From 9534969c050054cac3a9a19311cbef23d84fda54 Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth <mmn@hethane.se>
Date: Wed, 2 Mar 2016 12:18:16 +0100
Subject: [PATCH] Don't set is_local=LOCAL_NONPUBLIC on sandboxed user notices

Let's decide whether they are nonpublic by testing them when the notice
is shown instead.
---
 classes/Notice.php            | 17 +++++++----------
 lib/filteringnoticestream.php |  3 +++
 lib/moderatednoticestream.php |  7 +++++--
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/classes/Notice.php b/classes/Notice.php
index fcc544e2ea..f8bdbcd340 100644
--- a/classes/Notice.php
+++ b/classes/Notice.php
@@ -508,11 +508,7 @@ class Notice extends Managed_DataObject
         $notice->profile_id = $profile_id;
 
         $autosource = common_config('public', 'autosource');
-
-        // Sandboxed are non-false, but not 1, either
-
-        if (!$profile->hasRight(Right::PUBLICNOTICE) ||
-            ($source && $autosource && in_array($source, $autosource))) {
+        if ($source && $autosource && in_array($source, $autosource)) {
             $notice->is_local = Notice::LOCAL_NONPUBLIC;
         } else {
             $notice->is_local = $is_local;
@@ -822,12 +818,13 @@ class Notice extends Managed_DataObject
             }
         }
 
-        $autosource = common_config('public', 'autosource');
+        // NOTE: Sandboxed users previously got all the notices _during_
+        // sandbox period set to to is_local=Notice::LOCAL_NONPUBLIC here.
+        // Since then we have started just filtering _when_ it gets shown
+        // instead of creating a mixed jumble of differently scoped notices.
 
-        // Sandboxed are non-false, but not 1, either
-        if (!$actor->hasRight(Right::PUBLICNOTICE) ||
-                ($source && $autosource && in_array($source, $autosource))) {
-            // FIXME: ...what about remote nonpublic? Hmmm. That is, if we sandbox remote profiles...
+        $autosource = common_config('public', 'autosource');
+        if ($source && $autosource && in_array($source, $autosource)) {
             $stored->is_local = Notice::LOCAL_NONPUBLIC;
         } else {
             $stored->is_local = intval($is_local);
diff --git a/lib/filteringnoticestream.php b/lib/filteringnoticestream.php
index 979305ad39..c1edfc6387 100644
--- a/lib/filteringnoticestream.php
+++ b/lib/filteringnoticestream.php
@@ -54,6 +54,9 @@ abstract class FilteringNoticeStream extends NoticeStream
         $this->upstream = $upstream;
     }
 
+    /**
+     * @return boolean  true if we allow it, false if we deny it
+     */
     abstract protected function filter(Notice $notice);
 
     function getNoticeIds($offset, $limit, $since_id, $max_id)
diff --git a/lib/moderatednoticestream.php b/lib/moderatednoticestream.php
index 3c778d8a2c..f984256acc 100644
--- a/lib/moderatednoticestream.php
+++ b/lib/moderatednoticestream.php
@@ -28,8 +28,11 @@ class ModeratedNoticeStream extends ScopingNoticeStream
 
         // If the notice author is sandboxed
         if ($notice->getProfile()->isSandboxed()) {
-            // and we're either not logged in OR we aren't some kind of privileged user that can see spam etc.
-            if (!$this->scoped instanceof Profile || !$this->scoped->hasRight(Right::REVIEWSPAM)) {
+            if (!$this->scoped instanceof Profile) {
+                // Non-logged in users don't get to see posts by sandboxed users
+                return false;
+            } elseif (!$notice->getProfile()->sameAs($this->scoped) && !$this->scoped->hasRight(Right::REVIEWSPAM)) {
+                // And if we are logged in, deny if scoped user is neither the author nor has the right to review spam
                 return false;
             }
         }