From e2cd1da26d0a3f04701e17ce2becb76e53654861 Mon Sep 17 00:00:00 2001 From: Osama Sayegh Date: Mon, 23 Dec 2024 12:48:03 +0300 Subject: [PATCH] FIX: All admins should be allowed to see deleted PM posts regardless of their mod status (#30206) Admins and moderators can see a user's deleted posts via the `/u/:username/deleted-posts` route. Admins can always see any post on the site, but that's not always the case for moderators, e.g., they can't see all PMs. So, this route accounts for that and excludes posts that a moderator wouldn't be allowed to see if they were not deleted. However, there's currently a problem with that logic where admins who also have moderation privileges, are treated the same way as moderators and prevented from seeing posts that pure moderators can't see. This commit fixes that problem and only applies the permission checks to moderators who don't have admin privileges. Internal topic: t/143107. --- app/controllers/posts_controller.rb | 2 +- spec/requests/posts_controller_spec.rb | 15 +++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb index d1ac78ecf15..96c3621f8b8 100644 --- a/app/controllers/posts_controller.rb +++ b/app/controllers/posts_controller.rb @@ -814,7 +814,7 @@ class PostsController < ApplicationController .order(created_at: :desc) end - if guardian.user.moderator? + if guardian.user.moderator? && !guardian.user.admin? # Awful hack, but you can't seem to remove the `default_scope` when joining # So instead I grab the topics separately topic_ids = posts.dup.pluck(:topic_id) diff --git a/spec/requests/posts_controller_spec.rb b/spec/requests/posts_controller_spec.rb index 439b3a1a39c..0791cfe1714 100644 --- a/spec/requests/posts_controller_spec.rb +++ b/spec/requests/posts_controller_spec.rb @@ -2492,6 +2492,21 @@ RSpec.describe PostsController do expect(data.length).to eq(0) end + it "returns PMs for admins who are also moderators" do + admin.update!(moderator: true) + + pm_post = Fabricate(:private_message_post) + PostDestroyer.new(admin, pm_post).destroy + + sign_in(admin) + + get "/posts/#{pm_post.user.username}/deleted.json" + + expect(response.status).to eq(200) + expect(response.parsed_body.size).to eq(1) + expect(response.parsed_body.first["id"]).to eq(pm_post.id) + end + it "only shows posts deleted by other users" do create_post(user: user) post_deleted_by_user = create_post(user: user)