From 5dc3e5b48a740cd2fd47fced83a8bac0a86efdb4 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 12 Aug 2015 17:42:14 +0100
Subject: [PATCH] Don't show hidden notes to non-moderators in the user notes list

Fixes #921
---
 app/controllers/notes_controller.rb | 4 +-
 test/controllers/notes_controller_test.rb | 15 ++++++++
 test/fixtures/note_comments.yml | 9 +++++
 test/fixtures/notes.yml | 46 +++++++++++++++++++++++
 4 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index ea32441f2..2973a26c2 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -283,7 +283,9 @@ class NotesController < ApplicationController
 @description = t "note.mine.subheading", :user => render_to_string(:partial => "user", :object => @this_user)
 @page = (params[:page] || 1).to_i
 @page_size = 10
- @notes = @this_user.notes.order("updated_at DESC, id").uniq.offset((@page - 1) * @page_size).limit(@page_size).preload(:comments => :author).to_a
+ @notes = @this_user.notes
+ @notes = @notes.visible unless @user && @user.moderator?
+ @notes = @notes.order("updated_at DESC, id").uniq.offset((@page - 1) * @page_size).limit(@page_size).preload(:comments => :author).to_a
 else
 @title = t "user.no_such_user.title"
 @not_found_user = params[:display_name]
diff --git a/test/controllers/notes_controller_test.rb b/test/controllers/notes_controller_test.rb
index 9439ba676..5cdcbb31d 100644
--- a/test/controllers/notes_controller_test.rb
+++ b/test/controllers/notes_controller_test.rb
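Review bot: In app/controllers/notes_controller.rb the new `@notes.visible` filter covers only the note's own status, while the `.preload(:comments => :author)` on the last added line still loads every comment of each listed note. If the list template renders those comments without its own check (the template is not part of this patch), a hidden comment on an open note would stay readable by non-moderators; the `note_with_hidden_comment` fixture in this same patch suggests that state exists. Worth confirming in the view and recording the rule next to the filter, e.g. `# Hidden notes are listed for moderators only; hidden comments must be filtered where they are rendered`. The enclosing action starts and ends outside this hunk.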
@@ -872,9 +872,24 @@ class NotesControllerTest < ActionController::TestCase
 def test_mine_success
 get :mine, :display_name => "test"
 assert_response :success
+ assert_select "table.note_list tr", :count => 2

 get :mine, :display_name => "pulibc_test2"
 assert_response :success
+ assert_select "table.note_list tr", :count => 3
+
+ get :mine, :display_name => "non-existent"
+ assert_response :not_found
+
+ session[:user] = users(:moderator_user).id
+
+ get :mine, :display_name => "test"
+ assert_response :success
+ assert_select "table.note_list tr", :count => 2
+
+ get :mine, :display_name => "pulibc_test2"
+ assert_response :success
+ assert_select "table.note_list tr", :count => 4

 get :mine, :display_name => "non-existent"
 assert_response :not_found
diff --git a/test/fixtures/note_comments.yml b/test/fixtures/note_comments.yml
index bf9f9a4bf..c3c568c25 100644
--- a/test/fixtures/note_comments.yml
+++ b/test/fixtures/note_comments.yml
@@ -113,3 +113,12 @@ t13:
 event: closed
 created_at: 2007-03-01 00:00:00
 author_id: 4
+
+t14:
+ id: 14
+ note_id: 8
+ visible: true
+ event: commented
+ created_at: 2007-02-01 00:00:00
+ author_id: 4
+ body: 'A comment description'
diff --git a/test/fixtures/notes.yml b/test/fixtures/notes.yml
index ffecba869..79e488f1f 100644
--- a/test/fixtures/notes.yml
+++ b/test/fixtures/notes.yml
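Review bot: test_mine_success in test/controllers/notes_controller_test.rb exercises the new condition `@user && @user.moderator?` only for an anonymous request and for a moderator session; a logged-in user who is not a moderator is never tested. That is the branch where `@user` is set but the filter must still apply, including when the note's own author opens the list. I would add a block that sets `session[:user]` to a non-moderator fixture and repeats `assert_select "table.note_list tr", :count => 3` for "pulibc_test2" ahead of the moderator block.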
@@ -65,3 +65,49 @@ note_closed_by_user:
 created_at: 2007-01-01 00:00:00
 updated_at: 2007-03-01 00:00:00
 closed_at: 2007-03-01 00:00:00
+
+hidden_note_with_comment:
+ id: 4
+ latitude: <%= 1.3*SCALE %>
+ longitude: <%= 1.3*SCALE %>
+ status: hidden
+ tile: <%= QuadTile.tile_for_point(1.3,1.3) %>
+ created_at: 2007-01-01 00:00:00
+ updated_at: 2007-03-01 00:00:00
+
+note_with_hidden_comment:
+ id: 5
+ latitude: <%= 1.4*SCALE %>
+ longitude: <%= 1.4*SCALE %>
+ status: open
+ tile: <%= QuadTile.tile_for_point(1.4,1.4) %>
+ created_at: 2007-01-01 00:00:00
+ updated_at: 2007-03-01 00:00:00
+
+note_with_comments_by_users:
+ id: 6
+ latitude: <%= 1.5*SCALE %>
+ longitude: <%= 1.5*SCALE %>
+ status: open
+ tile: <%= QuadTile.tile_for_point(1.5,1.5) %>
+ created_at: 2007-01-01 00:00:00
+ updated_at: 2007-03-01 00:00:00
+
+note_closed_by_user:
+ id: 7
+ latitude: <%= 1.6*SCALE %>
+ longitude: <%= 1.6*SCALE %>
+ status: closed
+ tile: <%= QuadTile.tile_for_point(1.6,1.6) %>
+ created_at: 2007-01-01 00:00:00
+ updated_at: 2007-03-01 00:00:00
+ closed_at: 2007-03-01 00:00:00
+
+hidden_note_with_comment_by_user:
+ id: 8
+ latitude: <%= 1.3*SCALE %>
+ longitude: <%= 1.3*SCALE %>
+ status: hidden
+ tile: <%= QuadTile.tile_for_point(1.3,1.3) %>
+ created_at: 2007-01-01 00:00:00
+ updated_at: 2007-03-01 00:00:00
-- 
2.43.2
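Review bot: The added fixture labelled `note_closed_by_user` (id 7) in test/fixtures/notes.yml reuses the label of the fixture that ends in this hunk's context lines, so the file now carries the same top-level key twice. Ruby's YAML parser normally keeps only the last value for a repeated mapping key, so the earlier record would be silently replaced and `notes(:note_closed_by_user)` would resolve to id 7; how the fixture loader treats this is not visible here. The labels added with ids 4 to 6 may repeat entries above the hunk in the same way. Only `hidden_note_with_comment_by_user` (id 8) is referenced by the new comment `t14`, so keeping just that entry, or giving the others unique labels, would avoid the collision and keep the row counts asserted in the controller test predictable.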