Fix #5237: Deleted comments can be viewed by other users

* Fix it so non-moderators can't search deleted comments using the `updater`, `body`, `score`, `do_not_bump_post`, or `is_sticky` fields. Searching for these fields will exclude deleted comments. * Fix it so non-moderators can search for their own deleted comments using the `creator` field, but not for deleted comments belonging to other users. * Fix it so that if a regular user searches `commenter:<username>`, they can only see posts with undeleted comments by that user. If a moderator or the commenter themselves searches `commenter:<username>`, they can see all posts the user has commented on, including posts with deleted comments. * Fix it so the comment count on user profiles only counts visible comments. Regular users can only see the number of undeleted comments a user has, while moderators and the commenter themselves can see the total number of comments. Known issue: * It's still possible to order deleted comments by score, which can let you infer the score of deleted comments.
2022-09-22 19:02:17 -05:00
parent 88ac91f5f3
commit a442658f8a
8 changed files with 88 additions and 23 deletions
--- a/test/functional/comments_controller_test.rb
+++ b/test/functional/comments_controller_test.rb
@@ -52,23 +52,56 @@ class CommentsControllerTest < ActionDispatch::IntegrationTest
      end

      context "grouped by comment" do
-        setup do
-          @user_comment = create(:comment, post: @post, score: 10, do_not_bump_post: true, creator: @user)
-          @mod_comment = create(:comment, post: build(:post, tag_string: "touhou"), body: "blah", is_sticky: true, creator: @mod)
-          @deleted_comment = create(:comment, is_deleted: true)
-        end
-
        should "render" do
+          create(:comment)
+
          get comments_path(group_by: "comment")
          assert_response :success
        end
+      end

-        should respond_to_search(other_params: {group_by: "comment"}).with { [@deleted_comment, @mod_comment, @user_comment] }
-        should respond_to_search(body_matches: "blah").with { @mod_comment }
-        should respond_to_search(score: 10).with { @user_comment }
-        should respond_to_search(is_sticky: "true").with { @mod_comment }
-        should respond_to_search(do_not_bump_post: "true").with { @user_comment }
-        should respond_to_search(is_deleted: "true").with { @deleted_comment }
+      context "searching" do
+        setup do
+          @user_comment = create(:comment, post: @post, score: 10, do_not_bump_post: true, creator: @user)
+          @mod_comment = create(:comment, post: build(:post, tag_string: "touhou"), body: "blah", is_sticky: true, creator: @mod)
+          @deleted_comment = create(:comment, creator: create(:user, name: "deleted"), is_deleted: true, is_sticky: true, do_not_bump_post: true, score: 10, body: "blah")
+        end
+
+        context "as a regular user" do
+          setup { CurrentUser.user = @user }
+
+          should respond_to_search(other_params: {group_by: "comment"}).with { [@deleted_comment, @mod_comment, @user_comment] }
+          should respond_to_search(body_matches: "blah").with { @mod_comment }
+          should respond_to_search(score: 10).with { @user_comment }
+          should respond_to_search(is_sticky: "true").with { @mod_comment }
+          should respond_to_search(is_deleted: "true").with { @deleted_comment }
+          should respond_to_search(do_not_bump_post: "true").with { @user_comment }
+          should respond_to_search(creator_name: "deleted").with { [] }
+        end
+
+        context "as the creator of a deleted comment" do
+          setup { CurrentUser.user = @deleted_comment.creator }
+
+          should respond_to_search(other_params: {group_by: "comment"}).with { [@deleted_comment, @mod_comment, @user_comment] }
+          should respond_to_search(body_matches: "blah").with { @mod_comment }
+          should respond_to_search(score: 10).with { @user_comment }
+          should respond_to_search(is_sticky: "true").with { @mod_comment }
+          should respond_to_search(is_deleted: "true").with { @deleted_comment }
+          should respond_to_search(do_not_bump_post: "true").with { @user_comment }
+          should respond_to_search(creator_name: "deleted").with { @deleted_comment }
+        end
+
+        context "as a moderator" do
+          setup { CurrentUser.user = @mod }
+
+          should respond_to_search(other_params: {group_by: "comment"}).with { [@deleted_comment, @mod_comment, @user_comment] }
+          should respond_to_search(body_matches: "blah").with { [@deleted_comment, @mod_comment] }
+          should respond_to_search(score: 10).with { [@deleted_comment, @user_comment] }
+          should respond_to_search(is_sticky: "true").with { [@deleted_comment, @mod_comment] }
+          should respond_to_search(is_deleted: "true").with { @deleted_comment }
+          should respond_to_search(do_not_bump_post: "true").with { [@deleted_comment, @user_comment] }
+          should respond_to_search(creator_name: "deleted").with { @deleted_comment }
+        end

        context "using includes" do
          should respond_to_search(post_id: 100).with { @user_comment }