discourse/plugins/discourse-reactions/test/javascripts
small-lovely-cat 94e38a8dc7
FIX: reactions shouldn't be visible to users without see_hidden_post permission if a post is hidden (#40216)
The backend
`/discourse-reactions/app/controllers/discourse_reactions/custom_reactions_controller.rb`
uses `guardian.ensure_can_see!(post)` to restrict users without
permission from loading the reactions when a post is hidden.

However, the frontend still renders the reaction affordances. When a
user without `see_hidden_post` permission clicks the reaction counter of
a hidden post, there's an infinite loading state with a 403 forbidden on
`/discourse-reactions/posts/xxx/reactions-users-list.json`. The
reaction/like button has the same problem — toggling a reaction there
hits the same 403 boundary.
 
This adds a matching guard on the frontend, hiding both the reaction
counter and the reaction button when `post.hidden &&
!post.can_see_hidden_post`. The check is extracted into a shared helper
used by both entry points, and the button keeps its `shouldRender` in
sync with the core like button's decision so it still behaves correctly
in the cases it replaces (e.g. deleted posts).



Before:
<img width="1918" height="917" alt="image"
src="https://github.com/user-attachments/assets/cf5ed458-b9ab-4365-a9ea-43d2a4737df8"
/>

<img width="1917" height="922" alt="image"
src="https://github.com/user-attachments/assets/87c39f7f-5b8b-4555-a877-fe74714e16ca"
/>

After:
<img width="1918" height="921" alt="image"
src="https://github.com/user-attachments/assets/ed6765b6-091a-45b0-af1b-a5b749d08fe1"
/>

---------

Co-authored-by: awesomerobot <kris.aubuchon@discourse.org>
2026-06-08 11:29:35 -04:00
acceptance FIX: reactions shouldn't be visible to users without see_hidden_post permission if a post is hidden (#40216) 2026-06-08 11:29:35 -04:00
fixtures