From 47ecf034a7b7014e48138f5ec1e68a0422c8d060 Mon Sep 17 00:00:00 2001 From: evazion Date: Tue, 21 Mar 2017 17:09:56 -0500 Subject: [PATCH 1/3] /posts/:id/events - fix exception when viewed by mod. NoMethodError exception raised undefined method `creator' for # Did you mean? creator_id app/views/post_events/index.html.erb:23:in `block in _app_views_post_events_index_html_erb__2088986421112502721_70150054247640' app/views/post_events/index.html.erb:18:in `each' app/views/post_events/index.html.erb:18:in `_app_views_post_events_index_html_erb__2088986421112502721_70150054247640' app/controllers/post_events_controller.rb:6:in `index' --- app/models/post_event.rb | 2 +- test/functional/post_events_controller_test.rb | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/app/models/post_event.rb b/app/models/post_event.rb index d2159954c..39d7529a8 100644 --- a/app/models/post_event.rb +++ b/app/models/post_event.rb @@ -4,7 +4,7 @@ class PostEvent include ActiveModel::Serializers::Xml attr_accessor :event - delegate :creator_id, :reason, :is_resolved, :created_at, to: :event + delegate :creator, :creator_id, :reason, :is_resolved, :created_at, to: :event def self.find_for_post(post_id) post = Post.find(post_id) diff --git a/test/functional/post_events_controller_test.rb b/test/functional/post_events_controller_test.rb index 3173811a4..0129198b2 100644 --- a/test/functional/post_events_controller_test.rb +++ b/test/functional/post_events_controller_test.rb @@ -25,6 +25,11 @@ class PostEventsControllerTest < ActionController::TestCase get :index, {:post_id => @post.id}, {:user_id => CurrentUser.user.id} assert_response :ok end + + should "render for mods" do + get :index, {:post_id => @post.id}, {:user_id => FactoryGirl.create(:moderator_user).id } + assert_response :success + end end context "GET /posts/:post_id/events.xml" do From 2aa3f9ceba8adaa3cc38bd0ff2f21c6727b97b7a Mon Sep 17 00:00:00 2001 
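Review bot: The added "render for mods" case asserts only `assert_response :success`, so it pins that the page no longer raises but not what a moderator is actually shown. Because the exception occurred only for moderators, the template presumably branches on the viewer's role around `creator`; asserting that the creator is rendered for a moderator and absent for the regular user in the case above would guard that role check as well. The `GET /posts/:post_id/events.xml` context that begins at the end of the hunk gets no moderator case. The sibling test uses `assert_response :ok`, and using the same symbol here would keep the file consistent.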
From: evazion Date: Tue, 21 Mar 2017 17:11:53 -0500 Subject: [PATCH 2/3] /moderator/dashboard: fix exception when PostArchive isn't enabled. NoMethodError exception raised undefined method `each' for nil:NilClass app/views/moderator/dashboards/_activity_tag.html.erb:10:in `_app_views_moderator_dashboards__activity_tag_html_erb__4366063041301266690_47304449138520' app/views/moderator/dashboards/show.html.erb:10:in `_app_views_moderator_dashboards_show_html_erb___734721021521262965_47304462731220' --- app/logical/moderator/dashboard/queries/tag.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/logical/moderator/dashboard/queries/tag.rb b/app/logical/moderator/dashboard/queries/tag.rb index 72999326a..f87434fac 100644 --- a/app/logical/moderator/dashboard/queries/tag.rb +++ b/app/logical/moderator/dashboard/queries/tag.rb @@ -5,7 +5,7 @@ module Moderator attr_reader :user, :count def self.all(min_date, max_level) - return unless PostArchive.enabled? + return [] unless PostArchive.enabled? records = PostArchive.where("updated_at > ?", min_date).group(:updater).count.map do |user, count| new(user, count) From d1debecd0bb8b7ad1837be342923be587209bcc6 Mon Sep 17 00:00:00 2001 From: evazion Date: Tue, 21 Mar 2017 17:15:58 -0500 Subject: [PATCH 3/3] Fix XSS in post thumbnail data attributes. --- app/presenters/post_presenter.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/presenters/post_presenter.rb b/app/presenters/post_presenter.rb index f305e4eb9..6290bef43 100644 --- a/app/presenters/post_presenter.rb +++ b/app/presenters/post_presenter.rb @@ -88,8 +88,8 @@ class PostPresenter < Presenter data-file-url="#{post.file_url}" data-large-file-url="#{post.large_file_url}" data-preview-file-url="#{post.preview_file_url}" - data-source="#{post.source}" - data-normalized-source="#{post.normalized_source}" + data-source="#{h(post.source}" + data-normalized-source="#{h(post.normalized_source)}" }.html_safe end
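Review bot: The new `data-source` line reads `#{h(post.source}` with no closing parenthesis before the brace, so as shown the interpolation is unbalanced and the file would not parse; it should be `data-source="#{h(post.source)}"`, matching the `data-normalized-source` line below it. The neighbouring `data-file-url`, `data-large-file-url` and `data-preview-file-url` attributes are still interpolated raw into a string that is then marked `.html_safe`; if any of those values can carry user-influenced text they need `h()` too, and escaping every interpolation in this template would make the block safe by construction. The commit touches only this file, so a presenter test that feeds a source containing a double quote and asserts the rendered attribute is escaped would keep the fix from regressing. The enclosing method starts above the hunk.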