SECURITY: Unread post notifications should respect whispers

eviltrout · eviltrout · commit c72f0160dee0 · 2015-10-19T16:32:55.000-04:00
diff --git a/app/services/post_alerter.rb b/app/services/post_alerter.rb
@@ -51,7 +51,8 @@ def after_save_post(post)
   end
 
   def unread_posts(user, topic)
-    Post.where('post_number > COALESCE((
+    Post.secured(Guardian.new(user))
+        .where('post_number > COALESCE((
                SELECT last_read_post_number FROM topic_users tu
                WHERE tu.user_id = ? AND tu.topic_id = ? ),0)',
                 user.id, topic.id)
diff --git a/spec/services/post_alerter_spec.rb b/spec/services/post_alerter_spec.rb
@@ -9,6 +9,20 @@ def create_post_with_alerts(args={})
     PostAlerter.post_created(post)
   end
 
+  context "unread" do
+    it "does not return whispers as unread posts" do
+      op = Fabricate(:post)
+      whisper = Fabricate(:post, raw: 'this is a whisper post',
+                                 user: Fabricate(:admin),
+                                 topic: op.topic,
+                                 reply_to_post_number: op.post_number,
+                                 post_type: Post.types[:whisper])
+
+
+      expect(PostAlerter.new.first_unread_post(op.user, op.topic)).to be_blank
+    end
+  end
+
   context 'likes' do
     it 'does not double notify users on likes' do
       ActiveRecord::Base.observers.enable :all
