Fix #5237: Deleted comments can be viewed by other users

* Fix it so non-moderators can't search deleted comments using the
  `updater`, `body`, `score`, `do_not_bump_post`, or `is_sticky` fields.
  Searching for these fields will exclude deleted comments.

* Fix it so non-moderators can search for their own deleted comments using the
  `creator` field, but not for deleted comments belonging to other users.

* Fix it so that if a regular user searches `commenter:<username>`, they
  can only see posts with undeleted comments by that user. If a moderator or
  the commenter themselves searches `commenter:<username>`, they can see all
  posts the user has commented on, including posts with deleted comments.

* Fix it so the comment count on user profiles only counts visible
  comments. Regular users can only see the number of undeleted comments
  a user has, while moderators and the commenter themselves can see the
  total number of comments.

Known issue:

* It's still possible to order deleted comments by score, which can let
  you infer the score of deleted comments.
This commit is contained in:
evazion
2022-09-22 19:02:17 -05:00
parent 88ac91f5f3
commit a442658f8a
8 changed files with 88 additions and 23 deletions


@@ -476,6 +476,16 @@ class PostQueryBuilderTest < ActiveSupport::TestCase
assert_tag_match([posts[0]], "-commenter:#{users[1].name}")
end
should "return posts with deleted comments correctly for the commenter:<name> metatag" do
user = create(:user)
c1 = create(:comment, creator: user)
c2 = create(:comment, creator: user, is_deleted: true)
assert_tag_match([c1.post], "commenter:#{user.name}", current_user: User.anonymous)
assert_tag_match([c2.post, c1.post], "commenter:#{user.name}", current_user: user)
assert_tag_match([c2.post, c1.post], "commenter:#{user.name}", current_user: create(:mod_user))
end
should "return posts for the commenter:<any|none> metatag" do
posts = create_list(:post, 2)
create(:comment, creator: create(:user, created_at: 2.weeks.ago), post: posts[0], is_deleted: false)
@@ -1553,9 +1563,16 @@ class PostQueryBuilderTest < ActiveSupport::TestCase
should "cache the count separately for different users" do
@user = create(:user, enable_private_favorites: true)
@post = as(@user) { create(:post, tag_string: "fav:#{@user.name}") }
@comment = create(:comment, post: @post, creator: @user, is_deleted: true)
assert_equal(1, PostQuery.new("fav:#{@user.name}", current_user: @user).fast_count)
assert_equal(0, PostQuery.new("fav:#{@user.name}").fast_count)
assert_equal(1, PostQuery.new("commenter:#{@user.name}", current_user: @user).fast_count)
assert_equal(0, PostQuery.new("commenter:#{@user.name}").fast_count)
assert_equal(1, PostQuery.new("comm:#{@user.name}", current_user: @user).fast_count)
assert_equal(0, PostQuery.new("comm:#{@user.name}").fast_count)
end
end
end
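Review bot: The new `should "return posts with deleted comments correctly for the commenter:<name> metatag"` block checks only the positive metatag, so nothing here pins down how `-commenter:#{user.name}` treats the deleted comment `c2` for a user who is not allowed to see it, even though the negated form is already exercised by this suite (`assert_tag_match([posts[0]], "-commenter:#{users[1].name}")` just above the insertion). If the negation is resolved with the same visibility rule as the positive form, adding `assert_tag_match([c2.post], "-commenter:#{user.name}", current_user: User.anonymous)` and `assert_tag_match([], "-commenter:#{user.name}", current_user: user)` would lock that in. The non-privileged case is also exercised only as `User.anonymous`; a logged-in user who is neither the commenter nor a moderator (the "regular user" described in the commit message) is not covered, e.g. `assert_tag_match([c1.post], "commenter:#{user.name}", current_user: create(:user))`. The enclosing `PostQueryBuilderTest` class starts outside both hunks.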