fix: #9484 show user history only to admins and gmods

3 years ago · bc7707aa88
parent 20e76699a2
commit bc7707aa88
4 changed files with 66 additions and 5 deletions
--- a/public/openapi/components/schemas/FlagObject.yaml
+++ b/public/openapi/components/schemas/FlagObject.yaml
@ -76,6 +76,7 @@ FlagHistoryObject:
  properties:
    history:
      type: array
+      nullable: true
      items:
        type: object
        properties:
--- a/src/controllers/mods.js
+++ b/src/controllers/mods.js
@ -117,6 +117,8 @@ modsController.flags.detail = async function (req, res, next) {
 		return next(); // 404
 	}

+	results.flagData.history = results.isAdminOrGlobalMod ? (await flags.getHistory(req.params.flagId)) : null;
+
 	if (results.flagData.type === 'user') {
 		results.flagData.type_path = 'uid';
 	} else if (results.flagData.type === 'post') {
--- a/src/flags.js
+++ b/src/flags.js
@ -93,9 +93,8 @@ Flags.init = async function () {
 };

 Flags.get = async function (flagId) {
-	const [base, history, notes, reports] = await Promise.all([
+	const [base, notes, reports] = await Promise.all([
 		db.getObject(`flag:${flagId}`),
-		Flags.getHistory(flagId),
 		Flags.getNotes(flagId),
 		Flags.getReports(flagId),
 	]);
@ -109,9 +108,8 @@ Flags.get = async function (flagId) {
 		datetimeISO: utils.toISOString(base.datetime),
 		target_readable: `${base.type.charAt(0).toUpperCase() + base.type.slice(1)} ${base.targetId}`,
 		target: await Flags.getTarget(base.type, base.targetId, 0),
-		history: history,
-		notes: notes,
-		reports: reports,
+		notes,
+		reports,
 	};

 	const data = await plugins.hooks.fire('filter:flags.get', {
--- a/test/flags.js
+++ b/test/flags.js
@ -24,6 +24,9 @@ describe('Flags', () => {
 	let uid1;
 	let adminUid;
 	let uid3;
+	let moderatorUid;
+	let jar;
+	let csrfToken;
 	let category;
 	before(async () => {
 		// Create some stuff to flag
@ -45,6 +48,15 @@ describe('Flags', () => {
 		uid3 = await User.create({
 			username: 'unprivileged', password: 'abcdef', email: 'd@e.com',
 		});
+
+		moderatorUid = await User.create({
+			username: 'moderator', password: 'abcdef',
+		});
+		await Privileges.categories.give(['moderate'], category.cid, [moderatorUid]);
+
+		const login = await helpers.loginUser('moderator', 'abcdef');
+		jar = login.jar;
+		csrfToken = login.csrf_token;
 	});

 	describe('.create()', () => {
@ -141,6 +153,54 @@ describe('Flags', () => {
 				done();
 			});
 		});
+
+		it('should show user history for admins', async () => {
+			await Groups.join('administrators', moderatorUid);
+			const flagData = await request({
+				uri: `${nconf.get('url')}/api/flags/1`,
+				jar,
+				headers: {
+					'x-csrf-token': csrfToken,
+				},
+				json: true,
+			});
+
+			assert(flagData.history);
+			assert(Array.isArray(flagData.history));
+
+			await Groups.leave('administrators', moderatorUid);
+		});
+
+		it('should show user history for global moderators', async () => {
+			await Groups.join('Global Moderators', moderatorUid);
+			const flagData = await request({
+				uri: `${nconf.get('url')}/api/flags/1`,
+				jar,
+				headers: {
+					'x-csrf-token': csrfToken,
+				},
+				json: true,
+			});
+
+			assert(flagData.history);
+			assert(Array.isArray(flagData.history));
+
+			await Groups.leave('Global Moderators', moderatorUid);
+		});
+
+		it('should NOT show user history for regular moderators', async () => {
+			const flagData = await request({
+				uri: `${nconf.get('url')}/api/flags/1`,
+				jar,
+				headers: {
+					'x-csrf-token': csrfToken,
+				},
+				json: true,
+			});
+
+			assert(flagData.hasOwnProperty('history'));
+			assert(flagData.history === null);
+		});
 	});

 	describe('.list()', () => {