From f0a573e1e576bde8ee391f85efa917d8370077b8 Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 5 Jul 2020 15:53:47 -0500
Subject: [PATCH] /comments.atom: fix restricted posts being leaked.

Fix thumbnail URLs of loli/shota/banned posts being leaked in /comments.atom. Restricted posts are now entirely hidden in /comments.atom. Example: https://danbooru.donmai.us/comments.atom?search[post_id]=2.

---
 app/controllers/comments_controller.rb | 1 +
 test/functional/comments_controller_test.rb | 18 +++++++++++++++---
 test/test_helper.rb | 1 +
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index d1b368514..06c186081 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -97,6 +97,7 @@ class CommentsController < ApplicationController
 if request.format.atom?
 @comments = @comments.includes(:creator, :post)
+ @comments = @comments.select { |comment| comment.post.visible? }
 elsif request.format.html?
 @comments = @comments.includes(:creator, :updater, post: :uploader)
 @comments = @comments.includes(:votes) if CurrentUser.is_member?
diff --git a/test/functional/comments_controller_test.rb b/test/functional/comments_controller_test.rb
index 43e8c2770..b0c74dbe5 100644
--- a/test/functional/comments_controller_test.rb
+++ b/test/functional/comments_controller_test.rb
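Review bot: The added `@comments.select { |comment| comment.post.visible? }` filters in Ruby after the relation is built, so any limit or pagination already applied to `@comments` (the rest of the action is outside the hunk) was computed before restricted-post comments are dropped; a page can come back short, and the gap itself reveals that comments on a restricted post exist on that page, so a relation-level filter would be preferable if `Post#visible?` has a query equivalent. The block form of `select` also turns `@comments` into an Array, so anything later in the action that expects an ActiveRecord::Relation for the atom path should be checked. If a comment can ever have a nil post, `comment.post.visible?` raises; `comment.post&.visible?` fails closed by dropping the entry instead. Since the rule is format-specific, a why-comment would help the next reader: `# The atom template renders post thumbnails, so comments on restricted (banned/loli/shota) posts are dropped from the feed entirely rather than just having the thumbnail hidden.`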
@@ -93,9 +93,21 @@ class CommentsControllerTest < ActionDispatch::IntegrationTest
 assert_response :success
 end
- should "render for atom feeds" do
- get comments_path(format: "atom")
- assert_response :success
+ context "for atom feeds" do
+ should "render" do
+ @comment = as(@user) { create(:comment, post: @post) }
+ get comments_path(format: "atom")
+ assert_response :success
+ end
+
+ should "not show comments on restricted posts" do
+ @post.update!(is_banned: true)
+ @comment = as(@user) { create(:comment, post: @post) }
+
+ get comments_path(format: "atom")
+ assert_response :success
+ assert_equal(0, response.parsed_body.css("entry").size)
+ end
 end
 end
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 6fed3f46b..0959a8ccd 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -64,6 +64,7 @@ class ActionDispatch::IntegrationTest
 extend ControllerHelper
 register_encoder :xml, response_parser: ->(body) { Nokogiri.XML(body) }
+ register_encoder :atom, response_parser: ->(body) { Nokogiri.XML(body) }
 register_encoder :html, response_parser: ->(body) { Nokogiri.HTML5(body) }
 def method_authenticated(method_name, url, user, **options)
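Review bot: The "render" test only asserts the status, so `assert_equal(0, response.parsed_body.css("entry").size)` in the restricted-post test would pass vacuously if the feed rendered no entries for any post; pin the positive case too, e.g. add `assert_equal(1, response.parsed_body.css("entry").size)` after `assert_response :success` in the "render" block. The commit message names loli/shota posts as well, but only `is_banned` is exercised here; if `Post#visible?` treats those separately, a second restricted variant would cover that path. The setup that defines `@user` and `@post`, and the enclosing `context`, are outside the hunk.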