Fix #5317: Don't allow users to flag posts they can't see.

A couple non-obvious consequences: * Users can't flag non-rating:G posts in safe mode. * Non-Gold users can flag Gold-only posts if they're the uploader.
2022-12-02 14:44:24 -06:00
parent e11cd288b9
commit 25978ca754
2 changed files with 11 additions and 0 deletions
--- a/app/models/post_flag.rb
+++ b/app/models/post_flag.rb
@@ -87,6 +87,7 @@ class PostFlag < ApplicationRecord
    errors.add(:post, "is pending and cannot be flagged") if post.is_pending? && !is_deletion
    errors.add(:post, "is deleted and cannot be flagged") if post.is_deleted? && creator != User.system # DanbooruBot is allowed to prune expired appeals
    errors.add(:post, "is already flagged") if post.is_flagged? && !is_deletion
+    errors.add(:post, "cannot be flagged") if !post.visible?(creator)

    flag = post.flags.in_cooldown.last
    if !is_deletion && !creator.is_approver? && flag.present?
--- a/test/functional/post_flags_controller_test.rb
+++ b/test/functional/post_flags_controller_test.rb
@@ -155,6 +155,16 @@ class PostFlagsControllerTest < ActionDispatch::IntegrationTest
        assert_equal(true, @post.reload.is_deleted?)
        assert_equal(0, @post.flags.count)
      end
+
+      should "not allow flagging a post that is not visible to the user" do
+        @post = create(:post, is_banned: true)
+        post_auth post_flags_path, @flagger, params: { post_flag: { post_id: @post.id, reason: "xxx" }}, as: :javascript
+
+        assert_response :success
+        assert_equal(false, @post.reload.is_flagged?)
+        assert_equal(0, @post.flags.count)
+      end
+
    end

    context "edit action" do