Merge remote-tracking branch 'AbhinavOhri/moderator'

metabrainz · Apr 6, 2022 · ca0b2a3 · ca0b2a3
2 parents deef11c + 05d9f82
commit ca0b2a3
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/critiquebrainz/frontend/views/review.py b/critiquebrainz/frontend/views/review.py
@@ -96,11 +96,18 @@ def entity(id, rev=None):
     if review["is_draft"] and not (current_user.is_authenticated and
                                    current_user == review["user"]):
         raise NotFound(gettext("Can't find a review with the specified ID."))
+
     if review["is_hidden"]:
-        if not current_user.is_admin():
+        # show review to admin users with a warning that it is hidden
+        if current_user.is_admin():
+            flash.warn(gettext("Review has been hidden."))
+        elif current_user.is_authenticated and current_user == review["user"]:
+            # show to the author of the review that it was hidden but not the actual review
             raise Forbidden(gettext("Review has been hidden. "
                                     "You need to be an administrator to view it."))
-        flash.warn(gettext("Review has been hidden."))
+        else:
+            # for all other users, return a 404 as if the review didn't exist
+            raise NotFound(gettext("Can't find a review with ID: %(review_id)s!", review_id=id))
 
     spotify_mappings = None
     soundcloud_url = None
@@ -520,7 +527,6 @@ def hide(id):
         review_reports, count = db_spam_report.list_reports(review_id=review["id"])  # pylint: disable=unused-variable
         for report in review_reports:
             db_spam_report.archive(report["user_id"], report["revision_id"])
-        flash.success(gettext("Review has been hidden."))
         return redirect(url_for('.entity', id=review["id"]))
 
     return render_template('log/action.html', review=review, form=form, action=AdminActions.ACTION_HIDE_REVIEW.value)

diff --git a/critiquebrainz/frontend/views/test/test_review.py b/critiquebrainz/frontend/views/test/test_review.py
@@ -277,6 +277,30 @@ def test_hide_unhide(self, is_user_admin):
         review = db_review.get_by_id(review["id"])
         self.assertEqual(review["is_hidden"], True)
 
+        # check that on opening the review directly hidden message is flashed
+        response = self.client.get("/review/{}".format(review["id"]))
+        self.assert200(response)
+        self.assertIn("Review has been hidden.", str(response.data))
+
+        # make self.hacker as current user
+        self.temporary_login(self.hacker)
+        is_user_admin.return_value = False
+
+        # check that hidden review is not visible to other non-admin users
+        response = self.client.get("/review/{}".format(review["id"]))
+        self.assert404(response)
+
+        # make self.user as current user
+        self.temporary_login(self.user)
+
+        # check that error is shown to the user if they try to view their hidden reviews
+        response = self.client.get("/review/{}".format(review["id"]))
+        self.assert403(response)
+        self.assertIn("Review has been hidden.", str(response.data))
+
+        self.temporary_login(self.hacker)
+        is_user_admin.return_value = True
+
         # hiding already hidden review flashes message
         response = self.client.post(
             "review/{}/hide".format(review["id"]),