/comments.atom: fix restricted posts being leaked.

Fix thumbnail URLs of loli/shota/banned posts being leaked in
/comments.atom. Restricted posts are now entirely hidden in
/comments.atom.

Example: https://danbooru.donmai.us/comments.atom?search[post_id]=2.

app/controllers/comments_controller.rb

@@ -97,6 +97,7 @@ class CommentsController < ApplicationController
 
     if request.format.atom?
       @comments = @comments.includes(:creator, :post)
+      @comments = @comments.select { |comment| comment.post.visible? }
     elsif request.format.html?
       @comments = @comments.includes(:creator, :updater, post: :uploader)
       @comments = @comments.includes(:votes) if CurrentUser.is_member?

test/functional/comments_controller_test.rb

@@ -93,9 +93,21 @@ class CommentsControllerTest < ActionDispatch::IntegrationTest
         assert_response :success
       end
 
-      should "render for atom feeds" do
+      context "for atom feeds" do
-        get comments_path(format: "atom")
+        should "render" do
-        assert_response :success
+          @comment = as(@user) { create(:comment, post: @post) }
+          get comments_path(format: "atom")
+          assert_response :success
+        end
+
+        should "not show comments on restricted posts" do
+          @post.update!(is_banned: true)
+          @comment = as(@user) { create(:comment, post: @post) }
+
+          get comments_path(format: "atom")
+          assert_response :success
+          assert_equal(0, response.parsed_body.css("entry").size)
+        end
       end
     end
 

test/test_helper.rb

@@ -64,6 +64,7 @@ class ActionDispatch::IntegrationTest
   extend ControllerHelper
 
   register_encoder :xml, response_parser: ->(body) { Nokogiri.XML(body) }
+  register_encoder :atom, response_parser: ->(body) { Nokogiri.XML(body) }
   register_encoder :html, response_parser: ->(body) { Nokogiri.HTML5(body) }
 
   def method_authenticated(method_name, url, user, **options)