
fix #826: unapproved posts flag shown to non-moderators

Rafał Pitoń 8 лет назад
Родитель
Сommit
0a650d8e6a

+ 1 - 1
misago/templates/misago/threadslist/thread.html

@@ -40,7 +40,7 @@
           {% trans "Unapproved" %}
         </span>
       </span>
-    {% elif thread.has_unapproved_posts %}
+    {% elif thread.has_unapproved_posts and thread.acl.can_approve %}
       <span class="thread-detail-unapproved-posts">
         <span class="material-icon">
           remove_circle_outline
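Review bot: The permission test on the `{% elif %}` line is a second copy of the rule that the serializer in this commit also implements, so any other template or endpoint that reads `thread.has_unapproved_posts` still has to repeat it to avoid leaking moderation state. A short template comment next to the condition would make the intent visible to the next editor, for example `{# moderators only: this flag reveals pending moderation state (#826) #}`. If `thread.acl` is absent, the Django template lookup should resolve to a falsy value, so this branch fails closed, though that is inferred from template semantics rather than shown here. The enclosing `{% if %}` block starts and ends outside the hunk.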

+ 9 - 1
misago/threads/serializers/thread.py

@@ -26,6 +26,7 @@ class ThreadSerializer(serializers.ModelSerializer, MutableFields):
     category = BasicCategorySerializer(many=False, read_only=True)
 
     acl = serializers.SerializerMethodField()
+    has_unapproved_posts = serializers.SerializerMethodField()
     is_new = serializers.SerializerMethodField()
     is_read = serializers.SerializerMethodField()
     path = BasicCategorySerializer(many=True, read_only=True)
@@ -68,6 +69,14 @@ class ThreadSerializer(serializers.ModelSerializer, MutableFields):
         except AttributeError:
             return {}
 
+    def get_has_unapproved_posts(self, obj):
+        try:
+            acl = obj.acl
+        except AttributeError:
+            return False
+
+        return acl.get('can_approve') and obj.has_unapproved_posts
+
     def get_is_new(self, obj):
         try:
             return obj.is_new
@@ -139,7 +148,6 @@ class ThreadsListSerializer(ThreadSerializer):
     starter = serializers.SerializerMethodField()
     last_poster = serializers.SerializerMethodField()
 
-
     class Meta:
         model = Thread
         fields = ThreadSerializer.Meta.fields + [
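Review bot: `get_has_unapproved_posts` returns the left operand of `acl.get('can_approve') and obj.has_unapproved_posts` whenever that operand is falsy, so the field can serialize as `null` or `0` instead of `false` when the key is missing or stored as an integer. Coercing the result keeps the API contract a strict boolean: `return bool(acl.get('can_approve') and obj.has_unapproved_posts)`. The `except AttributeError: return False` path fails closed when no ACL was attached to the thread, which is the right default for a moderator-only flag. It deserves a one-line docstring such as `"""Expose the flag only when the requester's ACL allows approving posts."""`.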

+ 27 - 0
misago/threads/tests/test_threads_api.py

@@ -162,6 +162,33 @@ class ThreadRetrieveApiTests(ThreadsApiTestCase):
         response = self.client.get(self.tested_links[1])
         self.assertContains(response, unapproved_post.get_absolute_url())
 
+    def test_api_validates_has_unapproved_posts_visibility(self):
+        """api checks acl before exposing unapproved flag"""
+        self.thread.has_unapproved_posts = True
+        self.thread.save()
+
+        for link in self.tested_links:
+            self.override_acl()
+
+            response = self.client.get(link)
+            self.assertEqual(response.status_code, 200)
+
+            response_json = response.json()
+            self.assertEqual(response_json['id'], self.thread.pk)
+            self.assertEqual(response_json['title'], self.thread.title)
+            self.assertFalse(response_json['has_unapproved_posts'])
+
+        for link in self.tested_links:
+            self.override_acl({'can_approve_content': 1})
+
+            response = self.client.get(link)
+            self.assertEqual(response.status_code, 200)
+
+            response_json = response.json()
+            self.assertEqual(response_json['id'], self.thread.pk)
+            self.assertEqual(response_json['title'], self.thread.title)
+            self.assertTrue(response_json['has_unapproved_posts'])
+
 
 class ThreadsReadApiTests(ThreadsApiTestCase):
     def setUp(self):
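Review bot: `test_api_validates_has_unapproved_posts_visibility` only requests the links in `self.tested_links` of `ThreadRetrieveApiTests`. As far as this commit shows, neither the threads-list endpoint backed by `ThreadsListSerializer` nor the rendered `threadslist/thread.html` branch gets a regression test, although the flag leaked through both. The negative assertion is also loose: `assertFalse` passes on `None` or `0`, so it would not notice the field serializing as `null`. `self.assertIs(response_json['has_unapproved_posts'], False)` pins the type as well as the visibility, with the matching `assertIs(..., True)` in the moderator loop.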