From 7e11e1a76878ff9f23105824735a80b97e5fd07a Mon Sep 17 00:00:00 2001
From: Benjamin Schaaf
Date: Wed, 28 Aug 2024 01:00:13 +1000
Subject: [PATCH] Revert a change from 939039d51655cd05cc1fadaaec7ea910c804e351
---
 Gemfile | 3 ++
 Gemfile.lock | 5 ++
 lib/auth/permissions.rb | 6 +--
 .../forums/topics_controller_spec.rb | 50 +++++++++++++++++++
 4 files changed, 59 insertions(+), 5 deletions(-)
diff --git a/Gemfile b/Gemfile
index 70b59d3a..2eef1b3d 100644
--- a/Gemfile
+++ b/Gemfile
@@ -58,6 +58,9 @@ group :test do
 # Use rspec for tests
 gem 'rspec-rails', '~> 6'
+ # Extra functionality for rspec-rails
+ gem 'rails-controller-testing'
+
 # Parallelize tests
 gem 'parallel_tests'
diff --git a/Gemfile.lock b/Gemfile.lock
index 8f2163d8..a47cd9c3 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -341,6 +341,10 @@ GEM activesupport (= 7.1.3.3) bundler (>= 1.15.0) railties (= 7.1.3.3) + rails-controller-testing (1.0.5) + actionpack (>= 5.0.1.rc1) + actionview (>= 5.0.1.rc1) + activesupport (>= 5.0.1.rc1) rails-dom-testing (2.2.0) activesupport (>= 5.0.0) minitest
@@ -527,6 +531,7 @@ DEPENDENCIES parallel_tests pg (~> 1.0) rails (~> 7.1.0) + rails-controller-testing rails_best_practices rake (~> 12.0) redcarpet
diff --git a/lib/auth/permissions.rb b/lib/auth/permissions.rb
index ce7a066c..c995abea 100644
--- a/lib/auth/permissions.rb
+++ b/lib/auth/permissions.rb
@@ -55,11 +55,7 @@ def instance_map
 end
 def get_actions_relation(action_model, subject)
- if subject.is_a? ActiveRecord::Base
- action_model.where(actor_name => @instances, action_model.subject => subject.id)
- else
- action_model.where(actor_name => @instances)
- end
+ action_model.where(actor_name => @instances).for(subject)
 end
 end
 end
diff --git a/spec/controllers/forums/topics_controller_spec.rb b/spec/controllers/forums/topics_controller_spec.rb
index d8d586ae..b1d86c1a 100644
--- a/spec/controllers/forums/topics_controller_spec.rb
+++ b/spec/controllers/forums/topics_controller_spec.rb
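Review bot: In lib/auth/permissions.rb, `get_actions_relation` now depends entirely on the action model's `for(subject)` scope to narrow an actor's grants to a single subject, and nothing in the method records that this call is the authorization boundary. The removed `else` branch returned every action held by the actor whenever `subject` was not an `ActiveRecord::Base`, which is presumably how a grant on one topic came to apply to another. A comment above the new line would guard against the same simplification being made again, for example `# Always narrow by subject through the model's scope; an unscoped relation makes a grant on one record apply to every record.` The `for` scope is defined outside this diff, so it is worth confirming that a `nil` or class-level subject fails closed there rather than yielding the unscoped relation. The method is fully visible in the hunk, but its enclosing class begins outside it.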
@@ -131,6 +131,56 @@
 expect(response).to redirect_to(forums_path)
 end
 end
+
+ context 'hidden thread' do
+ let(:user2) { create(:user) }
+
+ let!(:hidden_thread) do
+ create(:forums_thread, topic: topic, title: 'Hidden Title', hidden: true, created_by: user2)
+ end
+ let!(:visible_thread) { create(:forums_thread, topic: topic, title: 'Visible Title') }
+
+ it 'is visible for managing user' do
+ user.grant(:manage, topic)
+ sign_in user
+
+ get :show, params: { id: topic.id }
+
+ expect(assigns(:threads)).to contain_exactly(hidden_thread, visible_thread)
+ end
+
+ it 'is visible for creating user' do
+ sign_in user2
+
+ get :show, params: { id: topic.id }
+
+ expect(assigns(:threads)).to contain_exactly(hidden_thread, visible_thread)
+ end
+
+ it 'is hidden for user with permissions to other topic' do
+ topic2 = create(:forums_topic)
+ user.grant(:manage, topic2)
+ sign_in user
+
+ get :show, params: { id: topic.id }
+
+ expect(assigns(:threads)).to eq([visible_thread])
+ end
+
+ it 'is hidden for other user' do
+ sign_in user
+
+ get :show, params: { id: topic.id }
+
+ expect(assigns(:threads)).to eq([visible_thread])
+ end
+
+ it 'is hidden for unauthenticated user' do
+ get :show, params: { id: topic.id }
+
+ expect(assigns(:threads)).to eq([visible_thread])
+ end
+ end
 end
 describe 'PATCH #toggle_subscription' do
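Review bot: The cross-subject permission leak is pinned only through `GET #show` on the topics controller, although the fix itself sits in the shared `lib/auth/permissions.rb`. A spec at the permissions level, asserting that after `user.grant(:manage, topic2)` the user holds no manage action for `topic`, would catch a recurrence for every caller of that code, not just this one action. Within the 'hidden thread' context the cross-topic example covers `:manage` alone, so any other action that gates hidden content is protected only if it goes through the same relation, which this diff does not show. As a smaller point of consistency, the three 'is hidden' examples could use `contain_exactly(visible_thread)` like the visible cases instead of `eq([visible_thread])`.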