From 26c168bdcd5fe68b7dd732798dff05ad6cac7b60 Mon Sep 17 00:00:00 2001
From: BrokenEagle
Date: Mon, 18 Dec 2017 11:59:27 -0800
Subject: [PATCH 1/2] Fixed incorrect showing of favorites - Moved all favorite checking logic to same file
---
 app/logical/post_query_builder.rb | 6 ------
 app/models/tag.rb | 18 ++++++++++++++++++
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/app/logical/post_query_builder.rb b/app/logical/post_query_builder.rb
index 75ba7f592..b1a24af42 100644
--- a/app/logical/post_query_builder.rb
+++ b/app/logical/post_query_builder.rb
@@ -400,12 +400,6 @@ class PostQueryBuilder
 if q[:ordfav].present?
 user_id = q[:ordfav].to_i
-user = User.find(user_id)
-
-if user.hide_favorites?
-raise User::PrivilegeError.new
-end
-
 relation = relation.joins("INNER JOIN favorites ON favorites.post_id = posts.id")
 relation = relation.where("favorites.user_id % 100 = ? and favorites.user_id = ?", user_id % 100, user_id).order("favorites.id DESC")
 end
diff --git a/app/models/tag.rb b/app/models/tag.rb
index 5f3a3fdc2..9e1c8cb4d 100644
--- a/app/models/tag.rb
+++ b/app/models/tag.rb
@@ -617,13 +617,31 @@ class Tag < ApplicationRecord
 q[:favgroups] << favgroup_id
 when "-fav"
+favuser = User.find_by_name(g2)
+
+if favuser.hide_favorites?
+raise User::PrivilegeError.new
+end
+
 q[:tags][:exclude] << "fav:#{User.name_to_id(g2)}"
 when "fav"
+favuser = User.find_by_name(g2)
+
+if favuser.hide_favorites?
+raise User::PrivilegeError.new
+end
+
 q[:tags][:related] << "fav:#{User.name_to_id(g2)}"
 when "ordfav"
 user_id = User.name_to_id(g2)
+favuser = User.find(user_id)
+
+if favuser.hide_favorites?
+raise User::PrivilegeError.new
+end
+
 q[:tags][:related] << "fav:#{user_id}"
 q[:ordfav] = user_id
From 3b1fdc8cdea2213432e086c4a8474a2c1bbc492b Mon Sep 17 00:00:00 2001
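Review bot: The new `favuser.hide_favorites?` checks in the `-fav`, `fav` and `ordfav` branches raise for everyone, including the user whose favorites they are, whereas the `viewable_by?` added in the second patch exempts the owner (`creator_id == user.id`); a user who hides their favorites can therefore no longer search `fav:`/`ordfav:` on their own name, and the two privacy rules disagree. Separately, `User.find_by_name(g2)` yields nil for an unknown name (if it behaves like a Rails `find_by_*` finder — not visible here), so `fav:nonexistent` now fails with a NoMethodError on nil instead of whatever `User.name_to_id` did before. The same six-line block appears three times here and, with `FavoriteGroup`, twice more in the second patch's tag.rb hunk; one helper that carries the owner exemption and the nil case removes the duplication. The enclosing parser method starts and ends outside the hunk, so the helper below must be defined at the same level (class or instance) as that method, and `CurrentUser.user` is the same accessor the favgroup branches of the second patch use.
```ruby
        when "-fav"
          check_favorites_visible!(User.find_by_name(g2))
          q[:tags][:exclude] << "fav:#{User.name_to_id(g2)}"
        when "fav"
          check_favorites_visible!(User.find_by_name(g2))
          q[:tags][:related] << "fav:#{User.name_to_id(g2)}"
        when "ordfav"
          user_id = User.name_to_id(g2)
          check_favorites_visible!(User.find(user_id))
          # … unchanged: related/ordfav assignments …

# Raises User::PrivilegeError when favuser has hidden their favorites from
# everyone but themselves. nil (name did not resolve) is passed through so the
# existing name_to_id handling decides what an unknown name means.
def check_favorites_visible!(favuser)
  return if favuser.nil? || favuser.id == CurrentUser.user.id
  raise User::PrivilegeError if favuser.hide_favorites?
end
```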
From: BrokenEagle
Date: Mon, 18 Dec 2017 12:16:20 -0800
Subject: [PATCH 2/2] Fixed incorrect showing of favorite groups
---
 app/controllers/favorite_groups_controller.rb | 15 ++++++++++-----
 app/models/favorite_group.rb | 4 ++++
 app/models/tag.rb | 12 ++++++++++++
 3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/app/controllers/favorite_groups_controller.rb b/app/controllers/favorite_groups_controller.rb
index 21b4afc0b..e56958e51 100644
--- a/app/controllers/favorite_groups_controller.rb
+++ b/app/controllers/favorite_groups_controller.rb
@@ -13,6 +13,7 @@ class FavoriteGroupsController < ApplicationController
 def show
 @favorite_group = FavoriteGroup.find(params[:id])
+check_read_privilege(@favorite_group)
 @post_set = PostSets::FavoriteGroup.new(@favorite_group, params[:page])
 respond_with(@favorite_group)
 end
@@ -37,13 +38,13 @@ class FavoriteGroupsController < ApplicationController
 def edit
 @favorite_group = FavoriteGroup.find(params[:id])
-check_privilege(@favorite_group)
+check_write_privilege(@favorite_group)
 respond_with(@favorite_group)
 end
 def update
 @favorite_group = FavoriteGroup.find(params[:id])
-check_privilege(@favorite_group)
+check_write_privilege(@favorite_group)
 @favorite_group.update_attributes(params[:favorite_group])
 unless @favorite_group.errors.any?
 flash[:notice] = "Favorite group updated"
@@ -53,7 +54,7 @@ class FavoriteGroupsController < ApplicationController
 def destroy
 @favorite_group = FavoriteGroup.find(params[:id])
-check_privilege(@favorite_group)
+check_write_privilege(@favorite_group)
 @favorite_group.destroy
 flash[:notice] = "Favorite group deleted"
 redirect_to favorite_groups_path
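Review bot: `check_read_privilege` is applied to `show`, but that is the only read action in the diff; whichever other routes render a group's posts (the controller's `index`, if there is one, and any other caller of `PostSets::FavoriteGroup`) lie outside this hunk and will still serve a hidden creator's group unless they apply `viewable_by?` as well — worth confirming before merge, since the privacy guarantee is only as strong as the least-checked route. Placing the check ahead of the `PostSets::FavoriteGroup` construction is the right order, as no post data is loaded for a denied request. A one-line comment on the call, `# groups of users who hide their favorites are readable only by the owner`, would record why `show` is gated differently from the write actions.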
@@ -61,13 +62,17 @@ class FavoriteGroupsController < ApplicationController
 def add_post
 @favorite_group = FavoriteGroup.find(params[:id])
-check_privilege(@favorite_group)
+check_write_privilege(@favorite_group)
 @post = Post.find(params[:post_id])
 @favorite_group.add!(@post.id)
 end
 private
-def check_privilege(favgroup)
+def check_write_privilege(favgroup)
 raise User::PrivilegeError unless favgroup.editable_by?(CurrentUser.user)
 end
+
+def check_read_privilege(favgroup)
+raise User::PrivilegeError unless favgroup.viewable_by?(CurrentUser.user)
+end
 end
diff --git a/app/models/favorite_group.rb b/app/models/favorite_group.rb
index f6047e9e2..e547ec871 100644
--- a/app/models/favorite_group.rb
+++ b/app/models/favorite_group.rb
@@ -237,4 +237,8 @@ class FavoriteGroup < ApplicationRecord
 def editable_by?(user)
 creator_id == user.id
 end
+
+def viewable_by?(user)
+creator_id == user.id || !creator.hide_favorites?
+end
 end
diff --git a/app/models/tag.rb b/app/models/tag.rb
index 9e1c8cb4d..0cae27734 100644
--- a/app/models/tag.rb
+++ b/app/models/tag.rb
@@ -608,11 +608,23 @@ class Tag < ApplicationRecord
 when "-favgroup"
 favgroup_id = FavoriteGroup.name_to_id(g2)
+favgroup = FavoriteGroup.find(favgroup_id)
+
+if !favgroup.viewable_by?(CurrentUser.user)
+raise User::PrivilegeError.new
+end
+
 q[:favgroups_neg] ||= []
 q[:favgroups_neg] << favgroup_id
 when "favgroup"
 favgroup_id = FavoriteGroup.name_to_id(g2)
+favgroup = FavoriteGroup.find(favgroup_id)
+
+if !favgroup.viewable_by?(CurrentUser.user)
+raise User::PrivilegeError.new
+end
+
 q[:favgroups] ||= []
 q[:favgroups] << favgroup_id
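Review bot: `viewable_by?` re-states the ownership test that `editable_by?` directly above already encodes; writing it as `editable_by?(user) || !creator.hide_favorites?` keeps the two authorization predicates in lockstep if the ownership rule ever changes, and a comment such as `# A group whose creator hides their favorites is visible only to that creator.` records the intent. Whether `user` can be nil for an anonymous visitor is not visible here; if it can, `user.id` raises before the privacy decision is reached, so confirm what the controller passes as `CurrentUser.user`. Likewise `creator.hide_favorites?` assumes the creator record still exists — presumably guaranteed by the association, but worth a check if creators can be deleted.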
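Review bot: `FavoriteGroup.find(favgroup_id)` now runs before the id is queued in both the `-favgroup` and `favgroup` branches, so a name that `FavoriteGroup.name_to_id` cannot resolve (if it returns nil for unknown names — not visible here) surfaces as `ActiveRecord::RecordNotFound`, where the previous code simply pushed the unresolved value; decide whether a not-found error is the intended response to an unknown group name in a search and, if not, handle nil explicitly before calling `find`. As a matter of style the guard reads better as `raise User::PrivilegeError unless favgroup.viewable_by?(CurrentUser.user)`, which matches the controller helpers in this same patch and drops the redundant `.new`. The enclosing parser method starts and ends outside the hunk.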