ expect(users[0]["id"]).to eq(post.user.id)
+ end
+ end
 it 'raises an error without an id' do
 expect {
@@ -21,9 +39,8 @@ describe PostActionUsersController do
 expect(response).to be_forbidden
 end
- it 'raises an error when the post action type cannot be seen' do
- Guardian.any_instance.expects(:can_see_post_actors?).with(instance_of(Topic), PostActionType.types[:like]).returns(false)
- xhr :get, :index, id: post.id, post_action_type_id: PostActionType.types[:like]
+ it 'raises an error when anon tries to look at an invalid action' do
+ xhr :get, :index, id: Fabricate(:post).id, post_action_type_id: PostActionType.types[:notify_moderators]
 expect(response).to be_forbidden
 end
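Review bot: The anonymity of the new `'raises an error when anon tries to look at an invalid action'` example in the second hunk is implicit: no user is logged in only because the example requests `Fabricate(:post)` instead of the `post` let, and because the first hunk turned that let from `let!` into a lazy `let` so `log_in` no longer runs for every example. Anyone later referencing `post` in that example, or reverting to `let!`, would silently turn it into an authenticated request and change what the example verifies. A comment in the example would pin this down: `# no log_in here on purpose: referencing the lazy post let would authenticate this request`. The title could also say what is exercised, since the action type itself is valid and only seeing its actors is restricted, e.g. `'is forbidden when anon looks at actors of a restricted action'`. In the first hunk, `users[0]["id"]` reads more idiomatically as `users.first["id"]`.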