
Don't show posts and topics that the viewing user has no access to. Fixes #277

Peter Justin 8 years ago
parent
commit
89fccb329f
2 changed files with 33 additions and 13 deletions
  1. 31 11
      flaskbb/user/models.py
  2. 2 2
      flaskbb/user/views.py

+ 31 - 11
flaskbb/user/models.py

@@ -17,7 +17,7 @@ from flaskbb.exceptions import AuthenticationError
 from flaskbb.utils.helpers import time_utcnow
 from flaskbb.utils.settings import flaskbb_config
 from flaskbb.utils.database import CRUDMixin, UTCDateTime
-from flaskbb.forum.models import (Post, Topic, topictracker, TopicsRead,
+from flaskbb.forum.models import (Post, Topic, Forum, topictracker, TopicsRead,
                                   ForumsRead)
 from flaskbb.message.models import Conversation
 
@@ -269,20 +269,40 @@ class User(db.Model, UserMixin, CRUDMixin):
         self.save()
         return self
 
-    def all_topics(self, page):
-        """Returns a paginated result with all topics the user has created."""
-        return Topic.query.\
+    def all_topics(self, page, viewer):
+        """Returns a paginated result with all topics the user has created.
+
+        :param page: The page which should be displayed.
+        :param viewer: The user who is viewing this user. It will return a
+                       list with topics that the *viewer* has access to and
+                       thus it will not display all topics from
+                       the requested user.
+        """
+        group_ids = [g.id for g in viewer.groups]
+        topics = Topic.query.\
             filter(Topic.user_id == self.id,
-                   Topic.id == Post.topic_id).\
-            order_by(Post.id.desc()).\
+                   Forum.id == Topic.forum_id,
+                   Forum.groups.any(Group.id.in_(group_ids))).\
             paginate(page, flaskbb_config['TOPICS_PER_PAGE'], False)
+        return topics
 
-    def all_posts(self, page):
-        """Returns a paginated result with all posts the user has created."""
-        return Post.query.\
-            filter(Post.user_id == self.id).\
-            order_by(Post.id.desc()).\
+    def all_posts(self, page, viewer):
+        """Returns a paginated result with all posts the user has created.
+
+        :param page: The page which should be displayed.
+        :param viewer: The user who is viewing this user. It will return a
+                       list with posts that the *viewer* has access to and
+                       thus it will not display all posts from
+                       the requested user.
+        """
+        group_ids = [g.id for g in viewer.groups]
+        posts = Post.query.\
+            filter(Post.user_id == self.id,
+                   Post.topic_id == Topic.id,
+                   Topic.forum_id == Forum.id,
+                   Forum.groups.any(Group.id.in_(group_ids))).\
             paginate(page, flaskbb_config['TOPICS_PER_PAGE'], False)
+        return posts
 
     def track_topic(self, topic):
         """Tracks the specified topic.
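Review bot: Both rewritten queries drop the `order_by` the old code had, so `paginate()` now slices an unordered result set and consecutive pages can overlap or skip rows; add `order_by(Topic.id.desc())` before `paginate` in `all_topics` and `order_by(Post.id.desc())` in `all_posts`. The new filter `Forum.groups.any(Group.id.in_(group_ids))` references `Group`, which the import change in this commit does not add, so it has to be defined or imported elsewhere in this module — worth confirming before merge. The check itself fails closed for a viewer with no groups (an empty `in_()` should match no forum), which is the right default, but it presumes `Forum.groups` is the list of groups permitted to read a forum; the duplicated two-line group lookup would be easier to keep in sync as one private helper, or at least with a comment such as `# keep only forums whose group ACL contains one of the viewer's groups` in each method.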

+ 2 - 2
flaskbb/user/views.py

@@ -35,7 +35,7 @@ def profile(username):
 def view_all_topics(username):
     page = request.args.get("page", 1, type=int)
     user = User.query.filter_by(username=username).first_or_404()
-    topics = user.all_topics(page)
+    topics = user.all_topics(page, current_user)
     return render_template("user/all_topics.html", user=user, topics=topics)
 
 
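Review bot: `current_user` is passed to `all_topics` with no authentication check, so for a logged-out visitor the model will evaluate `viewer.groups` on the anonymous-user object; that is only safe if that class exposes a `groups` attribute, which is not visible in this diff. If it does not, viewing a profile while logged out raises an AttributeError instead of hiding restricted topics. Either confirm the anonymous user class provides `groups`, or note the assumption at the call site, e.g. `# current_user may be the anonymous user; it must expose .groups for the access filter`. The route decorator for `view_all_topics` sits above this hunk.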
@@ -43,7 +43,7 @@ def view_all_topics(username):
 def view_all_posts(username):
     page = request.args.get("page", 1, type=int)
     user = User.query.filter_by(username=username).first_or_404()
-    posts = user.all_posts(page)
+    posts = user.all_posts(page, current_user)
     return render_template("user/all_posts.html", user=user, posts=posts)