From 26f25fc0d98c19c7f2742ec2973d236442acb960 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Mon, 30 May 2016 19:48:46 +0200
Subject: [PATCH] FIX: most liked queries were leaking info in user summaries
---
 app/models/topic.rb | 2 +-
 app/models/user_summary.rb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/models/topic.rb b/app/models/topic.rb
index 5694d3c0c0..6a568f549b 100644
--- a/app/models/topic.rb
+++ b/app/models/topic.rb
@@ -129,7 +129,7 @@ class Topic < ActiveRecord::Base
 # Return private message topics
 scope :private_messages, -> { where(archetype: Archetype.private_message) }
- scope :listable_topics, -> { where('topics.archetype <> ?', [Archetype.private_message]) }
+ scope :listable_topics, -> { where('topics.archetype <> ?', Archetype.private_message) }
 scope :by_newest, -> { order('topics.created_at desc, topics.id desc') }
diff --git a/app/models/user_summary.rb b/app/models/user_summary.rb
index dd14be6e29..abfc9b8f51 100644
--- a/app/models/user_summary.rb
+++ b/app/models/user_summary.rb
@@ -53,7 +53,7 @@ class UserSummary
 def most_liked_by_users
 likers = {}
 UserAction.joins(:target_topic, :target_post)
- .where('topics.archetype <> ?', Archetype.private_message)
+ .merge(Topic.listable_topics.visible.secured(@guardian))
 .where(user: @user)
 .where(action_type: UserAction::WAS_LIKED)
 .group(:acting_user_id)
@@ -78,7 +78,7 @@ class UserSummary
 def most_liked_users
 liked_users = {}
 UserAction.joins(:target_topic, :target_post)
- .where('topics.archetype <> ?', Archetype.private_message)
+ .merge(Topic.listable_topics.visible.secured(@guardian))
 .where(action_type: UserAction::WAS_LIKED)
 .where(acting_user_id: @user.id)
 .group(:user_id)
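Review bot: The `listable_topics` scope changed in this hunk carries no comment, unlike `private_messages` just above it, yet this commit makes `UserSummary` merge it as the first link of a visibility filter. On its own it only excludes the private-message archetype, so a line above it such as `# Excludes private messages only; chain .visible.secured(guardian) before showing results to other users` would stop a later caller from treating it as an access check.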
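Review bot: The merged filter in `most_liked_by_users` constrains the topic only, while the query also joins `:target_post`, and the same applies to the identical line in `most_liked_users` in the next hunk. Nothing visible limits post-level state, so a like on a post the viewer cannot see inside an otherwise visible topic may still be counted; this depends on scopes defined outside the patch and should be confirmed. Until then a comment above the merge such as `# filters on topic visibility only; post-level visibility is not checked here` would record the limit. The diffstat lists only the two model files, so a spec asserting that a like in a topic the guardian cannot see is absent from both lists would pin the fix. Both method bodies continue past their hunks.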