Don't show hidden notes to non-moderators in the user notes list

Fixes #921

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index ea32441f2f5db86aa4ff7780cf0b629dcd9f4538..2973a26c27e187802d15f9a074ee4655f083c161 100644 (file)
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -283,7 +283,9 @@ class NotesController < ApplicationController
         @description = t "note.mine.subheading", :user => render_to_string(:partial => "user", :object => @this_user)
         @page = (params[:page] || 1).to_i
         @page_size = 10
-        @notes = @this_user.notes.order("updated_at DESC, id").uniq.offset((@page - 1) * @page_size).limit(@page_size).preload(:comments => :author).to_a
+        @notes = @this_user.notes
+        @notes = @notes.visible unless @user && @user.moderator?
+        @notes = @notes.order("updated_at DESC, id").uniq.offset((@page - 1) * @page_size).limit(@page_size).preload(:comments => :author).to_a
       else
         @title = t "user.no_such_user.title"
         @not_found_user = params[:display_name]

diff --git a/test/controllers/notes_controller_test.rb b/test/controllers/notes_controller_test.rb
index 9439ba676b3d18f1cf670150bcc221c2e83b9c97..5cdcbb31df6dca84a0e6a1607074c6d61e9cb0f5 100644 (file)
--- a/test/controllers/notes_controller_test.rb
+++ b/test/controllers/notes_controller_test.rb
@@ -872,9 +872,24 @@ class NotesControllerTest < ActionController::TestCase
   def test_mine_success
     get :mine, :display_name => "test"
     assert_response :success
+    assert_select "table.note_list tr", :count => 2
 
     get :mine, :display_name => "pulibc_test2"
     assert_response :success
+    assert_select "table.note_list tr", :count => 3
+
+    get :mine, :display_name => "non-existent"
+    assert_response :not_found
+
+    session[:user] = users(:moderator_user).id
+
+    get :mine, :display_name => "test"
+    assert_response :success
+    assert_select "table.note_list tr", :count => 2
+
+    get :mine, :display_name => "pulibc_test2"
+    assert_response :success
+    assert_select "table.note_list tr", :count => 4
 
     get :mine, :display_name => "non-existent"
     assert_response :not_found

diff --git a/test/fixtures/note_comments.yml b/test/fixtures/note_comments.yml
index bf9f9a4bf89ea0979c0c7a4688a0a6311ca8c85f..c3c568c25ed6f8202756e95981626a1aeb33fe74 100644 (file)
--- a/test/fixtures/note_comments.yml
+++ b/test/fixtures/note_comments.yml
@@ -113,3 +113,12 @@ t13:
   event: closed
   created_at: 2007-03-01 00:00:00
   author_id: 4
+
+t14:
+  id: 14
+  note_id: 8
+  visible: true
+  event: commented
+  created_at: 2007-02-01 00:00:00
+  author_id: 4
+  body: 'A comment description'

diff --git a/test/fixtures/notes.yml b/test/fixtures/notes.yml
index ffecba869f72fe63c74bed652f978cdfa94b8b7d..79e488f1fa598b50a70f74aed766cb4f8e49b827 100644 (file)
--- a/test/fixtures/notes.yml
+++ b/test/fixtures/notes.yml
@@ -65,3 +65,49 @@ note_closed_by_user:
   created_at: 2007-01-01 00:00:00
   updated_at: 2007-03-01 00:00:00
   closed_at:  2007-03-01 00:00:00
+
+hidden_note_with_comment:
+  id: 4
+  latitude: <%= 1.3*SCALE %>
+  longitude: <%= 1.3*SCALE %>
+  status: hidden
+  tile: <%= QuadTile.tile_for_point(1.3,1.3) %>
+  created_at: 2007-01-01 00:00:00
+  updated_at: 2007-03-01 00:00:00
+
+note_with_hidden_comment:
+  id: 5
+  latitude: <%= 1.4*SCALE %>
+  longitude: <%= 1.4*SCALE %>
+  status: open
+  tile: <%= QuadTile.tile_for_point(1.4,1.4) %>
+  created_at: 2007-01-01 00:00:00
+  updated_at: 2007-03-01 00:00:00
+
+note_with_comments_by_users:
+  id: 6
+  latitude: <%= 1.5*SCALE %>
+  longitude: <%= 1.5*SCALE %>
+  status: open
+  tile: <%= QuadTile.tile_for_point(1.5,1.5) %>
+  created_at: 2007-01-01 00:00:00
+  updated_at: 2007-03-01 00:00:00
+
+note_closed_by_user:
+  id: 7
+  latitude: <%= 1.6*SCALE %>
+  longitude: <%= 1.6*SCALE %>
+  status: closed
+  tile: <%= QuadTile.tile_for_point(1.6,1.6) %>
+  created_at: 2007-01-01 00:00:00
+  updated_at: 2007-03-01 00:00:00
+  closed_at:  2007-03-01 00:00:00
+
+hidden_note_with_comment_by_user:
+  id: 8
+  latitude: <%= 1.3*SCALE %>
+  longitude: <%= 1.3*SCALE %>
+  status: hidden
+  tile: <%= QuadTile.tile_for_point(1.3,1.3) %>
+  created_at: 2007-01-01 00:00:00
+  updated_at: 2007-03-01 00:00:00