SECURITY: Don't leak user of previous whisper post when deleting a topic.

A topic’s last poster can be incorrectly set to a user of a whisper post if the whisper post is before the last post and the last post is deleted.

diff --git a/lib/post_destroyer.rb b/lib/post_destroyer.rb
index 04d8c6d..496f7bb 100644
--- a/lib/post_destroyer.rb
+++ b/lib/post_destroyer.rb
@@ -258,6 +258,7 @@ class PostDestroyer
       .select(:created_at, :user_id, :post_number)
       .where("topic_id = ? and id <> ?", @post.topic_id, @post.id)
       .where.not(user_id: nil)
+      .where.not(post_type: Post.types[:whisper])
       .order('created_at desc')
       .limit(1)
       .first
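Review bot: The added `.where.not(post_type: Post.types[:whisper])` has no inline comment explaining why whispers are excluded here, and since the query also selects `:created_at` and `:post_number`, the exclusion presumably changes whatever is derived from those columns (last post time, highest post number) in addition to the last poster. A one-line comment such as `# whispers are not visible to regular users, so they must never become the topic's last post` above the new line would document the intent, and it is worth confirming that the other derived values are meant to skip whispers as well rather than only `last_post_user_id`.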
diff --git a/spec/components/post_destroyer_spec.rb b/spec/components/post_destroyer_spec.rb
index e9a005d..9cfc49b 100644
--- a/spec/components/post_destroyer_spec.rb
+++ b/spec/components/post_destroyer_spec.rb
@@ -616,6 +616,22 @@ describe PostDestroyer do
     end
   end
 
+  describe "deleting a post directly after a whisper" do
+    before do
+      SiteSetting.enable_whispers = true
+    end
+
+    it 'should not set Topic#last_post_user_id to a whisperer' do
+      post_1 = create_post(topic: post.topic, user: moderator)
+      whisper_1 = create_post(topic: post.topic, user: Fabricate(:user), post_type: Post.types[:whisper])
+      whisper_2 = create_post(topic: post.topic, user: Fabricate(:user), post_type: Post.types[:whisper])
+
+      PostDestroyer.new(admin, whisper_2).destroy
+
+      expect(post.topic.reload.last_post_user_id).to eq(post_1.user.id)
+    end
+  end
+
   context 'deleting the second post in a topic' do
 
     fab!(:user) { Fabricate(:user) }
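Review bot: The new spec only asserts on `last_post_user_id`; given that the production query also selects `:created_at`, an additional expectation that `post.topic.reload.last_posted_at` matches `post_1.created_at` (to the precision the column stores) would lock in the full behaviour of the fix. The scenario also deletes a whisper (`whisper_2`) as the last post; a second case where a regular post following `whisper_1` is the one destroyed would cover the situation the commit message describes, a regular last post deleted with a whisper directly before it.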

GitHub sha: 2923abdec7b0915cb00b471ca2c326e5cd975707

This commit appears in #13830 which was approved by ZogStriP. It was merged by tgxworld.