From 25978ca7544c47a0342288bce51b9de6eee1eb27 Mon Sep 17 00:00:00 2001
From: evazion
Date: Fri, 2 Dec 2022 14:44:24 -0600
Subject: [PATCH] Fix #5317: Don't allow users to flag posts they can't see.
A couple non-obvious consequences:
* Users can't flag non-rating:G posts in safe mode.
* Non-Gold users can flag Gold-only posts if they're the uploader.
---
 app/models/post_flag.rb | 1 +
 test/functional/post_flags_controller_test.rb | 10 ++++++++++
 2 files changed, 11 insertions(+)
diff --git a/app/models/post_flag.rb b/app/models/post_flag.rb
index 15f72bd86..10ad3bc2c 100644
--- a/app/models/post_flag.rb
+++ b/app/models/post_flag.rb
@@ -87,6 +87,7 @@ class PostFlag < ApplicationRecord
 errors.add(:post, "is pending and cannot be flagged") if post.is_pending? && !is_deletion
 errors.add(:post, "is deleted and cannot be flagged") if post.is_deleted? && creator != User.system # DanbooruBot is allowed to prune expired appeals
 errors.add(:post, "is already flagged") if post.is_flagged? && !is_deletion
+ errors.add(:post, "cannot be flagged") if !post.visible?(creator)
 flag = post.flags.in_cooldown.last
 if !is_deletion && !creator.is_approver? && flag.present?
diff --git a/test/functional/post_flags_controller_test.rb b/test/functional/post_flags_controller_test.rb
index 8e8826b36..93d292ddf 100644
--- a/test/functional/post_flags_controller_test.rb
+++ b/test/functional/post_flags_controller_test.rb
@@ -155,6 +155,16 @@ class PostFlagsControllerTest < ActionDispatch::IntegrationTest
 assert_equal(true, @post.reload.is_deleted?)
 assert_equal(0, @post.flags.count)
 end
+ should "not allow flagging a post that is not visible to the user" do
+ @post = create(:post, is_banned: true)
+ post_auth post_flags_path, @flagger, params: { post_flag: { post_id: @post.id, reason: "xxx" }}, as: :javascript
+ assert_response :success
+ assert_equal(false, @post.reload.is_flagged?)
+ assert_equal(0, @post.flags.count)
+ end
+
 end
 context "edit action" do
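Review bot: The new visibility check is added after the pending, deleted and already-flagged checks, so a user who cannot see the post still receives those state-specific messages alongside the generic `cannot be flagged`, which discloses the state of a post the user is not permitted to view. Moving the check to the top of the validation and returning early would leave only the generic message, e.g. `return errors.add(:post, "cannot be flagged") unless post.visible?(creator)`, which also replaces the `if !` form with `unless`. Unlike the sibling checks, this one does not exempt `is_deletion` flags or `User.system`; if `visible?` does not grant the system user sight of every post, the automated pruning path the existing comment describes would start failing validation, so that is worth confirming. The enclosing validation method starts and ends outside the hunk.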
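Review bot: The new `should` case covers only the banned-post path, while the commit description names two further consequences (safe-mode users and non-Gold uploaders of Gold-only posts) that get no coverage here; one case for each would pin that behaviour, in particular that the uploader of a Gold-only post can still flag it. The test also asserts only that no flag was created; checking that the response carries the `cannot be flagged` error would distinguish the new check from the pre-existing rejections. `assert_response :success` on a rejected request looks to depend on how the javascript format reports validation errors, which is not visible in this hunk.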