Fix #5237: Deleted comments can be viewed by other users

* Fix it so non-moderators can't search deleted comments using the
  `updater`, `body`, `score`, `do_not_bump_post`, or `is_sticky` fields.
  Searching for these fields will exclude deleted comments.

* Fix it so non-moderators can search for their own deleted comments using the
  `creator` field, but not for deleted comments belonging to other users.

* Fix it so that if a regular user searches `commenter:<username>`, they
  can only see posts with undeleted comments by that user. If a moderator or
  the commenter themselves searches `commenter:<username>`, they can see all
  posts the user has commented on, including posts with deleted comments.

* Fix it so the comment count on user profiles only counts visible
  comments. Regular users can only see the number of undeleted comments
  a user has, while moderators and the commenter themselves can see the
  total number of comments.

Known issue:

* It's still possible to order deleted comments by score, which can let
  you infer the score of deleted comments.

evazion
2022-09-22 19:02:17 -05:00
parent 88ac91f5f3
commit a442658f8a
8 changed files with 88 additions and 23 deletions


@@ -172,19 +172,19 @@ class PostQueryBuilder
when "flagger"
relation.flagger_matches(value, current_user)
when "appealer"
relation.user_subquery_matches(PostAppeal.unscoped, value)
relation.user_subquery_matches(PostAppeal.unscoped, value, current_user)
when "commenter", "comm"
relation.user_subquery_matches(Comment.unscoped, value)
relation.user_subquery_matches(Comment.unscoped, value, current_user)
when "commentaryupdater", "artcomm"
relation.user_subquery_matches(ArtistCommentaryVersion.unscoped, value, field: :updater)
relation.user_subquery_matches(ArtistCommentaryVersion.unscoped, value, current_user, field: :updater)
when "noter"
relation.user_subquery_matches(NoteVersion.unscoped.where(version: 1), value, field: :updater)
relation.user_subquery_matches(NoteVersion.unscoped.where(version: 1), value, current_user, field: :updater)
when "noteupdater"
relation.user_subquery_matches(NoteVersion.unscoped, value, field: :updater)
relation.user_subquery_matches(NoteVersion.unscoped, value, current_user, field: :updater)
when "upvoter", "upvote"
relation.user_subquery_matches(PostVote.active.positive.visible(current_user), value, field: :user)
relation.user_subquery_matches(PostVote.active.positive.visible(current_user), value, current_user, field: :user)
when "downvoter", "downvote"
relation.user_subquery_matches(PostVote.active.negative.visible(current_user), value, field: :user)
relation.user_subquery_matches(PostVote.active.negative.visible(current_user), value, current_user, field: :user)
when "random"
relation # handled in the `build` method
when *CATEGORY_COUNT_METATAGS
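Review bot: the visibility filtering for `commenter` and `appealer` is not visible at the call site in this hunk, while the `upvoter`/`downvoter` branches pre-filter with `PostVote.active.positive.visible(current_user)` and now also pass `current_user`; the commenter branch passes `Comment.unscoped` and relies entirely on `user_subquery_matches` applying the "own deleted comments or moderator" rule described in the commit message. Consider either filtering at the call site the same way (`Comment.visible(current_user)`, if such a scope exists) or adding a comment here stating that `user_subquery_matches` is responsible for hiding other users' deleted rows, so the two patterns in this `case` do not diverge later. Since `current_user` is inserted as a new positional argument ahead of the `field:` keyword, also confirm that every other caller of `user_subquery_matches` outside this hunk was updated (or that the parameter has a default), since a missed caller would raise an `ArgumentError` at runtime rather than fail at load time.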