From caa1a0128a057bf7358cf60926e0c243113b5a50 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Wed, 12 Aug 2015 17:20:30 +0100
Subject: [PATCH] Hide hidden notes and comments correctly in the data browser

---
 app/controllers/browse_controller.rb       |  9 +++++++-
 app/views/browse/note.html.erb             | 10 ++++-----
 test/controllers/browse_controller_test.rb | 26 ++++++++++++++++++++++
 3 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/app/controllers/browse_controller.rb b/app/controllers/browse_controller.rb
index c7f8b0e81..0ac45b926 100644
--- a/app/controllers/browse_controller.rb
+++ b/app/controllers/browse_controller.rb
@@ -76,7 +76,14 @@ class BrowseController < ApplicationController
 
   def note
     @type = "note"
-    @note = Note.find(params[:id])
+
+    if @user && @user.moderator?
+      @note = Note.find(params[:id])
+      @note_comments = @note.comments.unscope(:where => :visible)
+    else
+      @note = Note.visible.find(params[:id])
+      @note_comments = @note.comments
+    end
   rescue ActiveRecord::RecordNotFound
     render :action => "not_found", :status => :not_found
   end
diff --git a/app/views/browse/note.html.erb b/app/views/browse/note.html.erb
index fa6f75ff9..1bacd27d6 100644
--- a/app/views/browse/note.html.erb
+++ b/app/views/browse/note.html.erb
@@ -8,25 +8,25 @@
 <div class="browse-section">
   <h4><%= t('browse.note.description') %></h4>
   <div class="note-description">
-    <%= h(@note.comments.first.body.to_html) %>
+    <%= h(@note_comments.first.body.to_html) %>
   </div>
 
   <div class="details" data-coordinates="<%= @note.lat %>,<%= @note.lon %>" data-status="<%= @note.status %>">
     <%= note_event('open', @note.created_at, @note.author) %>
     <% if @note.status == "closed" %>
       <br/>
-      <%= note_event(@note.status, @note.closed_at, @note.comments.last.author) %>
+      <%= note_event(@note.status, @note.closed_at, @note_comments.last.author) %>
     <% end %>
   </div>
 
-  <% if @note.comments.find { |comment| comment.author.nil? } -%>
+  <% if @note_comments.find { |comment| comment.author.nil? } -%>
     <p class='warning'><%= t "javascripts.notes.show.anonymous_warning" %></p>
   <% end -%>
 
-  <% if @note.comments.length > 1 %>
+  <% if @note_comments.length > 1 %>
     <div class='note-comments'>
       <ul>
-        <% @note.comments[1..-1].each do |comment| %>
+        <% @note_comments[1..-1].each do |comment| %>
           <li id="c<%= comment.id %>">
             <small class='deemphasize'><%= note_event(comment.event, comment.created_at, comment.author) %></small>
             <%= comment.body.to_html %>
diff --git a/test/controllers/browse_controller_test.rb b/test/controllers/browse_controller_test.rb
index a1c94b457..d0cbeb796 100644
--- a/test/controllers/browse_controller_test.rb
+++ b/test/controllers/browse_controller_test.rb
@@ -88,6 +88,32 @@ class BrowseControllerTest < ActionController::TestCase
     browse_check "note", notes(:open_note).id, "browse/note"
   end
 
+  def test_read_hidden_note
+    get :note, :id => notes(:hidden_note_with_comment).id
+    assert_response :not_found
+    assert_template "browse/not_found"
+    assert_template :layout => "map"
+
+    xhr :get, :note, :id => notes(:hidden_note_with_comment).id
+    assert_response :not_found
+    assert_template "browse/not_found"
+    assert_template :layout => "xhr"
+
+    session[:user] = users(:moderator_user).id
+
+    browse_check "note", notes(:hidden_note_with_comment).id, "browse/note"
+  end
+
+  def test_read_note_hidden_comments
+    browse_check "note", notes(:note_with_hidden_comment).id, "browse/note"
+    assert_select "div.note-comments ul li", :count => 1
+
+    session[:user] = users(:moderator_user).id
+
+    browse_check "note", notes(:note_with_hidden_comment).id, "browse/note"
+    assert_select "div.note-comments ul li", :count => 2
+  end
+
   ##
   #  Methods to check redaction.
   #
-- 
2.43.2