From b9f9d9df8887c181828f37867c16bc3e83a6fa59 Mon Sep 17 00:00:00 2001
From: Frederik Ramm <frederik@remote.org>
Date: Sun, 22 Jul 2018 15:42:14 +0200
Subject: [PATCH] allow moderators to read hidden notes through API

---
 app/controllers/notes_controller.rb       | 4 ++--
 test/controllers/notes_controller_test.rb | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index 853072b7b..9d156ea1d 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -4,7 +4,7 @@ class NotesController < ApplicationController
   skip_before_action :verify_authenticity_token, :except => [:mine]
   before_action :check_api_readable
   before_action :authorize_web, :only => [:mine]
-  before_action :setup_user_auth, :only => [:create, :comment]
+  before_action :setup_user_auth, :only => [:create, :comment, :show]
   before_action :authorize, :only => [:close, :reopen, :destroy]
   before_action :require_moderator, :only => [:destroy]
   before_action :check_api_writable, :only => [:create, :comment, :close, :reopen, :destroy]
@@ -211,7 +211,7 @@ class NotesController < ApplicationController
     # Find the note and check it is valid
     @note = Note.find(params[:id])
     raise OSM::APINotFoundError unless @note
-    raise OSM::APIAlreadyDeletedError.new("note", @note.id) unless @note.visible?
+    raise OSM::APIAlreadyDeletedError.new("note", @note.id) unless @note.visible? || (current_user && current_user.moderator?)
 
     # Render the result
     respond_to do |format|
diff --git a/test/controllers/notes_controller_test.rb b/test/controllers/notes_controller_test.rb
index 4444a2f50..1ebce60b5 100644
--- a/test/controllers/notes_controller_test.rb
+++ b/test/controllers/notes_controller_test.rb
@@ -625,6 +625,10 @@ class NotesControllerTest < ActionController::TestCase
     assert_equal "This is a hide comment", js["properties"]["comments"].last["text"]
     assert_equal moderator_user.display_name, js["properties"]["comments"].last["user"]
 
+    get :show, :params => { :id => open_note_with_comment.id, :format => "json" }
+    assert_response :success
+
+    basic_authorization user.email, "test"
     get :show, :params => { :id => open_note_with_comment.id, :format => "json" }
     assert_response :gone
   end
-- 
2.43.2