From b96651fa702a83653e1d21c9dc1ac15fae3da0d3 Mon Sep 17 00:00:00 2001
From: Andreas Nedbal <git@pixelde.su>
Date: Thu, 25 Jan 2024 21:48:49 +0100
Subject: [PATCH] Disallow `author` and `anonymous` inbox filter combination

---
 app/models/inbox_filter.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/app/models/inbox_filter.rb b/app/models/inbox_filter.rb
index 1acd21a2a..bf213d9d9 100644
--- a/app/models/inbox_filter.rb
+++ b/app/models/inbox_filter.rb
@@ -10,6 +10,10 @@ class InboxFilter
     anonymous
   ].freeze
 
+  FORBIDDEN_PARAM_GROUPS = [
+    %i[author anonymous]
+  ].freeze
+
   attr_reader :params, :user
 
   def initialize(user, params)
@@ -18,6 +22,8 @@ def initialize(user, params)
   end
 
   def results
+    return Inbox.none unless valid_params?
+
     scope = @user.inboxes
                  .includes(:question, user: :profile)
                  .order(:created_at)
@@ -32,6 +38,10 @@ def results
 
   private
 
+  def valid_params?
+    FORBIDDEN_PARAM_GROUPS.none? { |combination| combination.all? { |key| params.key?(key) } }
+  end
+
   def scope_for(key, value)
     case key.to_s
     when "author"