diff --git a/app/controllers/favorite_groups_controller.rb b/app/controllers/favorite_groups_controller.rb
index 21b4afc0b..e56958e51 100644
--- a/app/controllers/favorite_groups_controller.rb
+++ b/app/controllers/favorite_groups_controller.rb
@@ -13,6 +13,7 @@ class FavoriteGroupsController < ApplicationController
 
 def show
 @favorite_group = FavoriteGroup.find(params[:id])
+ check_read_privilege(@favorite_group)
 @post_set = PostSets::FavoriteGroup.new(@favorite_group, params[:page])
 respond_with(@favorite_group)
 end
@@ -37,13 +38,13 @@ class FavoriteGroupsController < ApplicationController
 
 def edit
 @favorite_group = FavoriteGroup.find(params[:id])
- check_privilege(@favorite_group)
+ check_write_privilege(@favorite_group)
 respond_with(@favorite_group)
 end
 
 def update
 @favorite_group = FavoriteGroup.find(params[:id])
- check_privilege(@favorite_group)
+ check_write_privilege(@favorite_group)
 @favorite_group.update_attributes(params[:favorite_group])
 unless @favorite_group.errors.any?
 flash[:notice] = "Favorite group updated"
@@ -53,7 +54,7 @@ class FavoriteGroupsController < ApplicationController
 
 def destroy
 @favorite_group = FavoriteGroup.find(params[:id])
- check_privilege(@favorite_group)
+ check_write_privilege(@favorite_group)
 @favorite_group.destroy
 flash[:notice] = "Favorite group deleted"
 redirect_to favorite_groups_path
@@ -61,13 +62,17 @@ class FavoriteGroupsController < ApplicationController
 
 def add_post
 @favorite_group = FavoriteGroup.find(params[:id])
- check_privilege(@favorite_group)
+ check_write_privilege(@favorite_group)
 @post = Post.find(params[:post_id])
 @favorite_group.add!(@post.id)
 end
 
 private
- def check_privilege(favgroup)
+ def check_write_privilege(favgroup)
 raise User::PrivilegeError unless favgroup.editable_by?(CurrentUser.user)
 end
+
+ def check_read_privilege(favgroup)
+ raise User::PrivilegeError unless favgroup.viewable_by?(CurrentUser.user)
+ end
 end
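Review bot: `show` is the only read action that gains `check_read_privilege`, so any other action in this controller that renders a group or its posts (an `index` listing, or the non-HTML formats `respond_with` serves) lies outside these hunks and would still expose a hidden group unless it calls the same helper; that cannot be confirmed from the diff, so please verify. The two private helpers are also undocumented, and since the read/write distinction is the whole point of the change a one-line comment on each would help the next reader: `# Only the group's creator may modify it (FavoriteGroup#editable_by?).` and `# Non-creators may view a group only while its creator has not hidden their favorites (FavoriteGroup#viewable_by?).`. The `update` body continues past the end of its hunk.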
diff --git a/app/logical/post_query_builder.rb b/app/logical/post_query_builder.rb
index 75ba7f592..b1a24af42 100644
--- a/app/logical/post_query_builder.rb
+++ b/app/logical/post_query_builder.rb
@@ -400,12 +400,6 @@ class PostQueryBuilder
 
 if q[:ordfav].present?
 user_id = q[:ordfav].to_i
- user = User.find(user_id)
-
- if user.hide_favorites?
- raise User::PrivilegeError.new
- end
-
 relation = relation.joins("INNER JOIN favorites ON favorites.post_id = posts.id")
 relation = relation.where("favorites.user_id % 100 = ? and favorites.user_id = ?", user_id % 100, user_id).order("favorites.id DESC")
 end
diff --git a/app/models/favorite_group.rb b/app/models/favorite_group.rb
index 6b0e405dc..4e586afa8 100644
--- a/app/models/favorite_group.rb
+++ b/app/models/favorite_group.rb
@@ -241,4 +241,8 @@ class FavoriteGroup < ApplicationRecord
 def editable_by?(user)
 creator_id == user.id
 end
+
+ def viewable_by?(user)
+ creator_id == user.id || !creator.hide_favorites?
+ end
 end
diff --git a/app/models/tag.rb b/app/models/tag.rb
index e49014db1..86e4a4278 100644
--- a/app/models/tag.rb
+++ b/app/models/tag.rb
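Review bot: Deleting the `hide_favorites?` guard after `user_id = q[:ordfav].to_i` leaves the favorites join with no check at the point where the data is actually read; the only remaining check is in the tag parser's `"ordfav"` branch, so any code path that populates `q[:ordfav]` without going through that parser would now order by a hidden user's favorites. Whether such a path exists is not visible here, but keeping a cheap guard as defense in depth costs one lookup: `raise User::PrivilegeError if User.find(user_id).hide_favorites?` directly after the `to_i` line. If the parser is deliberately the single place this is enforced, a comment stating that dependency (`# visibility of this user's favorites is enforced when the ordfav: tag is parsed`) would stop a later reader from assuming the omission is a bug. The enclosing method starts and ends outside the hunk.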
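Review bot: `viewable_by?` dereferences `creator` unconditionally on the non-owner path, so if a group can outlive its creator record the call raises `NoMethodError` rather than denying access; if that case is possible, `creator_id == user.id || (creator.present? && !creator.hide_favorites?)` fails closed, and if it is not, a comment saying the association is guaranteed would settle it. Like `editable_by?`, the method assumes `user` is never nil, which is fine as long as `CurrentUser.user` always yields an object. The predicate also loads `creator` on every call, so callers that test many groups in a loop will pay one query each; worth a `preload(:creator)` at those call sites if any exist. A short doc comment would make the policy explicit: `# The creator always sees their own group; everyone else only while the creator's favorites are not hidden.`.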
@@ -609,22 +609,52 @@ class Tag < ApplicationRecord
 
 when "-favgroup"
 favgroup_id = FavoriteGroup.name_to_id(g2)
+ favgroup = FavoriteGroup.find(favgroup_id)
+
+ if !favgroup.viewable_by?(CurrentUser.user)
+ raise User::PrivilegeError.new
+ end
+
 q[:favgroups_neg] ||= []
 q[:favgroups_neg] << favgroup_id
 
 when "favgroup"
 favgroup_id = FavoriteGroup.name_to_id(g2)
+ favgroup = FavoriteGroup.find(favgroup_id)
+
+ if !favgroup.viewable_by?(CurrentUser.user)
+ raise User::PrivilegeError.new
+ end
+
 q[:favgroups] ||= []
 q[:favgroups] << favgroup_id
 
 when "-fav"
+ favuser = User.find_by_name(g2)
+
+ if favuser.hide_favorites?
+ raise User::PrivilegeError.new
+ end
+
 q[:tags][:exclude] << "fav:#{User.name_to_id(g2)}"
 
 when "fav"
+ favuser = User.find_by_name(g2)
+
+ if favuser.hide_favorites?
+ raise User::PrivilegeError.new
+ end
+
 q[:tags][:related] << "fav:#{User.name_to_id(g2)}"
 
 when "ordfav"
 user_id = User.name_to_id(g2)
+ favuser = User.find(user_id)
+
+ if favuser.hide_favorites?
+ raise User::PrivilegeError.new
+ end
+
 q[:tags][:related] << "fav:#{user_id}"
 q[:ordfav] = user_id
 
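Review bot: `User.find_by_name(g2)` in the new `"-fav"` and `"fav"` branches returns nil for an unknown user name, so `favuser.hide_favorites?` raises `NoMethodError` where the old code simply built a `fav:` tag from `User.name_to_id(g2)`; a search naming a non-existent user now fails with a server error instead of matching nothing. The same check is also pasted five times, the `favgroup` branches use `if !…` where `unless` reads better, and `User::PrivilegeError.new` should be `raise User::PrivilegeError` to match the controller in this same commit. In the `"ordfav"` branch `User.find(user_id)`, and in both `favgroup` branches `FavoriteGroup.find(favgroup_id)`, raise `ActiveRecord::RecordNotFound` if `name_to_id` returned nil; whether it can is outside the hunk, so decide that case deliberately. Two small helpers keep one copy of each check and handle the nil user explicitly; the enclosing `case` starts and ends outside the hunk and it is not visible whether its method is a class or instance method, so declare the helpers to match.
```ruby
when "-favgroup"
  favgroup_id = FavoriteGroup.name_to_id(g2)
  check_favgroup_visible!(favgroup_id)
# … unchanged: "favgroup" branch makes the same call …
when "-fav"
  check_favorites_visible!(g2)
  q[:tags][:exclude] << "fav:#{User.name_to_id(g2)}"
# … unchanged: "fav" and "ordfav" branches call check_favorites_visible!(g2) the same way …

# Raise unless the current user may see the given favorite group.
def check_favgroup_visible!(favgroup_id)
  favgroup = FavoriteGroup.find(favgroup_id)
  raise User::PrivilegeError unless favgroup.viewable_by?(CurrentUser.user)
end

# Raise when the named user exists and has hidden their favorites;
# an unknown name is left for User.name_to_id to handle as before.
def check_favorites_visible!(name)
  favuser = User.find_by_name(name)
  raise User::PrivilegeError if favuser && favuser.hide_favorites?
end
```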