From 2737280fa498ddb468cdb433d39d8f7bb3e3fd56 Mon Sep 17 00:00:00 2001
From: cmrd Senya <senya@riseup.net>
Date: Mon, 25 Apr 2016 17:39:01 +0000
Subject: [PATCH] Don't include wrong shareable types in scopes

---
 lib/diaspora/shareable.rb           |  7 ++++---
 spec/lib/diaspora/shareable_spec.rb | 25 +++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/lib/diaspora/shareable.rb b/lib/diaspora/shareable.rb
index a4c58ed86..28efb8a84 100644
--- a/lib/diaspora/shareable.rb
+++ b/lib/diaspora/shareable.rb
@@ -21,11 +21,13 @@ module Diaspora
         scope :all_public, -> { where(public: true, pending: false) }
 
         scope :with_visibility, -> {
-          joins("LEFT OUTER JOIN share_visibilities ON share_visibilities.shareable_id = #{table_name}.id")
+          joins("LEFT OUTER JOIN share_visibilities ON share_visibilities.shareable_id = #{table_name}.id AND "\
+            "share_visibilities.shareable_type = '#{base_class}'")
         }
 
         scope :with_aspects, -> {
-          joins("LEFT OUTER JOIN aspect_visibilities ON aspect_visibilities.shareable_id = #{table_name}.id")
+          joins("LEFT OUTER JOIN aspect_visibilities ON aspect_visibilities.shareable_id = #{table_name}.id AND "\
+          " aspect_visibilities.shareable_type = '#{base_class}'")
         }
 
         def self.owned_or_visible_by_user(user)
@@ -57,7 +59,6 @@ module Diaspora
 
         def self.visible_by_user(user)
           ShareVisibility.arel_table[:user_id].eq(user.id)
-            .and(ShareVisibility.arel_table[:shareable_type].eq(base_class.to_s))
         end
         private_class_method :visible_by_user
       end
diff --git a/spec/lib/diaspora/shareable_spec.rb b/spec/lib/diaspora/shareable_spec.rb
index b98434106..29e4c0503 100644
--- a/spec/lib/diaspora/shareable_spec.rb
+++ b/spec/lib/diaspora/shareable_spec.rb
@@ -17,5 +17,30 @@ describe Diaspora::Shareable do
         expect(Post.all_public.map(&:id)).to eq([])
       end
     end
+
+    context "having multiple objects with equal db IDs" do
+      before do
+        # Determine the next database key ID, free on both Photo and StatusMessage
+        id = [Photo, StatusMessage].map {|model| model.maximum(:id).try(:next).to_i }.push(1).max
+
+        alice.post(:status_message, id: id, text: "I'm #{alice.username}", to: alice.aspects.first.id, public: false)
+        alice.post(:photo, id: id, user_file: uploaded_photo, to: alice.aspects.first.id, public: false)
+        expect(StatusMessage.where(id: id)).to exist
+        expect(Photo.where(id: id)).to exist
+      end
+
+      {with_visibility: ShareVisibility, with_aspects: AspectVisibility}.each do |method, visibility_class|
+        describe ".#{method}" do
+          it "includes only object of a right type" do
+            [Photo, Post].each do |klass|
+              expect(klass.send(method).where(visibility_class.arel_table[:shareable_type].eq(klass.to_s)).count)
+                .not_to eq(0)
+              expect(klass.send(method).where.not(visibility_class.arel_table[:shareable_type].eq(klass.to_s)).count)
+                .to eq(0)
+            end
+          end
+        end
+      end
+    end
   end
 end