fix: prevent users from seeing their own flags (#4167)

SychO9 · web-flow · commit cf7ef489065c · 2025-01-31T09:12:12.000+01:00
diff --git a/extensions/flags/src/Access/ScopeFlagVisibility.php b/extensions/flags/src/Access/ScopeFlagVisibility.php
@@ -37,10 +37,8 @@ public function __invoke(User $actor, Builder $query): void
                     if ($actor->hasPermission('discussion.viewFlags')) {
                         $query->orWhereDoesntHave('post.discussion.tags');
                     }
-                }
-
-                if (! $actor->hasPermission('discussion.viewFlags')) {
-                    $query->orWhere('flags.user_id', $actor->id);
+                } elseif (! $actor->hasPermission('discussion.viewFlags')) {
+                    $query->whereRaw('1 = 0');
                 }
             });
     }
diff --git a/extensions/flags/tests/integration/api/flags/ListTest.php b/extensions/flags/tests/integration/api/flags/ListTest.php
@@ -96,7 +96,7 @@ public function admin_can_see_one_flag_per_visible_post()
     }
 
     #[Test]
-    public function regular_user_sees_own_flags_of_visible_posts()
+    public function regular_user_does_not_see_own_flags_of_visible_posts()
     {
         $response = $this->send(
             $this->request('GET', '/api/flags', [
@@ -109,7 +109,7 @@ public function regular_user_sees_own_flags_of_visible_posts()
         $data = json_decode($response->getBody()->getContents(), true)['data'];
 
         $ids = Arr::pluck($data, 'id');
-        $this->assertEqualsCanonicalizing(['2', '4'], $ids);
+        $this->assertEqualsCanonicalizing([], $ids);
     }
 
     #[Test]
diff --git a/extensions/flags/tests/integration/api/flags/ListWithTagsTest.php b/extensions/flags/tests/integration/api/flags/ListWithTagsTest.php
@@ -122,7 +122,7 @@ public function admin_can_see_one_flag_per_post()
     }
 
     #[Test]
-    public function regular_user_sees_own_flags()
+    public function regular_user_does_not_see_own_flags()
     {
         $response = $this->send(
             $this->request('GET', '/api/flags', [
@@ -135,7 +135,7 @@ public function regular_user_sees_own_flags()
         $data = json_decode($response->getBody()->getContents(), true)['data'];
 
         $ids = Arr::pluck($data, 'id');
-        $this->assertEqualsCanonicalizing(['2', '4'], $ids);
+        $this->assertEqualsCanonicalizing([], $ids);
     }
 
     #[Test]
diff --git a/extensions/flags/tests/integration/api/posts/IncludeFlagsVisibilityTest.php b/extensions/flags/tests/integration/api/posts/IncludeFlagsVisibilityTest.php
@@ -144,7 +144,7 @@ public static function listFlagsIncludesDataProvider(): array
             'user_with_general_permission_sees_where_unrestricted_tag' => [2, [6, 7, 8]],
             'user_with_tag1_permission_sees_tag1_flags' => [3, [1, 2, 3, 4, 5]],
             'normal_user_sees_none' => [4, []],
-            'normal_user_sees_own' => [5, [2, 7, 4, 8]],
+            'normal_user_does_not_see_own' => [5, []],
         ];
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -37,10 +37,8 @@ public function __invoke(User $actor, Builder $query): void`
`37`	`37`	`if ($actor->hasPermission('discussion.viewFlags')) {`
`38`	`38`	`$query->orWhereDoesntHave('post.discussion.tags');`
`39`	`39`	`}`
`40`		`- }`
`41`		`-`
`42`		`- if (! $actor->hasPermission('discussion.viewFlags')) {`
`43`		`- $query->orWhere('flags.user_id', $actor->id);`
	`40`	`+ } elseif (! $actor->hasPermission('discussion.viewFlags')) {`
	`41`	`+ $query->whereRaw('1 = 0');`
`44`	`42`	`}`
`45`	`43`	`});`
`46`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ public function admin_can_see_one_flag_per_visible_post()`
`96`	`96`	`}`
`97`	`97`
`98`	`98`	`#[Test]`
`99`		`- public function regular_user_sees_own_flags_of_visible_posts()`
	`99`	`+ public function regular_user_does_not_see_own_flags_of_visible_posts()`
`100`	`100`	`{`
`101`	`101`	`$response = $this->send(`
`102`	`102`	`$this->request('GET', '/api/flags', [`
`@@ -109,7 +109,7 @@ public function regular_user_sees_own_flags_of_visible_posts()`
`109`	`109`	`$data = json_decode($response->getBody()->getContents(), true)['data'];`
`110`	`110`
`111`	`111`	`$ids = Arr::pluck($data, 'id');`
`112`		`- $this->assertEqualsCanonicalizing(['2', '4'], $ids);`
	`112`	`+ $this->assertEqualsCanonicalizing([], $ids);`
`113`	`113`	`}`
`114`	`114`
`115`	`115`	`#[Test]`
Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ public function admin_can_see_one_flag_per_post()`
`122`	`122`	`}`
`123`	`123`
`124`	`124`	`#[Test]`
`125`		`- public function regular_user_sees_own_flags()`
	`125`	`+ public function regular_user_does_not_see_own_flags()`
`126`	`126`	`{`
`127`	`127`	`$response = $this->send(`
`128`	`128`	`$this->request('GET', '/api/flags', [`
`@@ -135,7 +135,7 @@ public function regular_user_sees_own_flags()`
`135`	`135`	`$data = json_decode($response->getBody()->getContents(), true)['data'];`
`136`	`136`
`137`	`137`	`$ids = Arr::pluck($data, 'id');`
`138`		`- $this->assertEqualsCanonicalizing(['2', '4'], $ids);`
	`138`	`+ $this->assertEqualsCanonicalizing([], $ids);`
`139`	`139`	`}`
`140`	`140`
`141`	`141`	`#[Test]`
Original file line number	Diff line number	Diff line change
`@@ -144,7 +144,7 @@ public static function listFlagsIncludesDataProvider(): array`
`144`	`144`	`'user_with_general_permission_sees_where_unrestricted_tag' => [2, [6, 7, 8]],`
`145`	`145`	`'user_with_tag1_permission_sees_tag1_flags' => [3, [1, 2, 3, 4, 5]],`
`146`	`146`	`'normal_user_sees_none' => [4, []],`
`147`		`- 'normal_user_sees_own' => [5, [2, 7, 4, 8]],`
	`147`	`+ 'normal_user_does_not_see_own' => [5, []],`
`148`	`148`	`];`
`149`	`149`	`}`
`150`	`150`	`}`