From 6027c42ee7b5ac6b36e8a62135d2cf67b3ca8250 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Tue, 4 Sep 2018 22:22:13 +0100
Subject: [PATCH 1/1] Hide note comments made by deleted users

Fixes #1970
---
 app/controllers/notes_controller.rb        |  8 +++++---
 app/models/note.rb                         |  6 +++---
 test/controllers/browse_controller_test.rb | 15 +++++++++++++++
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index 9d156ea1d..94d0fdb55 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -328,11 +328,13 @@ class NotesController < ApplicationController
                    end
 
     if closed_since < 0
-      notes.where("status != 'hidden'")
+      notes.where.not(:status => "hidden")
     elsif closed_since > 0
-      notes.where("(status = 'open' OR (status = 'closed' AND closed_at > '#{Time.now - closed_since.days}'))")
+      notes.where(:status => "open")
+           .or(notes.where(:status => "closed")
+                    .where(notes.arel_table[:closed_at].gt(Time.now - closed_since.days)))
     else
-      notes.where("status = 'open'")
+      notes.where(:status => "open")
     end
   end
 
diff --git a/app/models/note.rb b/app/models/note.rb
index b7f6928b8..d96addbe7 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -21,7 +21,7 @@
 class Note < ActiveRecord::Base
   include GeoRecord
 
-  has_many :comments, -> { where(:visible => true).order(:created_at) }, :class_name => "NoteComment", :foreign_key => :note_id
+  has_many :comments, -> { left_joins(:author).where(:visible => true, :users => { :status => [nil, "active", "confirmed"] }).order(:created_at) }, :class_name => "NoteComment", :foreign_key => :note_id
 
   validates :id, :uniqueness => true, :presence => { :on => :update },
                  :numericality => { :on => :update, :integer_only => true }
@@ -31,8 +31,8 @@ class Note < ActiveRecord::Base
 
   validate :validate_position
 
-  scope :visible, -> { where("status != 'hidden'") }
-  scope :invisible, -> { where("status = 'hidden'") }
+  scope :visible, -> { where.not(:status => "hidden") }
+  scope :invisible, -> { where(:status => "hidden") }
 
   after_initialize :set_defaults
 
diff --git a/test/controllers/browse_controller_test.rb b/test/controllers/browse_controller_test.rb
index 68345c6b6..230a74cb6 100644
--- a/test/controllers/browse_controller_test.rb
+++ b/test/controllers/browse_controller_test.rb
@@ -126,6 +126,21 @@ class BrowseControllerTest < ActionController::TestCase
     assert_select "div.note-comments ul li", :count => 2
   end
 
+  def test_read_note_hidden_user_comment
+    hidden_user = create(:user, :status => "deleted")
+    note_with_hidden_user_comment = create(:note_with_comments, :comments_count => 2) do |note|
+      create(:note_comment, :note => note, :author => hidden_user)
+    end
+
+    browse_check "note", note_with_hidden_user_comment.id, "browse/note"
+    assert_select "div.note-comments ul li", :count => 1
+
+    session[:user] = create(:moderator_user).id
+
+    browse_check "note", note_with_hidden_user_comment.id, "browse/note"
+    assert_select "div.note-comments ul li", :count => 1
+  end
+
   ##
   #  Methods to check redaction.
   #
-- 
2.43.2