Don't show hidden notes to non-moderators in the user notes list

Fixes #921

app/controllers/notes_controller.rb

@@ -283,7 +283,9 @@ class NotesController < ApplicationController
         @description = t "note.mine.subheading", :user => render_to_string(:partial => "user", :object => @this_user)
         @page = (params[:page] || 1).to_i
         @page_size = 10
-        @notes = @this_user.notes.order("updated_at DESC, id").uniq.offset((@page - 1) * @page_size).limit(@page_size).preload(:comments => :author).to_a
+        @notes = @this_user.notes
+        @notes = @notes.visible unless @user && @user.moderator?
+        @notes = @notes.order("updated_at DESC, id").uniq.offset((@page - 1) * @page_size).limit(@page_size).preload(:comments => :author).to_a
       else
         @title = t "user.no_such_user.title"
         @not_found_user = params[:display_name]

test/controllers/notes_controller_test.rb

@@ -872,9 +872,24 @@ class NotesControllerTest < ActionController::TestCase
   def test_mine_success
     get :mine, :display_name => "test"
     assert_response :success
+    assert_select "table.note_list tr", :count => 2
 
     get :mine, :display_name => "pulibc_test2"
     assert_response :success
+    assert_select "table.note_list tr", :count => 3
+
+    get :mine, :display_name => "non-existent"
+    assert_response :not_found
+
+    session[:user] = users(:moderator_user).id
+
+    get :mine, :display_name => "test"
+    assert_response :success
+    assert_select "table.note_list tr", :count => 2
+
+    get :mine, :display_name => "pulibc_test2"
+    assert_response :success
+    assert_select "table.note_list tr", :count => 4
 
     get :mine, :display_name => "non-existent"
     assert_response :not_found

test/fixtures/note_comments.yml

@@ -113,3 +113,12 @@ t13:
   event: closed
   created_at: 2007-03-01 00:00:00
   author_id: 4
+
+t14:
+  id: 14
+  note_id: 8
+  visible: true
+  event: commented
+  created_at: 2007-02-01 00:00:00
+  author_id: 4
+  body: 'A comment description'

test/fixtures/notes.yml

@@ -65,3 +65,49 @@ note_closed_by_user:
   created_at: 2007-01-01 00:00:00
   updated_at: 2007-03-01 00:00:00
   closed_at:  2007-03-01 00:00:00
+
+hidden_note_with_comment:
+  id: 4
+  latitude: <%= 1.3*SCALE %>
+  longitude: <%= 1.3*SCALE %>
+  status: hidden
+  tile: <%= QuadTile.tile_for_point(1.3,1.3) %>
+  created_at: 2007-01-01 00:00:00
+  updated_at: 2007-03-01 00:00:00
+
+note_with_hidden_comment:
+  id: 5
+  latitude: <%= 1.4*SCALE %>
+  longitude: <%= 1.4*SCALE %>
+  status: open
+  tile: <%= QuadTile.tile_for_point(1.4,1.4) %>
+  created_at: 2007-01-01 00:00:00
+  updated_at: 2007-03-01 00:00:00
+
+note_with_comments_by_users:
+  id: 6
+  latitude: <%= 1.5*SCALE %>
+  longitude: <%= 1.5*SCALE %>
+  status: open
+  tile: <%= QuadTile.tile_for_point(1.5,1.5) %>
+  created_at: 2007-01-01 00:00:00
+  updated_at: 2007-03-01 00:00:00
+
+note_closed_by_user:
+  id: 7
+  latitude: <%= 1.6*SCALE %>
+  longitude: <%= 1.6*SCALE %>
+  status: closed
+  tile: <%= QuadTile.tile_for_point(1.6,1.6) %>
+  created_at: 2007-01-01 00:00:00
+  updated_at: 2007-03-01 00:00:00
+  closed_at:  2007-03-01 00:00:00
+
+hidden_note_with_comment_by_user:
+  id: 8
+  latitude: <%= 1.3*SCALE %>
+  longitude: <%= 1.3*SCALE %>
+  status: hidden
+  tile: <%= QuadTile.tile_for_point(1.3,1.3) %>
+  created_at: 2007-01-01 00:00:00
+  updated_at: 2007-03-01 00:00:00