\XF\ControllerPlugin\Reaction::actionReactions


[php]
$reactionsFinder = $reactionRepo->findContentReactions($contentType, $contentId, $reactionId)
    ->limitByPage($page, $perPage, 1);

$reactions = $reactionsFinder->fetch();

if (!count($reactions))
{
    return $this->message(\XF::phrase('no_one_has_reacted_to_this_content_yet'));
}

$hasNext = count($reactions) > $perPage;
$reactions = $reactions->slice(0, $perPage);

$tabSummary = $reactionRepo->getContentTabSummary($contentType, $contentId);

$viewParams = [
    [...]
    'reactions' => $reactions,
[/php]


This code fetches the reactions and passes them through to the view without checking canView on the entity.

So if this method is modified by a class extension it won't have any effect here, effectively displaying reactions that probably should not be viewable.


It would be great if this could be modified so canView does get checked, maybe similar to what is done in XF\Pub\Controller\Account:

[php]
$reactions = $reactions->filter(function(\XF\Entity\ReactionContent $reaction)
{
    return $reaction->canView() && $reaction->isRenderable();
});
[/php]
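
An added example, not part of the original post and not XenForo code: a stand-alone PHP 8 model of the listing above, run once without and once with the proposed canView/isRenderable filter. `ReactionStub`, `pageOfReactions` and the sample data are hypothetical, and placing the filter after the slice is an assumption of this example.

```php
<?php
// Stand-alone model, not XenForo code. ReactionStub is a hypothetical
// stand-in for \XF\Entity\ReactionContent.
final class ReactionStub
{
    public function __construct(
        public int $id,
        public bool $viewable,          // what an extended canView() would return
        public bool $renderable = true
    ) {}

    public function canView(): bool { return $this->viewable; }
    public function isRenderable(): bool { return $this->renderable; }
}

// Same shape as the quoted controller code: fetch $perPage + 1 rows, then slice.
function pageOfReactions(array $all, int $page, int $perPage, bool $checkView): array
{
    // Models limitByPage($page, $perPage, 1): one extra row as a look-ahead
    $rows = array_slice($all, ($page - 1) * $perPage, $perPage + 1);
    $hasNext = count($rows) > $perPage;
    $rows = array_slice($rows, 0, $perPage);

    if ($checkView) {
        // The filter proposed in the post, applied to the rows of this page
        $rows = array_values(array_filter(
            $rows,
            fn(ReactionStub $r) => $r->canView() && $r->isRenderable()
        ));
    }

    return ['ids' => array_map(fn(ReactionStub $r) => $r->id, $rows), 'hasNext' => $hasNext];
}

// Constructed sample: five reactions, ids 2 and 3 hidden by an extended canView()
$all = [
    new ReactionStub(1, true), new ReactionStub(2, false), new ReactionStub(3, false),
    new ReactionStub(4, true), new ReactionStub(5, true),
];

foreach ([false, true] as $checkView) {
    $result = pageOfReactions($all, 1, 3, $checkView);
    printf("checkView=%s ids=[%s] hasNext=%s\n", $checkView ? 'yes' : 'no',
        implode(',', $result['ids']), $result['hasNext'] ? 'yes' : 'no');
}
```

With the filter applied after the fetch, a page can hold fewer than `$perPage` entries, because hidden rows are dropped from a page that was already cut to size.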

