Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/spec/lib/guardian_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

3953 lines
136 KiB
Ruby
Raw Normal View History

DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction
2019-04-29 20:27:42 -04:00
# frozen_string_literal: true
Initial release of Discourse
2013-02-05 14:16:51 -05:00
require 'guardian'
describe Guardian do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:user) { Fabricate(:user) }
Brought prefabrication of another_user to the top level
2019-05-06 06:16:39 -04:00
fab!(:another_user) { Fabricate(:user) }
PERF: Make tests faster by prefabricating more things (#15370)
2021-12-20 13:59:10 -05:00
fab!(:member) { Fabricate(:user) }
fab!(:owner) { Fabricate(:user) }
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:moderator) { Fabricate(:moderator) }
fab!(:admin) { Fabricate(:admin) }
fab!(:anonymous_user) { Fabricate(:anonymous) }
Prefabricate staff_post at the top level
2019-05-06 09:05:53 -04:00
fab!(:staff_post) { Fabricate(:post, user: moderator) }
Prefabricate group at the top level
2019-05-06 09:11:28 -04:00
fab!(:group) { Fabricate(:group) }
fab!(:another_group) { Fabricate(:group) }
Moved automatic_group fabrication to top level
2019-05-06 09:13:28 -04:00
fab!(:automatic_group) { Fabricate(:group, automatic: true) }
Prefabricate category
2019-05-07 04:37:42 -04:00
fab!(:plain_category) { Fabricate(:category) }
Prefabricate staff_post at the top level
2019-05-06 09:05:53 -04:00
FIX: ignore min_trust_to_send_messages when messaging groups (#8104) This means that TL0 users can message groups with "Who can message this group?" set to "Everyone". It also means that members of a group with "Who can message this group?" set to "members, moderators and admins" can also message the group, even when their trust level is below min_trust_to_send_messages.
2019-09-18 15:23:13 -04:00
let(:trust_level_0) { build(:user, trust_level: 0) }
FEATURE: Introducing new UI for changing User's notification levels (#7248) * FEATURE: Introducing new UI for tracking User's ignored or muted states
2019-03-27 05:41:50 -04:00
let(:trust_level_1) { build(:user, trust_level: 1) }
FEATURE: allow users to wikify their own posts based on trust level
2016-01-11 10:26:00 -05:00
let(:trust_level_2) { build(:user, trust_level: 2) }
remove elder terminology in specs
2014-09-05 02:52:40 -04:00
let(:trust_level_3) { build(:user, trust_level: 3) }
let(:trust_level_4) { build(:user, trust_level: 4) }
Automatically flag someone as a spammer if their posts get at least X spam flags from N users while their trust level is 'new user'. Staff can clear and set this status from the user record in admin.
2013-05-31 11:41:40 -04:00
let(:another_admin) { build(:admin) }
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
let(:coding_horror) { build(:coding_horror) }
Initial release of Discourse
2013-02-05 14:16:51 -05:00
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
let(:topic) { build(:topic, user: user) }
let(:post) { build(:post, topic: topic, user: topic.user) }
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it 'can be created without a user (not logged in)' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect { Guardian.new }.not_to raise_error
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Easier helper for filtering secured categories
2015-02-12 11:52:59 -05:00
it 'can be instantiated with a user instance' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect { Guardian.new(user) }.not_to raise_error
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: New site setting, whitelisted_link_domains If provided, users who normally couldn't post links (say, due to a low trust level), can post links to those specific hosts.
2018-06-13 14:57:32 -04:00
describe "link_posting_access" do
it "is none for anonymous users" do
expect(Guardian.new.link_posting_access).to eq('none')
end
it "is full for regular users" do
expect(Guardian.new(user).link_posting_access).to eq('full')
end
it "is none for a user of a low trust level" do
user.trust_level = 0
SiteSetting.min_trust_to_post_links = 1
expect(Guardian.new(user).link_posting_access).to eq('none')
end
FIX: use allowlist and blocklist terminology (#10209) This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist.
2020-07-26 20:23:54 -04:00
it "is limited for a user of a low trust level with a allowlist" do
SiteSetting.allowed_link_domains = 'example.com'
FEATURE: New site setting, whitelisted_link_domains If provided, users who normally couldn't post links (say, due to a low trust level), can post links to those specific hosts.
2018-06-13 14:57:32 -04:00
user.trust_level = 0
SiteSetting.min_trust_to_post_links = 1
expect(Guardian.new(user).link_posting_access).to eq('limited')
end
end
FIX: Don't show the link button in the composer if linking is disabled
2018-02-08 12:56:10 -05:00
describe "can_post_link?" do
FEATURE: New site setting, whitelisted_link_domains If provided, users who normally couldn't post links (say, due to a low trust level), can post links to those specific hosts.
2018-06-13 14:57:32 -04:00
let(:host) { "discourse.org" }
FIX: Don't show the link button in the composer if linking is disabled
2018-02-08 12:56:10 -05:00
it "returns false for anonymous users" do
FEATURE: New site setting, whitelisted_link_domains If provided, users who normally couldn't post links (say, due to a low trust level), can post links to those specific hosts.
2018-06-13 14:57:32 -04:00
expect(Guardian.new.can_post_link?(host: host)).to eq(false)
FIX: Don't show the link button in the composer if linking is disabled
2018-02-08 12:56:10 -05:00
end
it "returns true for a regular user" do
FEATURE: New site setting, whitelisted_link_domains If provided, users who normally couldn't post links (say, due to a low trust level), can post links to those specific hosts.
2018-06-13 14:57:32 -04:00
expect(Guardian.new(user).can_post_link?(host: host)).to eq(true)
FIX: Don't show the link button in the composer if linking is disabled
2018-02-08 12:56:10 -05:00
end
it "supports customization by site setting" do
user.trust_level = 0
SiteSetting.min_trust_to_post_links = 0
FEATURE: New site setting, whitelisted_link_domains If provided, users who normally couldn't post links (say, due to a low trust level), can post links to those specific hosts.
2018-06-13 14:57:32 -04:00
expect(Guardian.new(user).can_post_link?(host: host)).to eq(true)
FIX: Don't show the link button in the composer if linking is disabled
2018-02-08 12:56:10 -05:00
SiteSetting.min_trust_to_post_links = 1
FEATURE: New site setting, whitelisted_link_domains If provided, users who normally couldn't post links (say, due to a low trust level), can post links to those specific hosts.
2018-06-13 14:57:32 -04:00
expect(Guardian.new(user).can_post_link?(host: host)).to eq(false)
end
FIX: use allowlist and blocklist terminology (#10209) This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist.
2020-07-26 20:23:54 -04:00
describe "allowlisted host" do
FEATURE: New site setting, whitelisted_link_domains If provided, users who normally couldn't post links (say, due to a low trust level), can post links to those specific hosts.
2018-06-13 14:57:32 -04:00
before do
FIX: use allowlist and blocklist terminology (#10209) This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist.
2020-07-26 20:23:54 -04:00
SiteSetting.allowed_link_domains = host
FEATURE: New site setting, whitelisted_link_domains If provided, users who normally couldn't post links (say, due to a low trust level), can post links to those specific hosts.
2018-06-13 14:57:32 -04:00
end
it "allows a new user to post the link to the host" do
user.trust_level = 0
SiteSetting.min_trust_to_post_links = 1
expect(Guardian.new(user).can_post_link?(host: host)).to eq(true)
expect(Guardian.new(user).can_post_link?(host: 'another-host.com')).to eq(false)
end
FIX: Don't show the link button in the composer if linking is disabled
2018-02-08 12:56:10 -05:00
end
end
FIX: Don't allow other flag actions after `notify_moderator` has happened. https://meta.discourse.org/t/receiving-sorry-an-error-has-occurred-during-flagging-step-of-discobot-tutorial/77233/5
2018-02-27 22:22:51 -05:00
describe '#post_can_act?' do
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
let(:post) { build(:post) }
let(:user) { build(:user) }
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it "returns false when the user is nil" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).post_can_act?(post, :like)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "returns false when the post is nil" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).post_can_act?(nil, :like)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "returns false when the topic is archived" do
post.topic.archived = true
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).post_can_act?(post, :like)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FIX: use PostDestroyer when deleting/recovering a topic
2014-08-07 13:12:35 -04:00
it "returns false when the post is deleted" do
post.deleted_at = Time.now
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).post_can_act?(post, :like)).to be_falsey
FIX: Sending a PM through a flag on a deleted post Because we allow all the other flag types on a deleted post we should be able to send a pm to the user letting them know why we deleted their post. Bug report: https://meta.discourse.org/t/-/161156
2020-08-19 19:31:40 -04:00
expect(Guardian.new(admin).post_can_act?(post, :spam)).to be_truthy
expect(Guardian.new(admin).post_can_act?(post, :notify_user)).to be_truthy
FIX: use PostDestroyer when deleting/recovering a topic
2014-08-07 13:12:35 -04:00
end
FIX: Allow silenced users to like / bookmark, just not flag.
2018-08-17 11:06:01 -04:00
it "works as expected for silenced users" do
FIX: Silenced users shouldn't be able to act on posts
2018-08-14 11:43:39 -04:00
UserSilencer.silence(user, admin)
expect(Guardian.new(user).post_can_act?(post, :spam)).to be_falsey
FIX: Allow silenced users to like / bookmark, just not flag.
2018-08-17 11:06:01 -04:00
expect(Guardian.new(user).post_can_act?(post, :like)).to be_truthy
expect(Guardian.new(user).post_can_act?(post, :bookmark)).to be_truthy
FIX: Silenced users shouldn't be able to act on posts
2018-08-14 11:43:39 -04:00
end
FEATURE: New site setting, `allow staff flags`, false by default For some large communities, it makes sense to disable flagging of staff posts.
2018-02-12 14:56:21 -05:00
it "allows flagging archived posts" do
refactor guardian class for clarity & correctness introduce NullUser to avoid type-checking DRY up code reduce number of multiple returns remove some redundant/impossible logic branches add pending test for possible bug add test & fix for ability to flag archived posts add #secure_category? method to topic class Fix bug that prevented flagging of archived topics Rename NullUser to AnonymousUser DRY up can_<action>? methods Fix some ownership logic, and a test, for Guardian
2013-05-20 02:04:53 -04:00
post.topic.archived = true
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).post_can_act?(post, :spam)).to be_truthy
refactor guardian class for clarity & correctness introduce NullUser to avoid type-checking DRY up code reduce number of multiple returns remove some redundant/impossible logic branches add pending test for possible bug add test & fix for ability to flag archived posts add #secure_category? method to topic class Fix bug that prevented flagging of archived topics Rename NullUser to AnonymousUser DRY up can_<action>? methods Fix some ownership logic, and a test, for Guardian
2013-05-20 02:04:53 -04:00
end
Enforce disabling flagging hidden posts server-side
2018-11-05 10:00:59 -05:00
it "does not allow flagging of hidden posts" do
post.hidden = true
expect(Guardian.new(user).post_can_act?(post, :spam)).to be_falsey
end
Rename `allow staff flags` to `allow flagging staff`
2018-02-12 15:27:05 -05:00
it "allows flagging of staff posts when allow_flagging_staff is true" do
SiteSetting.allow_flagging_staff = true
FEATURE: New site setting, `allow staff flags`, false by default For some large communities, it makes sense to disable flagging of staff posts.
2018-02-12 14:56:21 -05:00
expect(Guardian.new(user).post_can_act?(staff_post, :spam)).to be_truthy
end
FIX: `Guardian#post_can_act?` shouldn't raise an error if user of post has been deleted.
2018-08-17 03:10:07 -04:00
describe 'when allow_flagging_staff is false' do
before do
SiteSetting.allow_flagging_staff = false
end
it "doesn't allow flagging of staff posts" do
expect(Guardian.new(user).post_can_act?(staff_post, :spam)).to eq(false)
end
it "allows flagging of staff posts when staff has been deleted" do
staff_post.user.destroy!
staff_post.reload
expect(Guardian.new(user).post_can_act?(staff_post, :spam)).to eq(true)
end
it "allows liking of staff" do
expect(Guardian.new(user).post_can_act?(staff_post, :like)).to eq(true)
end
FIX: Couldn't like staff when `allow_flagging_staff` was set
2018-02-14 15:46:04 -05:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it "returns false when liking yourself" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(post.user).post_can_act?(post, :like)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "returns false when you've already done it" do
PERF: Avoid calling expensive `PostGuardian#can_see_post?` multiple times. Before ``` Your Results: (note for timings- percentile is first, duration is second in millisecs) --- topic_admin: 50: 19 75: 19 90: 21 99: 27 topic: 50: 56 75: 62 90: 64 99: 99 timings: load_rails: 1262 ruby-version: 2.4.1-p111 rss_kb: 198432 pss_kb: 136612 virtual: physical architecture: amd64 operatingsystem: Ubuntu memorysize: 15.59 GB kernelversion: 4.10.0 physicalprocessorcount: 1 processor0: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz rss_kb_9877: 327892 pss_kb_9877: 263671 rss_kb_9946: 325468 pss_kb_9946: 261671 rss_kb_10153: 326456 pss_kb_10153: 262657 ``` After ``` Your Results: (note for timings- percentile is first, duration is second in millisecs) --- topic_admin: 50: 18 75: 18 90: 20 99: 28 topic: 50: 41 75: 42 90: 46 99: 49 timings: load_rails: 1201 ruby-version: 2.4.1-p111 rss_kb: 187936 pss_kb: 123596 virtual: physical architecture: amd64 operatingsystem: Ubuntu memorysize: 15.59 GB kernelversion: 4.10.0 physicalprocessorcount: 1 processor0: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz rss_kb_26478: 342360 pss_kb_26478: 276696 rss_kb_26547: 340368 pss_kb_26547: 275930 rss_kb_26747: 338964 pss_kb_26747: 274466 ```
2017-09-08 01:07:22 -04:00
expect(Guardian.new(user).post_can_act?(post, :like, opts: {
taken_actions: { PostActionType.types[:like] => 1 }
})).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
remove trailing whitespaces :heart:
2013-02-25 11:42:20 -05:00
it "returns false when you already flagged a post" do
FIX: Don't allow other flag actions after `notify_moderator` has happened. https://meta.discourse.org/t/receiving-sorry-an-error-has-occurred-during-flagging-step-of-discobot-tutorial/77233/5
2018-02-27 22:22:51 -05:00
PostActionType.notify_flag_types.each do |type, _id|
expect(Guardian.new(user).post_can_act?(post, :off_topic, opts: {
taken_actions: { PostActionType.types[type] => 1 }
})).to be_falsey
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FIX: when private messages are disabled in settings, flag modal shouldn't show private message options
2014-12-19 16:47:39 -05:00
it "returns false for notify_user if private messages are disabled" do
rename 'enable_private_messages' to 'enable_personal_messages'
2018-01-31 01:03:12 -05:00
SiteSetting.enable_personal_messages = false
FIX: when private messages are disabled in settings, flag modal shouldn't show private message options
2014-12-19 16:47:39 -05:00
user.trust_level = TrustLevel[2]
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).post_can_act?(post, :notify_user)).to be_falsey
FIX: when private messages are disabled in settings, flag modal shouldn't show private message options
2014-12-19 16:47:39 -05:00
end
FIX: allow sending PMs to staff via flag even when PMs are disabled (#6938) * FIX: allow sending PMs to staff via flag even when PMs are disabled FIX: allow sending PMs to staff via flag even if the user trust level is insufficient * Update lib/topic_creator.rb Co-Authored-By: techAPJ <arpit@techapj.com>
2019-01-24 06:26:59 -05:00
it "returns false for notify_user if private messages are enabled but threshold not met" do
rename 'enable_private_messages' to 'enable_personal_messages'
2018-01-31 01:03:12 -05:00
SiteSetting.enable_personal_messages = true
FEATURE: make trust level for message sending configurable - add min_trust_to_send_messages site setting (default 1) to allow admins to configure when messages can be sent between members
2015-10-11 20:15:38 -04:00
SiteSetting.min_trust_to_send_messages = 2
user.trust_level = TrustLevel[1]
expect(Guardian.new(user).post_can_act?(post, :notify_user)).to be_falsey
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
describe "trust levels" do
it "returns true for a new user liking something" do
Internal renaming of elder,leader,regular,basic to numbers Changed internals so trust levels are referred to with TrustLevel[1], TrustLevel[2] etc. This gives us much better flexibility naming trust levels, these names are meant to be controlled by various communities.
2014-09-05 01:20:39 -04:00
user.trust_level = TrustLevel[0]
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).post_can_act?(post, :like)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: a setting to customize the minimum TL to flag a post
2018-02-06 17:12:27 -05:00
it "returns false for a new user flagging as spam" do
Internal renaming of elder,leader,regular,basic to numbers Changed internals so trust levels are referred to with TrustLevel[1], TrustLevel[2] etc. This gives us much better flexibility naming trust levels, these names are meant to be controlled by various communities.
2014-09-05 01:20:39 -04:00
user.trust_level = TrustLevel[0]
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).post_can_act?(post, :spam)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: a setting to customize the minimum TL to flag a post
2018-02-06 17:12:27 -05:00
it "returns true for a new user flagging as spam if enabled" do
SiteSetting.min_trust_to_flag_posts = 0
user.trust_level = TrustLevel[0]
expect(Guardian.new(user).post_can_act?(post, :spam)).to be_truthy
end
FIX: all PMs should be flaggable
2015-01-08 10:06:43 -05:00
it "returns true for a new user flagging a private message as spam" do
Use prefabricated admin instead of creating new ones
2019-05-06 06:14:35 -04:00
post = Fabricate(:private_message_post, user: admin)
FIX: all PMs should be flaggable
2015-01-08 10:06:43 -05:00
user.trust_level = TrustLevel[0]
SECURITY: Users can only bookmark posts which they can see.
2016-12-20 23:01:26 -05:00
post.topic.allowed_users << user
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).post_can_act?(post, :spam)).to be_truthy
FIX: all PMs should be flaggable
2015-01-08 10:06:43 -05:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it "returns false for a new user flagging something as off topic" do
Internal renaming of elder,leader,regular,basic to numbers Changed internals so trust levels are referred to with TrustLevel[1], TrustLevel[2] etc. This gives us much better flexibility naming trust levels, these names are meant to be controlled by various communities.
2014-09-05 01:20:39 -04:00
user.trust_level = TrustLevel[0]
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).post_can_act?(post, :off_topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FIX: don't show option to flag with notify_user to trust level 0 users. they can't send private messages.
2014-03-10 11:48:27 -04:00
it "returns false for a new user flagging with notify_user" do
Internal renaming of elder,leader,regular,basic to numbers Changed internals so trust levels are referred to with TrustLevel[1], TrustLevel[2] etc. This gives us much better flexibility naming trust levels, these names are meant to be controlled by various communities.
2014-09-05 01:20:39 -04:00
user.trust_level = TrustLevel[0]
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).post_can_act?(post, :notify_user)).to be_falsey # because new users can't send private messages
FIX: don't show option to flag with notify_user to trust level 0 users. they can't send private messages.
2014-03-10 11:48:27 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
Allow staff members to enable safe mode, even if disabled
2018-04-25 11:46:54 -04:00
describe "can_enable_safe_mode" do
let(:user) { Fabricate.build(:user) }
let(:moderator) { Fabricate.build(:moderator) }
context "when enabled" do
before do
SiteSetting.enable_safe_mode = true
end
it "can be performed" do
expect(Guardian.new.can_enable_safe_mode?).to eq(true)
expect(Guardian.new(user).can_enable_safe_mode?).to eq(true)
expect(Guardian.new(moderator).can_enable_safe_mode?).to eq(true)
end
end
context "when disabled" do
before do
SiteSetting.enable_safe_mode = false
end
it "can be performed" do
expect(Guardian.new.can_enable_safe_mode?).to eq(false)
expect(Guardian.new(user).can_enable_safe_mode?).to eq(false)
expect(Guardian.new(moderator).can_enable_safe_mode?).to eq(true)
end
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
describe 'can_send_private_message' do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:suspended_user) { Fabricate(:user, suspended_till: 1.week.from_now, suspended_at: 1.day.ago) }
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it "returns false when the user is nil" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_send_private_message?(user)).to be_falsey
remove trailing whitespaces :heart:
2013-02-25 11:42:20 -05:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it "returns false when the target user is nil" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_send_private_message?(nil)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: allow people to send messages to themselves (for notes etc)
2016-07-03 21:36:43 -04:00
it "returns true when the target is the same as the user" do
# this is now allowed so yay
expect(Guardian.new(user).can_send_private_message?(user)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Revert "FIX: TL0 users' messages to moderators were not being posted when flagging private messages"
2017-10-23 17:19:30 -04:00
it "returns false when you are untrusted" do
user.trust_level = TrustLevel[0]
expect(Guardian.new(user).can_send_private_message?(another_user)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "returns true to another user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_send_private_message?(another_user)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Allow contact user to send private messages even if enable_private_messages is false
2014-04-23 17:00:22 -04:00
FEATURE: make trust level for message sending configurable - add min_trust_to_send_messages site setting (default 1) to allow admins to configure when messages can be sent between members
2015-10-11 20:15:38 -04:00
it "disallows pms to other users if trust level is not met" do
SiteSetting.min_trust_to_send_messages = TrustLevel[2]
user.trust_level = TrustLevel[1]
expect(Guardian.new(user).can_send_private_message?(another_user)).to be_falsey
end
rename 'enable_private_messages' to 'enable_personal_messages'
2018-01-31 01:03:12 -05:00
context "enable_personal_messages is false" do
before { SiteSetting.enable_personal_messages = false }
Allow contact user to send private messages even if enable_private_messages is false
2014-04-23 17:00:22 -04:00
FIX: allow staff members to send PMs when enable_private_messages is disabled
2017-02-22 01:02:09 -05:00
it "returns false if user is not staff member" do
expect(Guardian.new(trust_level_4).can_send_private_message?(another_user)).to be_falsey
Allow contact user to send private messages even if enable_private_messages is false
2014-04-23 17:00:22 -04:00
end
FIX: allow staff members to send PMs when enable_private_messages is disabled
2017-02-22 01:02:09 -05:00
it "returns true for staff member" do
expect(Guardian.new(moderator).can_send_private_message?(another_user)).to be_truthy
expect(Guardian.new(admin).can_send_private_message?(another_user)).to be_truthy
Allow contact user to send private messages even if enable_private_messages is false
2014-04-23 17:00:22 -04:00
end
end
Don't allow sending private messages to suspended users. Emails to suspended users should tell them how to respond, since they can't.
2014-05-06 15:01:19 -04:00
context "target user is suspended" do
it "returns true for staff" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_send_private_message?(suspended_user)).to be_truthy
expect(Guardian.new(moderator).can_send_private_message?(suspended_user)).to be_truthy
Don't allow sending private messages to suspended users. Emails to suspended users should tell them how to respond, since they can't.
2014-05-06 15:01:19 -04:00
end
it "returns false for regular users" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_send_private_message?(suspended_user)).to be_falsey
Don't allow sending private messages to suspended users. Emails to suspended users should tell them how to respond, since they can't.
2014-05-06 15:01:19 -04:00
end
end
FEATURE: blocked users can send and reply to private messages from staff
2016-01-22 12:54:18 -05:00
Rename "Blocked" to "Silenced"
2017-11-10 12:18:08 -05:00
context "author is silenced" do
FEATURE: blocked users can send and reply to private messages from staff
2016-01-22 12:54:18 -05:00
before do
FEATURE: Support an end date for user silencing
2017-11-13 13:41:36 -05:00
user.silenced_till = 1.year.from_now
FEATURE: blocked users can send and reply to private messages from staff
2016-01-22 12:54:18 -05:00
user.save
end
it "returns true if target is staff" do
expect(Guardian.new(user).can_send_private_message?(admin)).to be_truthy
expect(Guardian.new(user).can_send_private_message?(moderator)).to be_truthy
end
it "returns false if target is not staff" do
expect(Guardian.new(user).can_send_private_message?(another_user)).to be_falsey
end
FIX: error when sending a private message to a group in some cases
2016-03-23 16:20:24 -04:00
it "returns true if target is a staff group" do
Group::STAFF_GROUPS.each do |name|
g = Group[name]
SECURITY: Any group can be invited into a PM.
2017-12-13 21:53:21 -05:00
g.update!(messageable_level: Group::ALIAS_LEVELS[:everyone])
FIX: error when sending a private message to a group in some cases
2016-03-23 16:20:24 -04:00
expect(Guardian.new(user).can_send_private_message?(g)).to be_truthy
end
end
FEATURE: blocked users can send and reply to private messages from staff
2016-01-22 12:54:18 -05:00
end
FEATURE: Allow users to disable new PMs. https://meta.discourse.org/t/is-it-possible-to-disable-private-messaging-for-a-specific-user/46391
2017-10-06 03:56:58 -04:00
SECURITY: Any group can be invited into a PM.
2017-12-13 21:53:21 -05:00
it "respects the group's messageable_level" do
Group::ALIAS_LEVELS.each do |level, _|
group.update!(messageable_level: Group::ALIAS_LEVELS[level])
FIX: staff should not be able to PM groups that "Nobody" can message (#16163) If a group's messageable_level is set to nobody then staff can't should not be able to send PMs to it. Co-authored-by: Martin Brennan <martin@discourse.org>
2022-03-21 20:23:14 -04:00
user_output = level == :everyone ? true : false
admin_output = level != :nobody
mod_output = [:nobody, :only_admins].exclude?(level)
SECURITY: Any group can be invited into a PM.
2017-12-13 21:53:21 -05:00
FIX: staff should not be able to PM groups that "Nobody" can message (#16163) If a group's messageable_level is set to nobody then staff can't should not be able to send PMs to it. Co-authored-by: Martin Brennan <martin@discourse.org>
2022-03-21 20:23:14 -04:00
expect(Guardian.new(user).can_send_private_message?(group)).to eq(user_output)
expect(Guardian.new(admin).can_send_private_message?(group)).to eq(admin_output)
expect(Guardian.new(moderator).can_send_private_message?(group)).to eq(mod_output)
SECURITY: Any group can be invited into a PM.
2017-12-13 21:53:21 -05:00
end
end
FIX: ignore min_trust_to_send_messages when messaging groups (#8104) This means that TL0 users can message groups with "Who can message this group?" set to "Everyone". It also means that members of a group with "Who can message this group?" set to "members, moderators and admins" can also message the group, even when their trust level is below min_trust_to_send_messages.
2019-09-18 15:23:13 -04:00
it "allows TL0 to message group with messageable_level = everyone" do
group.update!(messageable_level: Group::ALIAS_LEVELS[:everyone])
expect(Guardian.new(trust_level_0).can_send_private_message?(group)).to eq(true)
expect(Guardian.new(user).can_send_private_message?(group)).to eq(true)
end
FEATURE: Add "Group owners" to posting options for groups Context: https://meta.discourse.org/t/121589 This new setting option lets group owners message/mention large groups without granting that privilege to all members.
2019-07-08 17:12:09 -04:00
it "respects the group members messageable_level" do
group.update!(messageable_level: Group::ALIAS_LEVELS[:members_mods_and_admins])
expect(Guardian.new(user).can_send_private_message?(group)).to eq(false)
group.add(user)
expect(Guardian.new(user).can_send_private_message?(group)).to eq(true)
FIX: ignore min_trust_to_send_messages when messaging groups (#8104) This means that TL0 users can message groups with "Who can message this group?" set to "Everyone". It also means that members of a group with "Who can message this group?" set to "members, moderators and admins" can also message the group, even when their trust level is below min_trust_to_send_messages.
2019-09-18 15:23:13 -04:00
expect(Guardian.new(trust_level_0).can_send_private_message?(group)).to eq(false)
# group membership trumps min_trust_to_send_messages setting
group.add(trust_level_0)
expect(Guardian.new(trust_level_0).can_send_private_message?(group)).to eq(true)
FEATURE: Add "Group owners" to posting options for groups Context: https://meta.discourse.org/t/121589 This new setting option lets group owners message/mention large groups without granting that privilege to all members.
2019-07-08 17:12:09 -04:00
end
it "respects the group owners messageable_level" do
group.update!(messageable_level: Group::ALIAS_LEVELS[:owners_mods_and_admins])
expect(Guardian.new(user).can_send_private_message?(group)).to eq(false)
group.add(user)
expect(Guardian.new(user).can_send_private_message?(group)).to eq(false)
group.add_owner(user)
expect(Guardian.new(user).can_send_private_message?(group)).to eq(true)
end
FEATURE: Allow users to disable new PMs. https://meta.discourse.org/t/is-it-possible-to-disable-private-messaging-for-a-specific-user/46391
2017-10-06 03:56:58 -04:00
context 'target user has private message disabled' do
before do
another_user.user_option.update!(allow_private_messages: false)
end
context 'for a normal user' do
it 'should return false' do
expect(Guardian.new(user).can_send_private_message?(another_user)).to eq(false)
end
end
context 'for a staff user' do
it 'should return true' do
[admin, moderator].each do |staff_user|
expect(Guardian.new(staff_user).can_send_private_message?(another_user))
.to eq(true)
end
end
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
describe 'can_reply_as_new_topic' do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:topic) { Fabricate(:topic) }
fab!(:private_message) { Fabricate(:private_message_topic) }
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it "returns false for a non logged in user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_reply_as_new_topic?(topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "returns false for a nil topic" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_reply_as_new_topic?(nil)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "returns false for an untrusted user" do
Internal renaming of elder,leader,regular,basic to numbers Changed internals so trust levels are referred to with TrustLevel[1], TrustLevel[2] etc. This gives us much better flexibility naming trust levels, these names are meant to be controlled by various communities.
2014-09-05 01:20:39 -04:00
user.trust_level = TrustLevel[0]
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_reply_as_new_topic?(topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "returns true for a trusted user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_reply_as_new_topic?(topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: reply as new message to the same recipients
2016-11-29 12:59:42 -05:00
it "returns true for a private message" do
expect(Guardian.new(user).can_reply_as_new_topic?(private_message)).to be_truthy
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
describe 'can_see_post_actors?' do
let(:topic) { Fabricate(:topic, user: coding_horror) }
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
it 'displays visibility correctly' do
guardian = Guardian.new(user)
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(guardian.can_see_post_actors?(nil, PostActionType.types[:like])).to be_falsey
expect(guardian.can_see_post_actors?(topic, PostActionType.types[:like])).to be_truthy
expect(guardian.can_see_post_actors?(topic, PostActionType.types[:bookmark])).to be_falsey
expect(guardian.can_see_post_actors?(topic, PostActionType.types[:off_topic])).to be_falsey
expect(guardian.can_see_post_actors?(topic, PostActionType.types[:spam])).to be_falsey
FIX: should not be allowed to see users list of people who started a PM
2016-10-19 02:36:35 -04:00
expect(guardian.can_see_post_actors?(topic, PostActionType.types[:notify_user])).to be_falsey
expect(Guardian.new(moderator).can_see_post_actors?(topic, PostActionType.types[:notify_user])).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
describe 'can_impersonate?' do
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
it 'allows impersonation correctly' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_impersonate?(nil)).to be_falsey
expect(Guardian.new.can_impersonate?(user)).to be_falsey
expect(Guardian.new(coding_horror).can_impersonate?(user)).to be_falsey
expect(Guardian.new(admin).can_impersonate?(admin)).to be_falsey
expect(Guardian.new(admin).can_impersonate?(another_admin)).to be_falsey
expect(Guardian.new(admin).can_impersonate?(user)).to be_truthy
expect(Guardian.new(admin).can_impersonate?(moderator)).to be_truthy
give god rights of impersonation to developers, must be edited into the production.rb config file
2013-09-04 20:27:34 -04:00
Rails.configuration.stubs(:developer_emails).returns([admin.email])
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_impersonate?(another_admin)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
FEATURE: add a button on admin user page that links to action log
2017-02-21 07:45:30 -05:00
describe "can_view_action_logs?" do
it 'is false for non-staff acting user' do
expect(Guardian.new(user).can_view_action_logs?(moderator)).to be_falsey
end
it 'is false without a target user' do
expect(Guardian.new(moderator).can_view_action_logs?(nil)).to be_falsey
end
FIX: show all staff events related to the target user
2017-02-22 03:01:40 -05:00
it 'is true when target user is present' do
expect(Guardian.new(moderator).can_view_action_logs?(user)).to be_truthy
FEATURE: add a button on admin user page that links to action log
2017-02-21 07:45:30 -05:00
end
end
Support for inviting to a forum from a user's invite page.
2013-11-06 12:56:26 -05:00
describe 'can_invite_to_forum?' do
let(:user) { Fabricate.build(:user) }
let(:moderator) { Fabricate.build(:moderator) }
FIX: invite users with sufficient trust level
2020-10-21 05:09:44 -04:00
it 'returns true if user has sufficient trust level' do
SiteSetting.min_trust_level_to_allow_invite = 2
expect(Guardian.new(trust_level_2).can_invite_to_forum?).to be_truthy
expect(Guardian.new(moderator).can_invite_to_forum?).to be_truthy
end
it 'returns false if user trust level does not have sufficient trust level' do
SiteSetting.min_trust_level_to_allow_invite = 2
expect(Guardian.new(trust_level_1).can_invite_to_forum?).to be_falsey
end
Support for inviting to a forum from a user's invite page.
2013-11-06 12:56:26 -05:00
it "doesn't allow anonymous users to invite" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_invite_to_forum?).to be_falsey
Support for inviting to a forum from a user's invite page.
2013-11-06 12:56:26 -05:00
end
FIX: Allow invites if must_approve_users is true (#15043) This was implemented in 36e0e6a, but then regressed when the guardian for invites was refactored in 76a7b75.
2021-11-22 07:04:35 -05:00
it 'returns true when the site requires approving users' do
FIX: Group owners should be able to invite users to their groups. https://meta.discourse.org/t/group-owner-cannot-send-an-invite-to-a-group/60617/12
2017-07-21 02:12:24 -04:00
SiteSetting.must_approve_users = true
FIX: Allow invites if must_approve_users is true (#15043) This was implemented in 36e0e6a, but then regressed when the guardian for invites was refactored in 76a7b75.
2021-11-22 07:04:35 -05:00
expect(Guardian.new(trust_level_2).can_invite_to_forum?).to be_truthy
Support for inviting to a forum from a user's invite page.
2013-11-06 12:56:26 -05:00
end
FEATURE: disable invites by setting max_invites_per_day to 0
2015-05-19 02:51:21 -04:00
it 'returns false when max_invites_per_day is 0' do
# let's also break it while here
SiteSetting.max_invites_per_day = "a"
FIX: staff should be immune to max_invites_per_day setting
2015-06-05 00:52:41 -04:00
expect(Guardian.new(user).can_invite_to_forum?).to be_falsey
# staff should be immune to max_invites_per_day setting
expect(Guardian.new(moderator).can_invite_to_forum?).to be_truthy
FEATURE: disable invites by setting max_invites_per_day to 0
2015-05-19 02:51:21 -04:00
end
FIX: Group owners should be able to invite users to their groups. https://meta.discourse.org/t/group-owner-cannot-send-an-invite-to-a-group/60617/12
2017-07-21 02:12:24 -04:00
context 'with groups' do
let(:groups) { [group, another_group] }
before do
user.update!(trust_level: TrustLevel[2])
group.add_owner(user)
end
it 'returns false when user is not allowed to edit a group' do
expect(Guardian.new(user).can_invite_to_forum?(groups)).to eq(false)
Use prefabricated admin instead of creating new ones
2019-05-06 06:14:35 -04:00
expect(Guardian.new(admin).can_invite_to_forum?(groups))
FIX: Group owners should be able to invite users to their groups. https://meta.discourse.org/t/group-owner-cannot-send-an-invite-to-a-group/60617/12
2017-07-21 02:12:24 -04:00
.to eq(true)
end
it 'returns true when user is allowed to edit groups' do
another_group.add_owner(user)
expect(Guardian.new(user).can_invite_to_forum?(groups)).to eq(true)
end
end
Support for inviting to a forum from a user's invite page.
2013-11-06 12:56:26 -05:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
describe 'can_invite_to?' do
FIX: Regular users shouldn't be able to invite to PMs if disabled
2017-05-19 12:55:26 -04:00
describe "regular topics" do
FIX: invite users with sufficient trust level
2020-10-21 05:09:44 -04:00
before do
SiteSetting.min_trust_level_to_allow_invite = 2
user.update!(trust_level: SiteSetting.min_trust_level_to_allow_invite)
end
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:category) { Fabricate(:category, read_restricted: true) }
fab!(:topic) { Fabricate(:topic) }
fab!(:private_topic) { Fabricate(:topic, category: category) }
fab!(:user) { topic.user }
FIX: Regular users shouldn't be able to invite to PMs if disabled
2017-05-19 12:55:26 -04:00
let(:private_category) { Fabricate(:private_category, group: group) }
let(:group_private_topic) { Fabricate(:topic, category: private_category) }
let(:group_owner) { group_private_topic.user.tap { |u| group.add_owner(u) } }
it 'handles invitation correctly' do
expect(Guardian.new(nil).can_invite_to?(topic)).to be_falsey
expect(Guardian.new(moderator).can_invite_to?(nil)).to be_falsey
expect(Guardian.new(moderator).can_invite_to?(topic)).to be_truthy
FIX: Handle separately invite to topic and forum (#14562) Invite is used in two contexts, when inviting a new user to the forum and when inviting an existent user to a topic. The first case is more complex and it involves permission checks to ensure that new users can be created. In the second case, it is enough to ensure that the topic is visible for both users and that all preconditions are met. One edge case is the invite to topic via email functionality which checks for both conditions because first the user must be invited to create an account first and then to the topic. A side effect of these changes is that all site settings related to invites refer to inviting new users only now.
2021-10-11 05:19:31 -04:00
expect(Guardian.new(trust_level_1).can_invite_to?(topic)).to be_truthy
FIX: Regular users shouldn't be able to invite to PMs if disabled
2017-05-19 12:55:26 -04:00
SiteSetting.max_invites_per_day = 0
FIX: Handle separately invite to topic and forum (#14562) Invite is used in two contexts, when inviting a new user to the forum and when inviting an existent user to a topic. The first case is more complex and it involves permission checks to ensure that new users can be created. In the second case, it is enough to ensure that the topic is visible for both users and that all preconditions are met. One edge case is the invite to topic via email functionality which checks for both conditions because first the user must be invited to create an account first and then to the topic. A side effect of these changes is that all site settings related to invites refer to inviting new users only now.
2021-10-11 05:19:31 -04:00
expect(Guardian.new(user).can_invite_to?(topic)).to be_truthy
FIX: Regular users shouldn't be able to invite to PMs if disabled
2017-05-19 12:55:26 -04:00
# staff should be immune to max_invites_per_day setting
expect(Guardian.new(moderator).can_invite_to?(topic)).to be_truthy
end
FEATURE: disable invites by setting max_invites_per_day to 0
2015-05-19 02:51:21 -04:00
FIX: Regular users shouldn't be able to invite to PMs if disabled
2017-05-19 12:55:26 -04:00
it 'returns false for normal user on private topic' do
expect(Guardian.new(user).can_invite_to?(private_topic)).to be_falsey
end
FIX: staff should be immune to max_invites_per_day setting
2015-06-05 00:52:41 -04:00
SECURITY: Require groups to be given when inviting to a restricted category. (#6715)
2018-12-05 10:43:07 -05:00
it 'returns false for admin on private topic' do
expect(Guardian.new(admin).can_invite_to?(private_topic)).to be(false)
FIX: Regular users shouldn't be able to invite to PMs if disabled
2017-05-19 12:55:26 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
FIX: Regular users shouldn't be able to invite to PMs if disabled
2017-05-19 12:55:26 -04:00
it 'returns true for a group owner' do
DEV: Reuse can_invite_to_forum? in can_invite_to? (#14392) This commit resolves refactors can_invite_to? to use can_invite_to_forum? for checking the site-wide permissions and then perform topic specific checkups. Similarly, can_invite_to? is always used with a topic object and this is now enforced. There was another problem before when `must_approve_users` site setting was not checked when inviting users to forum, but was checked when inviting to a topic. Another minor security issue was that group owners could invite to group topics even if they did not have the minimum trust level to do it.
2021-09-29 10:40:16 -04:00
group_owner.update!(trust_level: SiteSetting.min_trust_level_to_allow_invite)
FIX: Regular users shouldn't be able to invite to PMs if disabled
2017-05-19 12:55:26 -04:00
expect(Guardian.new(group_owner).can_invite_to?(group_private_topic)).to be_truthy
end
FIX: user should not be able to invite to PM if trust level requirment not met FIX: when personal messages are disabled let user invite to a public topic
2018-03-07 15:04:17 -05:00
it 'returns true for normal user when inviting to topic and PM disabled' do
SiteSetting.enable_personal_messages = false
expect(Guardian.new(trust_level_2).can_invite_to?(topic)).to be_truthy
end
SECURITY: Require groups to be given when inviting to a restricted category. (#6715)
2018-12-05 10:43:07 -05:00
FIX: Handle separately invite to topic and forum (#14562) Invite is used in two contexts, when inviting a new user to the forum and when inviting an existent user to a topic. The first case is more complex and it involves permission checks to ensure that new users can be created. In the second case, it is enough to ensure that the topic is visible for both users and that all preconditions are met. One edge case is the invite to topic via email functionality which checks for both conditions because first the user must be invited to create an account first and then to the topic. A side effect of these changes is that all site settings related to invites refer to inviting new users only now.
2021-10-11 05:19:31 -04:00
it 'return true for normal users even if must_approve_users' do
FIX: Various invite system fixes (#13003) * FIX: Ensure the same email cannot be invited twice When creating a new invite with a duplicated email, the old invite will be updated and returned. When updating an invite with a duplicated email address, an error will be returned. * FIX: not Ember helper does not exist * FIX: Sync can_invite_to_forum? and can_invite_to? The two methods should perform the same basic set of checks, such as check must_approve_users site setting. Ideally, one of the methods would call the other one or be merged and that will happen in the future. * FIX: Show invite to group if user is group owner
2021-05-12 06:06:39 -04:00
SiteSetting.must_approve_users = true
FIX: Handle separately invite to topic and forum (#14562) Invite is used in two contexts, when inviting a new user to the forum and when inviting an existent user to a topic. The first case is more complex and it involves permission checks to ensure that new users can be created. In the second case, it is enough to ensure that the topic is visible for both users and that all preconditions are met. One edge case is the invite to topic via email functionality which checks for both conditions because first the user must be invited to create an account first and then to the topic. A side effect of these changes is that all site settings related to invites refer to inviting new users only now.
2021-10-11 05:19:31 -04:00
expect(Guardian.new(user).can_invite_to?(topic)).to be_truthy
FIX: Various invite system fixes (#13003) * FIX: Ensure the same email cannot be invited twice When creating a new invite with a duplicated email, the old invite will be updated and returned. When updating an invite with a duplicated email address, an error will be returned. * FIX: not Ember helper does not exist * FIX: Sync can_invite_to_forum? and can_invite_to? The two methods should perform the same basic set of checks, such as check must_approve_users site setting. Ideally, one of the methods would call the other one or be merged and that will happen in the future. * FIX: Show invite to group if user is group owner
2021-05-12 06:06:39 -04:00
expect(Guardian.new(admin).can_invite_to?(topic)).to be_truthy
end
SECURITY: Require groups to be given when inviting to a restricted category. (#6715)
2018-12-05 10:43:07 -05:00
describe 'for a private category for automatic and non-automatic group' do
let(:category) do
Fabricate(:category, read_restricted: true).tap do |category|
category.groups << automatic_group
category.groups << group
end
end
let(:topic) { Fabricate(:topic, category: category) }
it 'should return true for an admin user' do
expect(Guardian.new(admin).can_invite_to?(topic)).to eq(true)
end
it 'should return true for a group owner' do
DEV: Reuse can_invite_to_forum? in can_invite_to? (#14392) This commit resolves refactors can_invite_to? to use can_invite_to_forum? for checking the site-wide permissions and then perform topic specific checkups. Similarly, can_invite_to? is always used with a topic object and this is now enforced. There was another problem before when `must_approve_users` site setting was not checked when inviting users to forum, but was checked when inviting to a topic. Another minor security issue was that group owners could invite to group topics even if they did not have the minimum trust level to do it.
2021-09-29 10:40:16 -04:00
group_owner.update!(trust_level: SiteSetting.min_trust_level_to_allow_invite)
SECURITY: Require groups to be given when inviting to a restricted category. (#6715)
2018-12-05 10:43:07 -05:00
expect(Guardian.new(group_owner).can_invite_to?(topic)).to eq(true)
end
it 'should return false for a normal user' do
expect(Guardian.new(user).can_invite_to?(topic)).to eq(false)
end
end
describe 'for a private category for automatic groups' do
let(:category) do
Removed unnecessary let
2019-05-07 04:51:32 -04:00
Fabricate(:private_category, group: automatic_group, read_restricted: true)
SECURITY: Require groups to be given when inviting to a restricted category. (#6715)
2018-12-05 10:43:07 -05:00
end
Removed unnecessary let
2019-05-07 04:51:32 -04:00
let(:group_owner) { Fabricate(:user).tap { |user| automatic_group.add_owner(user) } }
SECURITY: Require groups to be given when inviting to a restricted category. (#6715)
2018-12-05 10:43:07 -05:00
let(:topic) { Fabricate(:topic, category: category) }
it 'should return false for all type of users' do
expect(Guardian.new(admin).can_invite_to?(topic)).to eq(false)
expect(Guardian.new(group_owner).can_invite_to?(topic)).to eq(false)
expect(Guardian.new(user).can_invite_to?(topic)).to eq(false)
end
end
REFACTOR: move all conditions to guardian
2014-07-04 13:34:19 -04:00
end
FIX: Regular users shouldn't be able to invite to PMs if disabled
2017-05-19 12:55:26 -04:00
describe "private messages" do
EDIT: specs and translation updated
2020-10-22 09:36:56 -04:00
fab!(:user) { Fabricate(:user, trust_level: TrustLevel[2]) }
FIX: invite users with sufficient trust level
2020-10-21 05:09:44 -04:00
fab!(:user) { Fabricate(:user, trust_level: SiteSetting.min_trust_level_to_allow_invite) }
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:pm) { Fabricate(:private_message_topic, user: user) }
REFACTOR: move all conditions to guardian
2014-07-04 13:34:19 -04:00
FIX: Regular users shouldn't be able to invite to PMs if disabled
2017-05-19 12:55:26 -04:00
context "when private messages are disabled" do
it "allows an admin to invite to the pm" do
expect(Guardian.new(admin).can_invite_to?(pm)).to be_truthy
expect(Guardian.new(user).can_invite_to?(pm)).to be_truthy
end
end
context "when private messages are disabled" do
before do
rename 'enable_private_messages' to 'enable_personal_messages'
2018-01-31 01:03:12 -05:00
SiteSetting.enable_personal_messages = false
FIX: Regular users shouldn't be able to invite to PMs if disabled
2017-05-19 12:55:26 -04:00
end
it "doesn't allow a regular user to invite" do
expect(Guardian.new(admin).can_invite_to?(pm)).to be_truthy
expect(Guardian.new(user).can_invite_to?(pm)).to be_falsey
end
end
FIX: invite users with sufficient trust level
2020-10-21 05:09:44 -04:00
DEV: Correct typos and spelling mistakes (#12812) Over the years we accrued many spelling mistakes in the code base. This PR attempts to fix spelling mistakes and typos in all areas of the code that are extremely safe to change - comments - test descriptions - other low risk areas
2021-05-20 21:43:47 -04:00
context "when PM has reached the maximum number of recipients" do
FIX: don't allow inviting more than `max_allowed_message_recipients` * FIX: don't allow inviting more than `max_allowed_message_recipients` setting allows * add specs for guardian * user preferences for auto track shouldn't be applicable to PMs (it auto watches on visit) Execlude PMs from "Automatically track topics I enter..." and "When I post in a topic, set that topic to..." user preferences * groups take only 1 slot in PM * just return if topic is a PM
2018-08-23 00:36:49 -04:00
before do
SiteSetting.max_allowed_message_recipients = 2
end
it "doesn't allow a regular user to invite" do
expect(Guardian.new(user).can_invite_to?(pm)).to be_falsey
end
it "allows staff to invite" do
expect(Guardian.new(admin).can_invite_to?(pm)).to be_truthy
pm.grant_permission_to_user(moderator.email)
expect(Guardian.new(moderator).can_invite_to?(pm)).to be_truthy
end
end
group manager can invite members into the group from any restricted topic
2015-03-02 14:25:25 -05:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FIX: allow existing users to be invited to topic/message when must_approve_users is enabled
2017-02-02 12:38:25 -05:00
describe 'can_invite_via_email?' do
it 'returns true for all (tl2 and above) users when sso is disabled, local logins are enabled, user approval is not required' do
expect(Guardian.new(trust_level_2).can_invite_via_email?(topic)).to be_truthy
expect(Guardian.new(moderator).can_invite_via_email?(topic)).to be_truthy
expect(Guardian.new(admin).can_invite_via_email?(topic)).to be_truthy
end
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-18 20:20:10 -04:00
it 'returns true for all users when sso is enabled' do
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
SiteSetting.enable_discourse_connect = true
FIX: allow existing users to be invited to topic/message when must_approve_users is enabled
2017-02-02 12:38:25 -05:00
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-18 20:20:10 -04:00
expect(Guardian.new(trust_level_2).can_invite_via_email?(topic)).to be_truthy
expect(Guardian.new(moderator).can_invite_via_email?(topic)).to be_truthy
expect(Guardian.new(admin).can_invite_via_email?(topic)).to be_truthy
FIX: allow existing users to be invited to topic/message when must_approve_users is enabled
2017-02-02 12:38:25 -05:00
end
it 'returns false for all users when local logins are disabled' do
SiteSetting.enable_local_logins = false
expect(Guardian.new(trust_level_2).can_invite_via_email?(topic)).to be_falsey
expect(Guardian.new(moderator).can_invite_via_email?(topic)).to be_falsey
expect(Guardian.new(admin).can_invite_via_email?(topic)).to be_falsey
end
DEV: Correct typos and spelling mistakes (#12812) Over the years we accrued many spelling mistakes in the code base. This PR attempts to fix spelling mistakes and typos in all areas of the code that are extremely safe to change - comments - test descriptions - other low risk areas
2021-05-20 21:43:47 -04:00
it 'returns correct values when user approval is required' do
FIX: allow existing users to be invited to topic/message when must_approve_users is enabled
2017-02-02 12:38:25 -05:00
SiteSetting.must_approve_users = true
expect(Guardian.new(trust_level_2).can_invite_via_email?(topic)).to be_falsey
expect(Guardian.new(moderator).can_invite_via_email?(topic)).to be_truthy
expect(Guardian.new(admin).can_invite_via_email?(topic)).to be_truthy
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
describe 'can_see?' do
it 'returns false with a nil object' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_see?(nil)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FIX: staged user doesn't get notified for replies in topics they created in secured categories
2016-02-24 05:30:17 -05:00
describe 'a Category' do
it 'allows public categories' do
public_category = build(:category, read_restricted: false)
expect(Guardian.new.can_see?(public_category)).to be_truthy
end
it 'correctly handles secure categories' do
normal_user = build(:user)
staged_user = build(:user, staged: true)
admin_user = build(:user, admin: true)
secure_category = build(:category, read_restricted: true)
expect(Guardian.new(normal_user).can_see?(secure_category)).to be_falsey
expect(Guardian.new(staged_user).can_see?(secure_category)).to be_falsey
expect(Guardian.new(admin_user).can_see?(secure_category)).to be_truthy
secure_category = build(:category, read_restricted: true, email_in: "foo@bar.com")
expect(Guardian.new(normal_user).can_see?(secure_category)).to be_falsey
expect(Guardian.new(staged_user).can_see?(secure_category)).to be_falsey
expect(Guardian.new(admin_user).can_see?(secure_category)).to be_truthy
secure_category = build(:category, read_restricted: true, email_in_allow_strangers: true)
expect(Guardian.new(normal_user).can_see?(secure_category)).to be_falsey
expect(Guardian.new(staged_user).can_see?(secure_category)).to be_falsey
expect(Guardian.new(admin_user).can_see?(secure_category)).to be_truthy
secure_category = build(:category, read_restricted: true, email_in: "foo@bar.com", email_in_allow_strangers: true)
expect(Guardian.new(normal_user).can_see?(secure_category)).to be_falsey
expect(Guardian.new(staged_user).can_see?(secure_category)).to be_truthy
expect(Guardian.new(admin_user).can_see?(secure_category)).to be_truthy
end
it 'allows members of an authorized group' do
Prefabricate category
2019-05-07 04:37:42 -04:00
secure_category = plain_category
FIX: staged user doesn't get notified for replies in topics they created in secured categories
2016-02-24 05:30:17 -05:00
secure_category.set_permissions(group => :readonly)
secure_category.save
expect(Guardian.new(user).can_see?(secure_category)).to be_falsey
group.add(user)
group.save
expect(Guardian.new(user).can_see?(secure_category)).to be_truthy
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
describe 'a Topic' do
it 'allows non logged in users to view topics' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_see?(topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
it 'correctly handles groups' do
work in progress, add fidelity to category group permissions (full, create posts, readonly)
2013-07-13 21:24:16 -04:00
category = Fabricate(:category, read_restricted: true)
category.set_permissions(group => :full)
category.save
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
topic = Fabricate(:topic, category: category)
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_see?(topic)).to be_falsey
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
group.add(user)
group.save
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_see?(topic)).to be_truthy
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
end
FIX: moderators can't see private topics that they aren't invited to see.
2014-05-12 15:26:36 -04:00
FEATURE: Hide deleted posts by default for staff
2014-07-15 17:02:43 -04:00
it "restricts deleted topics" do
topic = Fabricate(:topic)
topic.trash!(moderator)
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(build(:user)).can_see?(topic)).to be_falsey
expect(Guardian.new(moderator).can_see?(topic)).to be_truthy
expect(Guardian.new(admin).can_see?(topic)).to be_truthy
FEATURE: Hide deleted posts by default for staff
2014-07-15 17:02:43 -04:00
end
FIX: moderators can't see private topics that they aren't invited to see.
2014-05-12 15:26:36 -04:00
it "restricts private topics" do
user.save!
private_topic = Fabricate(:private_message_topic, user: user)
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(private_topic.user).can_see?(private_topic)).to be_truthy
expect(Guardian.new(build(:user)).can_see?(private_topic)).to be_falsey
expect(Guardian.new(moderator).can_see?(private_topic)).to be_falsey
expect(Guardian.new(admin).can_see?(private_topic)).to be_truthy
FIX: moderators can't see private topics that they aren't invited to see.
2014-05-12 15:26:36 -04:00
end
FEATURE: Hide deleted posts by default for staff
2014-07-15 17:02:43 -04:00
it "restricts private deleted topics" do
user.save!
private_topic = Fabricate(:private_message_topic, user: user)
private_topic.trash!(admin)
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(private_topic.user).can_see?(private_topic)).to be_falsey
expect(Guardian.new(build(:user)).can_see?(private_topic)).to be_falsey
expect(Guardian.new(moderator).can_see?(private_topic)).to be_falsey
expect(Guardian.new(admin).can_see?(private_topic)).to be_truthy
FEATURE: Hide deleted posts by default for staff
2014-07-15 17:02:43 -04:00
end
FIX: only admin can edit faq, tos, and privacy policy
2014-07-29 10:40:02 -04:00
it "restricts static doc topics" do
tos_topic = Fabricate(:topic, user: Discourse.system_user)
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.tos_topic_id = tos_topic.id
FIX: only admin can edit faq, tos, and privacy policy
2014-07-29 10:40:02 -04:00
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(build(:user)).can_edit?(tos_topic)).to be_falsey
expect(Guardian.new(moderator).can_edit?(tos_topic)).to be_falsey
expect(Guardian.new(admin).can_edit?(tos_topic)).to be_truthy
FIX: only admin can edit faq, tos, and privacy policy
2014-07-29 10:40:02 -04:00
end
FEATURE: allow moderators to see flagged private messages
2015-02-16 07:03:04 -05:00
it "allows moderators to see a flagged private message" do
moderator.save!
user.save!
private_topic = Fabricate(:private_message_topic, user: user)
first_post = Fabricate(:post, topic: private_topic, user: user)
expect(Guardian.new(moderator).can_see?(private_topic)).to be_falsey
FEATURE: New 'Reviewable' model to make reviewable items generic Includes support for flags, reviewable users and queued posts, with REST API backwards compatibility. Co-Authored-By: romanrizzi <romanalejandro@gmail.com> Co-Authored-By: jjaffeux <j.jaffeux@gmail.com>
2019-01-03 12:03:01 -05:00
PostActionCreator.create(user, first_post, :off_topic)
FEATURE: allow moderators to see flagged private messages
2015-02-16 07:03:04 -05:00
expect(Guardian.new(moderator).can_see?(private_topic)).to be_truthy
end
FIX: Ensure topic exists before making a banner. (#7781)
2019-06-25 06:49:29 -04:00
it "allows staff to set banner topics" do
topic = Fabricate(:topic)
expect(Guardian.new(admin).can_banner_topic?(nil)).to be_falsey
expect(Guardian.new(admin).can_banner_topic?(topic)).to be_truthy
end
FEATURE: Allow category group moderators to delete topics (#11069) * FEATURE - allow category group moderators to delete topics * Allow individual posts to be deleted * DEV - refactor for new `can_moderate_topic?` method
2020-11-05 12:18:26 -05:00
it 'respects category group moderator settings' do
group_user = Fabricate(:group_user)
user_gm = group_user.user
group = group_user.group
SiteSetting.enable_category_group_moderation = true
topic = Fabricate(:topic)
expect(Guardian.new(user_gm).can_see?(topic)).to be_truthy
topic.trash!(admin)
topic.reload
expect(Guardian.new(user_gm).can_see?(topic)).to be_falsey
topic.category.update!(reviewable_by_group_id: group.id, topic_id: post.topic.id)
expect(Guardian.new(user_gm).can_see?(topic)).to be_truthy
end
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
end
describe 'a Post' do
FEATURE: Allow category group moderators to delete topics (#11069) * FEATURE - allow category group moderators to delete topics * Allow individual posts to be deleted * DEV - refactor for new `can_moderate_topic?` method
2020-11-05 12:18:26 -05:00
fab!(:post) { Fabricate(:post) }
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:another_admin) { Fabricate(:admin) }
FEATURE: Allow category group moderators to delete topics (#11069) * FEATURE - allow category group moderators to delete topics * Allow individual posts to be deleted * DEV - refactor for new `can_moderate_topic?` method
2020-11-05 12:18:26 -05:00
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
it 'correctly handles post visibility' do
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
topic = post.topic
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_see?(post)).to be_truthy
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
Add `deleted_by` to `Trashable` tables
2013-07-09 15:20:18 -04:00
post.trash!(another_admin)
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
post.reload
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_see?(post)).to be_falsey
expect(Guardian.new(admin).can_see?(post)).to be_truthy
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
remove acts_as_paranoid, use .trash! , .recover! and .with_deleted as needed makes upgrading to rails 4 possible
2013-05-07 00:39:01 -04:00
post.recover!
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
post.reload
Add `deleted_by` to `Trashable` tables
2013-07-09 15:20:18 -04:00
topic.trash!(another_admin)
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
topic.reload
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_see?(post)).to be_falsey
expect(Guardian.new(admin).can_see?(post)).to be_truthy
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
end
FEATURE: Whisper posts
2015-09-10 16:01:23 -04:00
FEATURE: Allow category group moderators to delete topics (#11069) * FEATURE - allow category group moderators to delete topics * Allow individual posts to be deleted * DEV - refactor for new `can_moderate_topic?` method
2020-11-05 12:18:26 -05:00
it 'respects category group moderator settings' do
group_user = Fabricate(:group_user)
user_gm = group_user.user
group = group_user.group
SiteSetting.enable_category_group_moderation = true
expect(Guardian.new(user_gm).can_see?(post)).to be_truthy
post.trash!(another_admin)
post.reload
expect(Guardian.new(user_gm).can_see?(post)).to be_falsey
post.topic.category.update!(reviewable_by_group_id: group.id, topic_id: post.topic.id)
expect(Guardian.new(user_gm).can_see?(post)).to be_truthy
end
FIX: TL4 users can see their deleted posts (#13364)
2021-06-21 12:10:02 -04:00
it 'TL4 users can see their deleted posts' do
user = Fabricate(:user, trust_level: 4)
user2 = Fabricate(:user, trust_level: 4)
post = Fabricate(:post, user: user, topic: Fabricate(:post).topic)
expect(Guardian.new(user).can_see?(post)).to eq(true)
PostDestroyer.new(user, post).destroy
expect(Guardian.new(user).can_see?(post)).to eq(true)
expect(Guardian.new(user2).can_see?(post)).to eq(false)
end
FEATURE: Whisper posts
2015-09-10 16:01:23 -04:00
it 'respects whispers' do
FEATURE: Allow category group moderators to delete topics (#11069) * FEATURE - allow category group moderators to delete topics * Allow individual posts to be deleted * DEV - refactor for new `can_moderate_topic?` method
2020-11-05 12:18:26 -05:00
regular_post = post
FEATURE: Whisper posts
2015-09-10 16:01:23 -04:00
whisper_post = Fabricate.build(:post, post_type: Post.types[:whisper])
anon_guardian = Guardian.new
expect(anon_guardian.can_see?(regular_post)).to eq(true)
expect(anon_guardian.can_see?(whisper_post)).to eq(false)
regular_user = Fabricate.build(:user)
regular_guardian = Guardian.new(regular_user)
expect(regular_guardian.can_see?(regular_post)).to eq(true)
expect(regular_guardian.can_see?(whisper_post)).to eq(false)
# can see your own whispers
regular_whisper = Fabricate.build(:post, post_type: Post.types[:whisper], user: regular_user)
expect(regular_guardian.can_see?(regular_whisper)).to eq(true)
mod_guardian = Guardian.new(Fabricate.build(:moderator))
expect(mod_guardian.can_see?(regular_post)).to eq(true)
expect(mod_guardian.can_see?(whisper_post)).to eq(true)
admin_guardian = Guardian.new(Fabricate.build(:admin))
expect(admin_guardian.can_see?(regular_post)).to eq(true)
expect(admin_guardian.can_see?(whisper_post)).to eq(true)
end
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
end
describe 'a PostRevision' do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:post_revision) { Fabricate(:post_revision) }
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
context 'edit_history_visible_to_public is true' do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
before { SiteSetting.edit_history_visible_to_public = true }
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
it 'is false for nil' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_see?(nil)).to be_falsey
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
end
it 'is true if not logged in' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_see?(post_revision)).to be_truthy
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
end
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
it 'is true when logged in' do
PERF: Make tests faster by prefabricating more things (#15370)
2021-12-20 13:59:10 -05:00
expect(Guardian.new(user).can_see?(post_revision)).to be_truthy
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
end
end
backend for secure categories mostly done (todo pm groups)
2013-04-29 02:33:24 -04:00
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
context 'edit_history_visible_to_public is false' do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
before { SiteSetting.edit_history_visible_to_public = false }
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
it 'is true for staff' do
Use prefabricated admin instead of creating new ones
2019-05-06 06:14:35 -04:00
expect(Guardian.new(admin).can_see?(post_revision)).to be_truthy
Reuse prefabricated moderator instead of creating new ones
2019-05-06 06:13:39 -04:00
expect(Guardian.new(moderator).can_see?(post_revision)).to be_truthy
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
end
FIX: Hide the post history for TL4 (#10065)
2020-06-18 06:27:51 -04:00
it 'is false for trust level equal or lower than 4' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(trust_level_3).can_see?(post_revision)).to be_falsey
FIX: Hide the post history for TL4 (#10065)
2020-06-18 06:27:51 -04:00
expect(Guardian.new(trust_level_4).can_see?(post_revision)).to be_falsey
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
describe 'can_create?' do
describe 'a Category' do
it 'returns false when not logged in' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_create?(Category)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns false when a regular user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_create?(Category)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
SECURITY: reduce moderator rights You can now hide particular categories from certain moderators
2014-02-06 22:11:52 -05:00
it 'returns false when a moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_create?(Category)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true when an admin' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_create?(Category)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
Finalize read only and post only categories, finished off UI work
2013-07-16 01:44:07 -04:00
describe 'a Topic' do
FIX: restrict moderators from creating/editing topics in readonly categories In the past moderators had blanket access to all categories they were allowed to see. This tightens down the restriction.
2016-04-13 01:59:38 -04:00
it 'does not allow moderators to create topics in readonly categories' do
Prefabricate category
2019-05-07 04:37:42 -04:00
category = plain_category
FIX: restrict moderators from creating/editing topics in readonly categories In the past moderators had blanket access to all categories they were allowed to see. This tightens down the restriction.
2016-04-13 01:59:38 -04:00
category.set_permissions(everyone: :read)
category.save
expect(Guardian.new(moderator).can_create?(Topic, category)).to be_falsey
end
Finalize read only and post only categories, finished off UI work
2013-07-16 01:44:07 -04:00
it 'should check for full permissions' do
Prefabricate category
2019-05-07 04:37:42 -04:00
category = plain_category
Finalize read only and post only categories, finished off UI work
2013-07-16 01:44:07 -04:00
category.set_permissions(everyone: :create_post)
category.save
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_create?(Topic, category)).to be_falsey
Finalize read only and post only categories, finished off UI work
2013-07-16 01:44:07 -04:00
end
Add min_trust_to_create_topic setting to require a certain trust level before users can start new topics
2013-09-03 19:12:22 -04:00
it "is true for new users by default" do
Prefabricate category
2019-05-07 04:37:42 -04:00
expect(Guardian.new(user).can_create?(Topic, plain_category)).to be_truthy
Add min_trust_to_create_topic setting to require a certain trust level before users can start new topics
2013-09-03 19:12:22 -04:00
end
it "is false if user has not met minimum trust level" do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.min_trust_to_create_topic = 1
Prefabricate category
2019-05-07 04:37:42 -04:00
expect(Guardian.new(build(:user, trust_level: 0)).can_create?(Topic, plain_category)).to be_falsey
Add min_trust_to_create_topic setting to require a certain trust level before users can start new topics
2013-09-03 19:12:22 -04:00
end
it "is true if user has met or exceeded the minimum trust level" do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.min_trust_to_create_topic = 1
Prefabricate category
2019-05-07 04:37:42 -04:00
expect(Guardian.new(build(:user, trust_level: 1)).can_create?(Topic, plain_category)).to be_truthy
expect(Guardian.new(build(:user, trust_level: 2)).can_create?(Topic, plain_category)).to be_truthy
expect(Guardian.new(build(:admin, trust_level: 0)).can_create?(Topic, plain_category)).to be_truthy
expect(Guardian.new(build(:moderator, trust_level: 0)).can_create?(Topic, plain_category)).to be_truthy
Add min_trust_to_create_topic setting to require a certain trust level before users can start new topics
2013-09-03 19:12:22 -04:00
end
Finalize read only and post only categories, finished off UI work
2013-07-16 01:44:07 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
describe 'a Post' do
Finalize read only and post only categories, finished off UI work
2013-07-16 01:44:07 -04:00
it "is false on readonly categories" do
Prefabricate category
2019-05-07 04:37:42 -04:00
category = plain_category
Finalize read only and post only categories, finished off UI work
2013-07-16 01:44:07 -04:00
topic.category = category
category.set_permissions(everyone: :readonly)
category.save
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(topic.user).can_create?(Post, topic)).to be_falsey
FIX: restrict moderators from creating/editing topics in readonly categories In the past moderators had blanket access to all categories they were allowed to see. This tightens down the restriction.
2016-04-13 01:59:38 -04:00
expect(Guardian.new(moderator).can_create?(Post, topic)).to be_falsey
Finalize read only and post only categories, finished off UI work
2013-07-16 01:44:07 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it "is false when not logged in" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_create?(Post, topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'is true for a regular user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(topic.user).can_create?(Post, topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "is false when you can't see the topic" do
Guardian.any_instance.expects(:can_see?).with(topic).returns(false)
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(topic.user).can_create?(Post, topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
context 'closed topic' do
before do
topic.closed = true
end
it "doesn't allow new posts from regular users" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(topic.user).can_create?(Post, topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'allows editing of posts' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(topic.user).can_edit?(post)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "allows new posts from moderators" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_create?(Post, topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "allows new posts from admins" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_create?(Post, topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: Trust level 4 abilities: pin/unpin, close, archive, make invisible, split/merge topic
2014-03-17 14:50:28 -04:00
remove elder terminology in specs
2014-09-05 02:52:40 -04:00
it "allows new posts from trust_level_4s" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(trust_level_4).can_create?(Post, topic)).to be_truthy
FEATURE: Trust level 4 abilities: pin/unpin, close, archive, make invisible, split/merge topic
2014-03-17 14:50:28 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
context 'archived topic' do
before do
topic.archived = true
end
context 'regular users' do
it "doesn't allow new posts from regular users" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(coding_horror).can_create?(Post, topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FIX: staff should be able to edit topics that have been archived
2014-08-15 12:44:58 -04:00
it 'does not allow editing of posts' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(coding_horror).can_edit?(post)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
remove trailing whitespaces :heart:
2013-02-25 11:42:20 -05:00
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it "allows new posts from moderators" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_create?(Post, topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "allows new posts from admins" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_create?(Post, topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
Staff can enter and view deleted topics
2013-07-11 16:38:46 -04:00
context "trashed topic" do
before do
topic.deleted_at = Time.now
end
it "doesn't allow new posts from regular users" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(coding_horror).can_create?(Post, topic)).to be_falsey
Staff can enter and view deleted topics
2013-07-11 16:38:46 -04:00
end
it "doesn't allow new posts from moderators users" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_create?(Post, topic)).to be_falsey
Staff can enter and view deleted topics
2013-07-11 16:38:46 -04:00
end
it "doesn't allow new posts from admins" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_create?(Post, topic)).to be_falsey
Staff can enter and view deleted topics
2013-07-11 16:38:46 -04:00
end
end
FIX: UX improvements for system messages when PMs are disabled
2018-01-23 13:11:39 -05:00
context "system message" do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:private_message) {
FIX: UX improvements for system messages when PMs are disabled
2018-01-23 13:11:39 -05:00
Fabricate(
:topic,
archetype: Archetype.private_message,
subtype: 'system_message',
category_id: nil
)
}
before { user.save! }
it "allows the user to reply to system messages" do
expect(Guardian.new(user).can_create_post?(private_message)).to eq(true)
SiteSetting.enable_system_message_replies = false
expect(Guardian.new(user).can_create_post?(private_message)).to eq(false)
end
end
FEATURE: blocked users can send and reply to private messages from staff
2016-01-22 12:54:18 -05:00
context "private message" do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:private_message) { Fabricate(:topic, archetype: Archetype.private_message, category_id: nil) }
Staff can enter and view deleted topics
2013-07-11 16:38:46 -04:00
FEATURE: blocked users can send and reply to private messages from staff
2016-01-22 12:54:18 -05:00
before { user.save! }
it "allows new posts by people included in the pm" do
private_message.topic_allowed_users.create!(user_id: user.id)
expect(Guardian.new(user).can_create?(Post, private_message)).to be_truthy
end
it "doesn't allow new posts by people not invited to the pm" do
expect(Guardian.new(user).can_create?(Post, private_message)).to be_falsey
end
Rename "Blocked" to "Silenced"
2017-11-10 12:18:08 -05:00
it "allows new posts from silenced users included in the pm" do
FEATURE: Support an end date for user silencing
2017-11-13 13:41:36 -05:00
user.update_attribute(:silenced_till, 1.year.from_now)
FEATURE: blocked users can send and reply to private messages from staff
2016-01-22 12:54:18 -05:00
private_message.topic_allowed_users.create!(user_id: user.id)
expect(Guardian.new(user).can_create?(Post, private_message)).to be_truthy
end
Rename "Blocked" to "Silenced"
2017-11-10 12:18:08 -05:00
it "doesn't allow new posts from silenced users not invited to the pm" do
FEATURE: Support an end date for user silencing
2017-11-13 13:41:36 -05:00
user.update_attribute(:silenced_till, 1.year.from_now)
FEATURE: blocked users can send and reply to private messages from staff
2016-01-22 12:54:18 -05:00
expect(Guardian.new(user).can_create?(Post, private_message)).to be_falsey
end
end
end # can_create? a Post
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
describe 'post_can_act?' do
it "isn't allowed on nil" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).post_can_act?(nil, nil)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
describe 'a Post' do
remove trailing whitespaces :heart:
2013-02-25 11:42:20 -05:00
let (:guardian) do
Initial release of Discourse
2013-02-05 14:16:51 -05:00
Guardian.new(user)
end
it "isn't allowed when not logged in" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).post_can_act?(post, :vote)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "is allowed as a regular user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(guardian.post_can_act?(post, :vote)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "isn't allowed on archived topics" do
topic.archived = true
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).post_can_act?(post, :like)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
end
Can recover deleted topics. Deleted topics show the first post as deleted in the UI.
2013-07-12 12:08:23 -04:00
describe "can_recover_topic?" do
FIX: Add DB constraints for post & topic counter cache for `UserStat` (#15626) Ensures that `UserStat#post_count` and `UserStat#topic_count` does not go below 0. When it does like it did now, we tend to have bugs in our code since we're usually coding with the assumption that the count isn't negative. In order to support the constraints, our post and topic fabricators in tests will now automatically increment the count for the respective user's `UserStat` as well. We have to do this because our fabricators bypasss `PostCreator` which holds the responsibility of updating `UserStat#post_count` and `UserStat#topic_count`.
2022-02-06 22:23:34 -05:00
fab!(:topic) { Fabricate(:topic, user: user) }
fab!(:post) { Fabricate(:post, user: user, topic: topic) }
Can recover deleted topics. Deleted topics show the first post as deleted in the UI.
2013-07-12 12:08:23 -04:00
it "returns false for a nil user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_recover_topic?(topic)).to be_falsey
Can recover deleted topics. Deleted topics show the first post as deleted in the UI.
2013-07-12 12:08:23 -04:00
end
it "returns false for a nil object" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_recover_topic?(nil)).to be_falsey
Can recover deleted topics. Deleted topics show the first post as deleted in the UI.
2013-07-12 12:08:23 -04:00
end
it "returns false for a regular user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_recover_topic?(topic)).to be_falsey
Can recover deleted topics. Deleted topics show the first post as deleted in the UI.
2013-07-12 12:08:23 -04:00
end
FIX: Can't recover a post when its user has been deleted. https://meta.discourse.org/t/moving-posts-to-new-topic/58436
2017-03-06 00:17:57 -05:00
context 'as a moderator' do
describe 'when post has been deleted' do
it "should return the right value" do
expect(Guardian.new(moderator).can_recover_topic?(topic)).to be_falsey
PostDestroyer.new(moderator, topic.first_post).destroy
expect(Guardian.new(moderator).can_recover_topic?(topic.reload)).to be_truthy
end
end
describe "when post's user has been deleted" do
it 'should return the right value' do
PostDestroyer.new(moderator, topic.first_post).destroy
topic.first_post.user.destroy!
FIX: Recovered posts with no user will be taken over by system user (#8834)
2020-02-06 03:19:04 -05:00
expect(Guardian.new(moderator).can_recover_topic?(topic.reload)).to be_truthy
FIX: Can't recover a post when its user has been deleted. https://meta.discourse.org/t/moving-posts-to-new-topic/58436
2017-03-06 00:17:57 -05:00
end
end
Can recover deleted topics. Deleted topics show the first post as deleted in the UI.
2013-07-12 12:08:23 -04:00
end
FEATURE: Allow category group moderators to delete topics (#11069) * FEATURE - allow category group moderators to delete topics * Allow individual posts to be deleted * DEV - refactor for new `can_moderate_topic?` method
2020-11-05 12:18:26 -05:00
context 'category group moderation is enabled' do
fab!(:group_user) { Fabricate(:group_user) }
before do
SiteSetting.enable_category_group_moderation = true
PostDestroyer.new(moderator, topic.first_post).destroy
topic.reload
end
it "returns false if user is not a member of the appropriate group" do
expect(Guardian.new(group_user.user).can_recover_topic?(topic)).to be_falsey
end
it "returns true if user is a member of the appropriate group" do
topic.category.update!(reviewable_by_group_id: group_user.group.id)
expect(Guardian.new(group_user.user).can_recover_topic?(topic)).to be_truthy
end
end
Can recover deleted topics. Deleted topics show the first post as deleted in the UI.
2013-07-12 12:08:23 -04:00
end
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
describe "can_recover_post?" do
it "returns false for a nil user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_recover_post?(post)).to be_falsey
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
end
it "returns false for a nil object" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_recover_post?(nil)).to be_falsey
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
end
it "returns false for a regular user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_recover_post?(post)).to be_falsey
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
end
FIX: Can't recover a post when its user has been deleted. https://meta.discourse.org/t/moving-posts-to-new-topic/58436
2017-03-06 00:17:57 -05:00
context 'as a moderator' do
FIX: Add DB constraints for post & topic counter cache for `UserStat` (#15626) Ensures that `UserStat#post_count` and `UserStat#topic_count` does not go below 0. When it does like it did now, we tend to have bugs in our code since we're usually coding with the assumption that the count isn't negative. In order to support the constraints, our post and topic fabricators in tests will now automatically increment the count for the respective user's `UserStat` as well. We have to do this because our fabricators bypasss `PostCreator` which holds the responsibility of updating `UserStat#post_count` and `UserStat#topic_count`.
2022-02-06 22:23:34 -05:00
fab!(:topic) { Fabricate(:topic, user: user) }
fab!(:post) { Fabricate(:post, user: user, topic: topic) }
FIX: Can't recover a post when its user has been deleted. https://meta.discourse.org/t/moving-posts-to-new-topic/58436
2017-03-06 00:17:57 -05:00
describe 'when post has been deleted' do
it "should return the right value" do
expect(Guardian.new(moderator).can_recover_post?(post)).to be_falsey
PostDestroyer.new(moderator, post).destroy
expect(Guardian.new(moderator).can_recover_post?(post.reload)).to be_truthy
end
describe "when post's user has been deleted" do
it 'should return the right value' do
PostDestroyer.new(moderator, post).destroy
post.user.destroy!
FIX: Recovered posts with no user will be taken over by system user (#8834)
2020-02-06 03:19:04 -05:00
expect(Guardian.new(moderator).can_recover_post?(post.reload)).to be_truthy
FIX: Can't recover a post when its user has been deleted. https://meta.discourse.org/t/moving-posts-to-new-topic/58436
2017-03-06 00:17:57 -05:00
end
end
end
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
end
end
FEATURE: move a topic from PM to regular topic or vice versa
2016-05-01 07:48:43 -04:00
context 'can_convert_topic?' do
it 'returns false with a nil object' do
expect(Guardian.new(user).can_convert_topic?(nil)).to be_falsey
end
it 'returns false when not logged in' do
expect(Guardian.new.can_convert_topic?(topic)).to be_falsey
end
FEATURE: allow moderators to convert a private message to public topic or vice versa
2016-05-04 12:29:56 -04:00
it 'returns false when not staff' do
expect(Guardian.new(trust_level_4).can_convert_topic?(topic)).to be_falsey
Don't allow category definition topics to be converted to PMs (#5216)
2017-10-02 04:04:58 -04:00
end
it 'returns false for category definition topics' do
Prefabricate category
2019-05-07 04:37:42 -04:00
c = plain_category
Don't allow category definition topics to be converted to PMs (#5216)
2017-10-02 04:04:58 -04:00
topic = Topic.find_by(id: c.topic_id)
expect(Guardian.new(admin).can_convert_topic?(topic)).to be_falsey
FEATURE: allow moderators to convert a private message to public topic or vice versa
2016-05-04 12:29:56 -04:00
end
it 'returns true when a moderator' do
expect(Guardian.new(moderator).can_convert_topic?(topic)).to be_truthy
FEATURE: move a topic from PM to regular topic or vice versa
2016-05-01 07:48:43 -04:00
end
it 'returns true when an admin' do
expect(Guardian.new(admin).can_convert_topic?(topic)).to be_truthy
end
FIX: Disable "Make Personal Message" if they are disabled
2018-03-02 20:28:39 -05:00
it 'returns false when personal messages are disabled' do
SiteSetting.enable_personal_messages = false
expect(Guardian.new(admin).can_convert_topic?(topic)).to be_falsey
end
FEATURE: move a topic from PM to regular topic or vice versa
2016-05-01 07:48:43 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
describe 'can_edit?' do
it 'returns false with a nil object' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_edit?(nil)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
describe 'a Post' do
FEATURE: silenced users should not be allowed to edit posts
2018-08-15 00:29:36 -04:00
it 'returns false for silenced users' do
post.user.silenced_till = 1.day.from_now
expect(Guardian.new(post.user).can_edit?(post)).to be_falsey
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it 'returns false when not logged in' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_edit?(post)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Wiki Post
2014-05-13 08:53:11 -04:00
it 'returns false when not logged in also for wiki post' do
post.wiki = true
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_edit?(post)).to be_falsey
Wiki Post
2014-05-13 08:53:11 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it 'returns true if you want to edit your own post' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(post.user).can_edit?(post)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: Staff members can lock posts Locking a post prevents it from being edited. This is useful if the user has posted something which has been edited out, and the staff members don't want them to be able to edit it back in again.
2018-01-25 15:38:40 -05:00
it 'returns false if you try to edit a locked post' do
post.locked_by_id = moderator.id
expect(Guardian.new(post.user).can_edit?(post)).to be_falsey
end
Disable editing of hidden posts within a timeframe from when the post was initially hidden.
2014-06-20 15:38:03 -04:00
it "returns false if the post is hidden due to flagging and it's too soon" do
post.hidden = true
post.hidden_at = Time.now
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(post.user).can_edit?(post)).to be_falsey
Disable editing of hidden posts within a timeframe from when the post was initially hidden.
2014-06-20 15:38:03 -04:00
end
it "returns true if the post is hidden due to flagging and it been enough time" do
post.hidden = true
post.hidden_at = (SiteSetting.cooldown_minutes_after_hiding_posts + 1).minutes.ago
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(post.user).can_edit?(post)).to be_truthy
FIX: If a post has been hidden due to flagging, don't use the absolute edit window for edit prevention.
2014-09-16 11:20:31 -04:00
end
it "returns true if the post is hidden, it's been enough time and the edit window has expired" do
post.hidden = true
post.hidden_at = (SiteSetting.cooldown_minutes_after_hiding_posts + 1).minutes.ago
post.created_at = (SiteSetting.post_edit_time_limit + 1).minutes.ago
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(post.user).can_edit?(post)).to be_truthy
Disable editing of hidden posts within a timeframe from when the post was initially hidden.
2014-06-20 15:38:03 -04:00
end
it "returns true if the post is hidden due to flagging and it's got a nil `hidden_at`" do
post.hidden = true
post.hidden_at = nil
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(post.user).can_edit?(post)).to be_truthy
Disable editing of hidden posts within a timeframe from when the post was initially hidden.
2014-06-20 15:38:03 -04:00
end
allow end user to recover a post they delete automatically delete stubs after 1 day
2013-07-22 03:48:24 -04:00
it 'returns false if you are trying to edit a post you soft deleted' do
post.user_deleted = true
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(post.user).can_edit?(post)).to be_falsey
allow end user to recover a post they delete automatically delete stubs after 1 day
2013-07-22 03:48:24 -04:00
end
Wiki Post
2014-05-13 08:53:11 -04:00
it 'returns false if another regular user tries to edit a soft deleted wiki post' do
post.wiki = true
post.user_deleted = true
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(coding_horror).can_edit?(post)).to be_falsey
Wiki Post
2014-05-13 08:53:11 -04:00
end
allow end user to recover a post they delete automatically delete stubs after 1 day
2013-07-22 03:48:24 -04:00
it 'returns false if you are trying to edit a deleted post' do
post.deleted_at = 1.day.ago
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(post.user).can_edit?(post)).to be_falsey
allow end user to recover a post they delete automatically delete stubs after 1 day
2013-07-22 03:48:24 -04:00
end
Wiki Post
2014-05-13 08:53:11 -04:00
it 'returns false if another regular user tries to edit a deleted wiki post' do
post.wiki = true
post.deleted_at = 1.day.ago
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(coding_horror).can_edit?(post)).to be_falsey
Wiki Post
2014-05-13 08:53:11 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it 'returns false if another regular user tries to edit your post' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(coding_horror).can_edit?(post)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Wiki Post
2014-05-13 08:53:11 -04:00
it 'returns true if another regular user tries to edit wiki post' do
post.wiki = true
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(coding_horror).can_edit?(post)).to be_truthy
Wiki Post
2014-05-13 08:53:11 -04:00
end
FIX: Don't let users edit wiki posts unless they can reply
2017-05-08 16:23:11 -04:00
it "returns false if a wiki but the user can't create a post" do
Prefabricate category
2019-05-07 04:37:42 -04:00
c = plain_category
FIX: Don't let users edit wiki posts unless they can reply
2017-05-08 16:23:11 -04:00
c.set_permissions(everyone: :readonly)
c.save
topic = Fabricate(:topic, category: c)
post = Fabricate(:post, topic: topic)
post.wiki = true
expect(Guardian.new(user).can_edit?(post)).to eq(false)
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it 'returns true as a moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit?(post)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: Staff members can lock posts Locking a post prevents it from being edited. This is useful if the user has posted something which has been edited out, and the staff members don't want them to be able to edit it back in again.
2018-01-25 15:38:40 -05:00
it 'returns true as a moderator, even if locked' do
post.locked_by_id = admin.id
expect(Guardian.new(moderator).can_edit?(post)).to be_truthy
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it 'returns true as an admin' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit?(post)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Add post_edit_time_limit site setting to limit the how long a post can be edited and deleted by the author. Default is 1 year.
2014-01-07 10:32:09 -05:00
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
it 'returns true as a trust level 4 user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(trust_level_4).can_edit?(post)).to be_truthy
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
end
FEATURE: allow category group moderators to edit posts (#11005) * FEATURE: allow category group moderators to edit posts If the `enable_category_group_moderation` SiteSetting is enabled, posts should be editable by those belonging to the appropraite groups.
2020-10-23 12:37:44 -04:00
it 'returns false as a TL4 user if trusted_users_can_edit_others is false' do
New site setting `trusted_users_can_edit_others` The default is true to keep with previous discourse behavior. If disabled, high trust level users cannot edit the topics or posts of other users.
2018-02-22 20:39:24 -05:00
SiteSetting.trusted_users_can_edit_others = false
expect(Guardian.new(trust_level_4).can_edit?(post)).to eq(false)
end
FIX: Edit title respects min trust to edit post This fix ensures that the site setting `post_edit_time_limit` does not bypass the limit of the site setting `min_trust_to_edit_post`. This prevents a bug where users that did not meet the minimum trust level to edit could edit the title of topics.
2020-02-04 18:28:35 -05:00
it 'returns false when trying to edit a topic with no trust' do
SiteSetting.min_trust_to_edit_post = 2
post.user.trust_level = 1
expect(Guardian.new(topic.user).can_edit?(topic)).to be_falsey
end
FEATURE: add min_trust_level_to_edit_post add minimum trust level to edit post (default 0)
2016-09-30 12:12:27 -04:00
it 'returns false when trying to edit a post with no trust' do
SiteSetting.min_trust_to_edit_post = 2
post.user.trust_level = 1
expect(Guardian.new(post.user).can_edit?(post)).to be_falsey
end
it 'returns true when trying to edit a post with trust' do
SiteSetting.min_trust_to_edit_post = 1
post.user.trust_level = 1
expect(Guardian.new(post.user).can_edit?(post)).to be_truthy
end
FIX: use the 'post edit time limit' for topics too
2015-02-25 14:53:21 -05:00
it 'returns false when another user has too low trust level to edit wiki post' do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.min_trust_to_edit_wiki_post = 2
FIX: use the 'post edit time limit' for topics too
2015-02-25 14:53:21 -05:00
post.wiki = true
coding_horror.trust_level = 1
expect(Guardian.new(coding_horror).can_edit?(post)).to be_falsey
end
it 'returns true when another user has adequate trust level to edit wiki post' do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.min_trust_to_edit_wiki_post = 2
FIX: use the 'post edit time limit' for topics too
2015-02-25 14:53:21 -05:00
post.wiki = true
coding_horror.trust_level = 2
expect(Guardian.new(coding_horror).can_edit?(post)).to be_truthy
end
it 'returns true for post author even when he has too low trust level to edit wiki post' do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.min_trust_to_edit_wiki_post = 2
FIX: use the 'post edit time limit' for topics too
2015-02-25 14:53:21 -05:00
post.wiki = true
post.user.trust_level = 1
expect(Guardian.new(post.user).can_edit?(post)).to be_truthy
end
FEATURE: Category setting to allow unlimited first post edits by the owner of the topic (#12690) This PR adds a new category setting which is a column in the `categories` table, `allow_unlimited_owner_edits_on_first_post`. What this does is: * Inside the `can_edit_post?` method of `PostGuardian`, if the current user editing a post is the owner of the post, it is the first post, and the topic's category has `allow_unlimited_owner_edits_on_first_post`, then we bypass the check for `LimitedEdit#edit_time_limit_expired?` on that post. * Also, similar to wiki topics, in `PostActionNotifier#after_create_post_revision` we send a notification to all users watching a topic when the OP is edited in a topic with the category setting `allow_unlimited_owner_edits_on_first_post` enabled. This is useful for forums where there is a Marketplace or similar category, where topics are created and then updated indefinitely by the OP rather than the OP making new topics or additional replies. In a way this acts similar to a wiki that only one person can edit.
2021-04-14 01:54:09 -04:00
context "shared drafts" do
fab!(:category) { Fabricate(:category) }
let(:topic) { Fabricate(:topic, category: category) }
let(:post_with_draft) { Fabricate(:post, topic: topic) }
before do
SiteSetting.shared_drafts_category = category.id
SiteSetting.shared_drafts_min_trust_level = '2'
Fabricate(:shared_draft, topic: topic)
end
it 'returns true if a shared draft exists' do
expect(Guardian.new(trust_level_2).can_edit_post?(post_with_draft)).to eq(true)
end
it 'returns false if the user has a lower trust level' do
expect(Guardian.new(trust_level_1).can_edit_post?(post_with_draft)).to eq(false)
end
it 'returns false if the draft is from a different category' do
topic.update!(category: Fabricate(:category))
expect(Guardian.new(trust_level_2).can_edit_post?(post_with_draft)).to eq(false)
end
end
FEATURE: allow category group moderators to edit posts (#11005) * FEATURE: allow category group moderators to edit posts If the `enable_category_group_moderation` SiteSetting is enabled, posts should be editable by those belonging to the appropraite groups.
2020-10-23 12:37:44 -04:00
context 'category group moderation is enabled' do
fab!(:cat_mod_user) { Fabricate(:user) }
before do
SiteSetting.enable_category_group_moderation = true
GroupUser.create!(group_id: group.id, user_id: cat_mod_user.id)
post.topic.category.update!(reviewable_by_group_id: group.id)
end
it 'returns true as a category group moderator user' do
expect(Guardian.new(cat_mod_user).can_edit?(post)).to eq(true)
end
it 'returns false for a regular user' do
expect(Guardian.new(another_user).can_edit?(post)).to eq(false)
end
end
FEATURE: New post editing period for >= tl2 users (#8070) * FEATURE: Add tl2 threshold for editing new posts * Adds a new setting and for tl2 editing posts (30 days same as old value) * Sets the tl0/tl1 editing period as 1 day * FIX: Spec uses wrong setting * Fix site setting on guardian spec * FIX: post editing period specs * Avoid shared examples * Use update_columns to avoid callbacks on user during tests
2019-09-06 07:44:12 -04:00
describe 'post edit time limits' do
FEATURE: Category setting to allow unlimited first post edits by the owner of the topic (#12690) This PR adds a new category setting which is a column in the `categories` table, `allow_unlimited_owner_edits_on_first_post`. What this does is: * Inside the `can_edit_post?` method of `PostGuardian`, if the current user editing a post is the owner of the post, it is the first post, and the topic's category has `allow_unlimited_owner_edits_on_first_post`, then we bypass the check for `LimitedEdit#edit_time_limit_expired?` on that post. * Also, similar to wiki topics, in `PostActionNotifier#after_create_post_revision` we send a notification to all users watching a topic when the OP is edited in a topic with the category setting `allow_unlimited_owner_edits_on_first_post` enabled. This is useful for forums where there is a Marketplace or similar category, where topics are created and then updated indefinitely by the OP rather than the OP making new topics or additional replies. In a way this acts similar to a wiki that only one person can edit.
2021-04-14 01:54:09 -04:00
FEATURE: New post editing period for >= tl2 users (#8070) * FEATURE: Add tl2 threshold for editing new posts * Adds a new setting and for tl2 editing posts (30 days same as old value) * Sets the tl0/tl1 editing period as 1 day * FIX: Spec uses wrong setting * Fix site setting on guardian spec * FIX: post editing period specs * Avoid shared examples * Use update_columns to avoid callbacks on user during tests
2019-09-06 07:44:12 -04:00
context 'post is older than post_edit_time_limit' do
FEATURE: Category setting to allow unlimited first post edits by the owner of the topic (#12690) This PR adds a new category setting which is a column in the `categories` table, `allow_unlimited_owner_edits_on_first_post`. What this does is: * Inside the `can_edit_post?` method of `PostGuardian`, if the current user editing a post is the owner of the post, it is the first post, and the topic's category has `allow_unlimited_owner_edits_on_first_post`, then we bypass the check for `LimitedEdit#edit_time_limit_expired?` on that post. * Also, similar to wiki topics, in `PostActionNotifier#after_create_post_revision` we send a notification to all users watching a topic when the OP is edited in a topic with the category setting `allow_unlimited_owner_edits_on_first_post` enabled. This is useful for forums where there is a Marketplace or similar category, where topics are created and then updated indefinitely by the OP rather than the OP making new topics or additional replies. In a way this acts similar to a wiki that only one person can edit.
2021-04-14 01:54:09 -04:00
let(:topic) { Fabricate(:topic) }
let(:old_post) { Fabricate(:post, topic: topic, user: topic.user, created_at: 6.minutes.ago) }
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
FEATURE: New post editing period for >= tl2 users (#8070) * FEATURE: Add tl2 threshold for editing new posts * Adds a new setting and for tl2 editing posts (30 days same as old value) * Sets the tl0/tl1 editing period as 1 day * FIX: Spec uses wrong setting * Fix site setting on guardian spec * FIX: post editing period specs * Avoid shared examples * Use update_columns to avoid callbacks on user during tests
2019-09-06 07:44:12 -04:00
before do
topic.user.update_columns(trust_level: 1)
SiteSetting.post_edit_time_limit = 5
end
Add post_edit_time_limit site setting to limit the how long a post can be edited and deleted by the author. Default is 1 year.
2014-01-07 10:32:09 -05:00
FEATURE: New post editing period for >= tl2 users (#8070) * FEATURE: Add tl2 threshold for editing new posts * Adds a new setting and for tl2 editing posts (30 days same as old value) * Sets the tl0/tl1 editing period as 1 day * FIX: Spec uses wrong setting * Fix site setting on guardian spec * FIX: post editing period specs * Avoid shared examples * Use update_columns to avoid callbacks on user during tests
2019-09-06 07:44:12 -04:00
it 'returns false to the author of the post' do
expect(Guardian.new(old_post.user).can_edit?(old_post)).to be_falsey
end
Add post_edit_time_limit site setting to limit the how long a post can be edited and deleted by the author. Default is 1 year.
2014-01-07 10:32:09 -05:00
FEATURE: New post editing period for >= tl2 users (#8070) * FEATURE: Add tl2 threshold for editing new posts * Adds a new setting and for tl2 editing posts (30 days same as old value) * Sets the tl0/tl1 editing period as 1 day * FIX: Spec uses wrong setting * Fix site setting on guardian spec * FIX: post editing period specs * Avoid shared examples * Use update_columns to avoid callbacks on user during tests
2019-09-06 07:44:12 -04:00
it 'returns true as a moderator' do
expect(Guardian.new(moderator).can_edit?(old_post)).to eq(true)
end
Add post_edit_time_limit site setting to limit the how long a post can be edited and deleted by the author. Default is 1 year.
2014-01-07 10:32:09 -05:00
FEATURE: New post editing period for >= tl2 users (#8070) * FEATURE: Add tl2 threshold for editing new posts * Adds a new setting and for tl2 editing posts (30 days same as old value) * Sets the tl0/tl1 editing period as 1 day * FIX: Spec uses wrong setting * Fix site setting on guardian spec * FIX: post editing period specs * Avoid shared examples * Use update_columns to avoid callbacks on user during tests
2019-09-06 07:44:12 -04:00
it 'returns true as an admin' do
expect(Guardian.new(admin).can_edit?(old_post)).to eq(true)
end
it 'returns false for another regular user trying to edit your post' do
expect(Guardian.new(coding_horror).can_edit?(old_post)).to be_falsey
end
Add post_edit_time_limit site setting to limit the how long a post can be edited and deleted by the author. Default is 1 year.
2014-01-07 10:32:09 -05:00
FEATURE: New post editing period for >= tl2 users (#8070) * FEATURE: Add tl2 threshold for editing new posts * Adds a new setting and for tl2 editing posts (30 days same as old value) * Sets the tl0/tl1 editing period as 1 day * FIX: Spec uses wrong setting * Fix site setting on guardian spec * FIX: post editing period specs * Avoid shared examples * Use update_columns to avoid callbacks on user during tests
2019-09-06 07:44:12 -04:00
it 'returns true for another regular user trying to edit a wiki post' do
old_post.wiki = true
expect(Guardian.new(coding_horror).can_edit?(old_post)).to be_truthy
end
FEATURE: Category setting to allow unlimited first post edits by the owner of the topic (#12690) This PR adds a new category setting which is a column in the `categories` table, `allow_unlimited_owner_edits_on_first_post`. What this does is: * Inside the `can_edit_post?` method of `PostGuardian`, if the current user editing a post is the owner of the post, it is the first post, and the topic's category has `allow_unlimited_owner_edits_on_first_post`, then we bypass the check for `LimitedEdit#edit_time_limit_expired?` on that post. * Also, similar to wiki topics, in `PostActionNotifier#after_create_post_revision` we send a notification to all users watching a topic when the OP is edited in a topic with the category setting `allow_unlimited_owner_edits_on_first_post` enabled. This is useful for forums where there is a Marketplace or similar category, where topics are created and then updated indefinitely by the OP rather than the OP making new topics or additional replies. In a way this acts similar to a wiki that only one person can edit.
2021-04-14 01:54:09 -04:00
context "unlimited owner edits on first post" do
let(:owner) { old_post.user }
it "returns true when the post topic's category allow_unlimited_owner_edits_on_first_post" do
old_post.topic.category.update(allow_unlimited_owner_edits_on_first_post: true)
expect(Guardian.new(owner).can_edit?(old_post)).to be_truthy
end
it "returns false when the post topic's category does not allow_unlimited_owner_edits_on_first_post" do
old_post.topic.category.update(allow_unlimited_owner_edits_on_first_post: false)
expect(Guardian.new(owner).can_edit?(old_post)).to be_falsey
end
it "returns false when the post topic's category allow_unlimited_owner_edits_on_first_post but the post is not the first in the topic" do
old_post.topic.category.update(allow_unlimited_owner_edits_on_first_post: true)
new_post = Fabricate(:post, user: owner, topic: old_post.topic, created_at: 6.minutes.ago)
expect(Guardian.new(owner).can_edit?(new_post)).to be_falsey
end
it "returns false when someone other than owner is editing and category allow_unlimited_owner_edits_on_first_post" do
old_post.topic.category.update(allow_unlimited_owner_edits_on_first_post: false)
expect(Guardian.new(coding_horror).can_edit?(old_post)).to be_falsey
end
end
Add post_edit_time_limit site setting to limit the how long a post can be edited and deleted by the author. Default is 1 year.
2014-01-07 10:32:09 -05:00
end
Wiki Post
2014-05-13 08:53:11 -04:00
FEATURE: New post editing period for >= tl2 users (#8070) * FEATURE: Add tl2 threshold for editing new posts * Adds a new setting and for tl2 editing posts (30 days same as old value) * Sets the tl0/tl1 editing period as 1 day * FIX: Spec uses wrong setting * Fix site setting on guardian spec * FIX: post editing period specs * Avoid shared examples * Use update_columns to avoid callbacks on user during tests
2019-09-06 07:44:12 -04:00
context 'post is older than tl2_post_edit_time_limit' do
let(:old_post) { build(:post, topic: topic, user: topic.user, created_at: 12.minutes.ago) }
before do
topic.user.update_columns(trust_level: 2)
SiteSetting.tl2_post_edit_time_limit = 10
end
it 'returns false to the author of the post' do
expect(Guardian.new(old_post.user).can_edit?(old_post)).to be_falsey
end
it 'returns true as a moderator' do
expect(Guardian.new(moderator).can_edit?(old_post)).to eq(true)
end
it 'returns true as an admin' do
expect(Guardian.new(admin).can_edit?(old_post)).to eq(true)
end
it 'returns false for another regular user trying to edit your post' do
expect(Guardian.new(coding_horror).can_edit?(old_post)).to be_falsey
end
it 'returns true for another regular user trying to edit a wiki post' do
old_post.wiki = true
expect(Guardian.new(coding_horror).can_edit?(old_post)).to be_truthy
end
Wiki Post
2014-05-13 08:53:11 -04:00
end
Add post_edit_time_limit site setting to limit the how long a post can be edited and deleted by the author. Default is 1 year.
2014-01-07 10:32:09 -05:00
end
FIX: only admin can edit faq, tos, and privacy policy
2014-07-29 10:40:02 -04:00
context "first post of a static page doc" do
let!(:tos_topic) { Fabricate(:topic, user: Discourse.system_user) }
let!(:tos_first_post) { build(:post, topic: tos_topic, user: tos_topic.user) }
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
before { SiteSetting.tos_topic_id = tos_topic.id }
FIX: only admin can edit faq, tos, and privacy policy
2014-07-29 10:40:02 -04:00
it "restricts static doc posts" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(build(:user)).can_edit?(tos_first_post)).to be_falsey
expect(Guardian.new(moderator).can_edit?(tos_first_post)).to be_falsey
expect(Guardian.new(admin).can_edit?(tos_first_post)).to be_truthy
FIX: only admin can edit faq, tos, and privacy policy
2014-07-29 10:40:02 -04:00
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
describe 'a Topic' do
it 'returns false when not logged in' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_edit?(topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true for editing your own post' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(topic.user).can_edit?(topic)).to eq(true)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns false as a regular user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(coding_horror).can_edit?(topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FIX: Respect the cooldown window when editing a flagged topic. (#16046) When staff decides to hide a flagged post, and it's the first post on the topic, the post owner shouldn't be able to edit either of them until the cooldown finishes. Edit either of them automatically, unhides the post, and makes the topic visible when there's a flag involved. Reported on meta: https://meta.discourse.org/t/users-can-edit-flagged-topic-title-when-they-should-not-be-able-to/217796
2022-02-25 09:09:31 -05:00
context 'first post is hidden' do
let!(:topic) { Fabricate(:topic, user: user) }
let!(:post) { Fabricate(:post, topic: topic, user: topic.user, hidden: true, hidden_at: Time.zone.now) }
it 'returns false for editing your own post while inside the cooldown window' do
SiteSetting.cooldown_minutes_after_hiding_posts = 30
expect(Guardian.new(topic.user).can_edit?(topic)).to eq(false)
end
end
FIX: Don't allow users to edit topic information when the OP is locked see: https://meta.discourse.org/t/user-able-to-edit-title-of-locked-post/104826
2019-06-18 14:22:38 -04:00
context "locked" do
let(:post) { Fabricate(:post, locked_by_id: admin.id) }
let(:topic) { post.topic }
it "doesn't allow users to edit locked topics" do
expect(Guardian.new(topic.user).can_edit?(topic)).to eq(false)
expect(Guardian.new(admin).can_edit?(topic)).to eq(true)
end
end
Don't allow editing of title and category of an archived topic
2013-07-09 16:48:26 -04:00
context 'not archived' do
it 'returns true as a moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit?(topic)).to eq(true)
Don't allow editing of title and category of an archived topic
2013-07-09 16:48:26 -04:00
end
it 'returns true as an admin' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit?(topic)).to eq(true)
Trust level 3 users can edit topic titles and change category
2014-01-16 11:59:26 -05:00
end
it 'returns true at trust level 3' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(true)
Don't allow editing of title and category of an archived topic
2013-07-09 16:48:26 -04:00
end
FIX: Permission issues when editing topics If a user can't create a topic in a category, they should'be be able to edit topics.
2015-04-30 17:03:51 -04:00
New site setting `trusted_users_can_edit_others` The default is true to keep with previous discourse behavior. If disabled, high trust level users cannot edit the topics or posts of other users.
2018-02-22 20:39:24 -05:00
it 'is false at TL3, if `trusted_users_can_edit_others` is false' do
SiteSetting.trusted_users_can_edit_others = false
expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(false)
end
FIX: Permission issues when editing topics If a user can't create a topic in a category, they should'be be able to edit topics.
2015-04-30 17:03:51 -04:00
it "returns false when the category is read only" do
topic.category.set_permissions(everyone: :readonly)
topic.category.save
expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(false)
FIX: restrict moderators from creating/editing topics in readonly categories In the past moderators had blanket access to all categories they were allowed to see. This tightens down the restriction.
2016-04-13 01:59:38 -04:00
expect(Guardian.new(admin).can_edit?(topic)).to eq(true)
expect(Guardian.new(moderator).can_edit?(post)).to eq(false)
expect(Guardian.new(moderator).can_edit?(topic)).to eq(false)
FIX: Permission issues when editing topics If a user can't create a topic in a category, they should'be be able to edit topics.
2015-04-30 17:03:51 -04:00
end
FIX: trust level 3 should not be able to edit topics in categories that restrict them from doing so
2016-06-01 15:41:56 -04:00
it "returns false for trust level 3 if category is secured" do
topic.category.set_permissions(everyone: :create_post, staff: :full)
topic.category.save
expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(false)
expect(Guardian.new(admin).can_edit?(topic)).to eq(true)
expect(Guardian.new(moderator).can_edit?(topic)).to eq(true)
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FIX: PM should never be allowed to have a category FIX: TL3 should not be allowed to muck with PM titles
2014-09-11 03:39:20 -04:00
context 'private message' do
it 'returns false at trust level 3' do
topic.archetype = 'private_message'
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(false)
FIX: PM should never be allowed to have a category FIX: TL3 should not be allowed to muck with PM titles
2014-09-11 03:39:20 -04:00
end
FIX: TL3 users should not be able to edit title of archived topics
2016-01-28 14:05:56 -05:00
it 'returns false at trust level 4' do
topic.archetype = 'private_message'
expect(Guardian.new(trust_level_4).can_edit?(topic)).to eq(false)
end
FIX: PM should never be allowed to have a category FIX: TL3 should not be allowed to muck with PM titles
2014-09-11 03:39:20 -04:00
end
Don't allow editing of title and category of an archived topic
2013-07-09 16:48:26 -04:00
context 'archived' do
FIX: use the 'post edit time limit' for topics too
2015-02-25 14:53:21 -05:00
let(:archived_topic) { build(:topic, user: user, archived: true) }
it 'returns true as a moderator' do
expect(Guardian.new(moderator).can_edit?(archived_topic)).to be_truthy
end
it 'returns true as an admin' do
expect(Guardian.new(admin).can_edit?(archived_topic)).to be_truthy
end
FIX: TL3 users should not be able to edit title of archived topics
2016-01-28 14:05:56 -05:00
it 'returns true at trust level 4' do
expect(Guardian.new(trust_level_4).can_edit?(archived_topic)).to be_truthy
end
New site setting `trusted_users_can_edit_others` The default is true to keep with previous discourse behavior. If disabled, high trust level users cannot edit the topics or posts of other users.
2018-02-22 20:39:24 -05:00
it 'is false at TL4, if `trusted_users_can_edit_others` is false' do
SiteSetting.trusted_users_can_edit_others = false
expect(Guardian.new(trust_level_4).can_edit?(archived_topic)).to eq(false)
end
FIX: TL3 users should not be able to edit title of archived topics
2016-01-28 14:05:56 -05:00
it 'returns false at trust level 3' do
expect(Guardian.new(trust_level_3).can_edit?(archived_topic)).to be_falsey
FIX: use the 'post edit time limit' for topics too
2015-02-25 14:53:21 -05:00
end
it 'returns false as a topic creator' do
expect(Guardian.new(user).can_edit?(archived_topic)).to be_falsey
end
end
context 'very old' do
let(:old_topic) { build(:topic, user: user, created_at: 6.minutes.ago) }
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
before { SiteSetting.post_edit_time_limit = 5 }
FIX: use the 'post edit time limit' for topics too
2015-02-25 14:53:21 -05:00
FIX: staff should be able to edit topics that have been archived
2014-08-15 12:44:58 -04:00
it 'returns true as a moderator' do
FIX: use the 'post edit time limit' for topics too
2015-02-25 14:53:21 -05:00
expect(Guardian.new(moderator).can_edit?(old_topic)).to be_truthy
Don't allow editing of title and category of an archived topic
2013-07-09 16:48:26 -04:00
end
FIX: staff should be able to edit topics that have been archived
2014-08-15 12:44:58 -04:00
it 'returns true as an admin' do
FIX: use the 'post edit time limit' for topics too
2015-02-25 14:53:21 -05:00
expect(Guardian.new(admin).can_edit?(old_topic)).to be_truthy
FIX: staff should be able to edit topics that have been archived
2014-08-15 12:44:58 -04:00
end
it 'returns true at trust level 3' do
FIX: use the 'post edit time limit' for topics too
2015-02-25 14:53:21 -05:00
expect(Guardian.new(trust_level_3).can_edit?(old_topic)).to be_truthy
Trust level 3 users can edit topic titles and change category
2014-01-16 11:59:26 -05:00
end
FIX: staff should be able to edit topics that have been archived
2014-08-15 12:44:58 -04:00
it 'returns false as a topic creator' do
FIX: use the 'post edit time limit' for topics too
2015-02-25 14:53:21 -05:00
expect(Guardian.new(user).can_edit?(old_topic)).to be_falsey
Don't allow editing of title and category of an archived topic
2013-07-09 16:48:26 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
describe 'a Category' do
it 'returns false when not logged in' do
Removed unnecessary fab!
2019-05-07 04:40:54 -04:00
expect(Guardian.new.can_edit?(plain_category)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns false as a regular user' do
Removed unnecessary fab!
2019-05-07 04:40:54 -04:00
expect(Guardian.new(plain_category.user).can_edit?(plain_category)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
SECURITY: reduce moderator rights You can now hide particular categories from certain moderators
2014-02-06 22:11:52 -05:00
it 'returns false as a moderator' do
Removed unnecessary fab!
2019-05-07 04:40:54 -04:00
expect(Guardian.new(moderator).can_edit?(plain_category)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true as an admin' do
Removed unnecessary fab!
2019-05-07 04:40:54 -04:00
expect(Guardian.new(admin).can_edit?(plain_category)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
describe 'a User' do
it 'returns false when not logged in' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_edit?(user)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns false as a different user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(coding_horror).can_edit?(user)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true when trying to edit yourself' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_edit?(user)).to be_truthy
remove trailing whitespaces :heart:
2013-02-25 11:42:20 -05:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
moderators now have teeth, more at http://meta.discourse.org/t/moderator-permission-set/6307/5 allow pms to be targetted at groups
2013-05-02 01:15:17 -04:00
it 'returns true as a moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit?(user)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true as an admin' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit?(user)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
end
context 'can_moderate?' do
it 'returns false with a nil object' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_moderate?(nil)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Rename "Blocked" to "Silenced"
2017-11-10 12:18:08 -05:00
context 'when user is silenced' do
FIX: A blocked user should not be able to moderate anything.
2016-06-20 03:41:17 -04:00
it 'returns false' do
FEATURE: Support an end date for user silencing
2017-11-13 13:41:36 -05:00
user.update_column(:silenced_till, 1.year.from_now)
FIX: A blocked user should not be able to moderate anything.
2016-06-20 03:41:17 -04:00
expect(Guardian.new(user).can_moderate?(post)).to be(false)
expect(Guardian.new(user).can_moderate?(topic)).to be(false)
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
context 'a Topic' do
it 'returns false when not logged in' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_moderate?(topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns false when not a moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_moderate?(topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true when a moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_moderate?(topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true when an admin' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_moderate?(topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: Trust level 4 abilities: pin/unpin, close, archive, make invisible, split/merge topic
2014-03-17 14:50:28 -04:00
it 'returns true when trust level 4' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(trust_level_4).can_moderate?(topic)).to be_truthy
FEATURE: Trust level 4 abilities: pin/unpin, close, archive, make invisible, split/merge topic
2014-03-17 14:50:28 -04:00
end
remove trailing whitespaces :heart:
2013-02-25 11:42:20 -05:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
context 'can_see_flags?' do
it "returns false when there is no post" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_see_flags?(nil)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "returns false when there is no user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_see_flags?(post)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
custom avatar support
2013-08-13 16:08:29 -04:00
it "allow regular users to see flags" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_see_flags?(post)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "allows moderators to see flags" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_see_flags?(post)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "allows moderators to see flags" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_see_flags?(post)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
FEATURE: Flag count in post menu This change shows a notification number besides the flag icon in the post menu if there is reviewable content associated with the post. Additionally, if there is pending stuff to review, the icon has a red background. We have also removed the list of links below a post with the flag status. A reviewer is meant to click the number beside the flag icon to view the flags. As a consequence of losing those links, we've removed the ability to undo or ignore flags below a post.
2019-05-03 14:26:37 -04:00
context "can_review_topic?" do
it 'returns false with a nil object' do
expect(Guardian.new(user).can_review_topic?(nil)).to eq(false)
end
it 'returns true for a staff user' do
expect(Guardian.new(moderator).can_review_topic?(topic)).to eq(true)
end
it 'returns false for a regular user' do
expect(Guardian.new(user).can_review_topic?(topic)).to eq(false)
end
FEATURE: Allow group moderators to close/archive topics * FEATURE: Allow group moderators to close/archive topics
2020-07-14 12:36:19 -04:00
it 'returns true for a group member with reviewable status' do
SiteSetting.enable_category_group_moderation = true
FEATURE: Flag count in post menu This change shows a notification number besides the flag icon in the post menu if there is reviewable content associated with the post. Additionally, if there is pending stuff to review, the icon has a red background. We have also removed the list of links below a post with the flag status. A reviewer is meant to click the number beside the flag icon to view the flags. As a consequence of losing those links, we've removed the ability to undo or ignore flags below a post.
2019-05-03 14:26:37 -04:00
GroupUser.create!(group_id: group.id, user_id: user.id)
topic.category.update!(reviewable_by_group_id: group.id)
expect(Guardian.new(user).can_review_topic?(topic)).to eq(true)
end
end
FEATURE: Allow group moderators to close/archive topics * FEATURE: Allow group moderators to close/archive topics
2020-07-14 12:36:19 -04:00
context "can_close_topic?" do
it 'returns false with a nil object' do
expect(Guardian.new(user).can_close_topic?(nil)).to eq(false)
end
it 'returns true for a staff user' do
expect(Guardian.new(moderator).can_close_topic?(topic)).to eq(true)
end
it 'returns false for a regular user' do
expect(Guardian.new(user).can_close_topic?(topic)).to eq(false)
end
it 'returns true for a group member with reviewable status' do
SiteSetting.enable_category_group_moderation = true
GroupUser.create!(group_id: group.id, user_id: user.id)
topic.category.update!(reviewable_by_group_id: group.id)
expect(Guardian.new(user).can_close_topic?(topic)).to eq(true)
end
end
context "can_archive_topic?" do
it 'returns false with a nil object' do
expect(Guardian.new(user).can_archive_topic?(nil)).to eq(false)
end
it 'returns true for a staff user' do
expect(Guardian.new(moderator).can_archive_topic?(topic)).to eq(true)
end
it 'returns false for a regular user' do
expect(Guardian.new(user).can_archive_topic?(topic)).to eq(false)
end
it 'returns true for a group member with reviewable status' do
SiteSetting.enable_category_group_moderation = true
GroupUser.create!(group_id: group.id, user_id: user.id)
topic.category.update!(reviewable_by_group_id: group.id)
expect(Guardian.new(user).can_archive_topic?(topic)).to eq(true)
end
end
FEATURE: Allow group moderators to add/remove staff notes (#10252) * FEATURE: Allow group moderators to add/remove staff notes
2020-07-20 15:53:47 -04:00
context "can_edit_staff_notes?" do
it 'returns false with a nil object' do
expect(Guardian.new(user).can_edit_staff_notes?(nil)).to eq(false)
end
it 'returns true for a staff user' do
expect(Guardian.new(moderator).can_edit_staff_notes?(topic)).to eq(true)
end
it 'returns false for a regular user' do
expect(Guardian.new(user).can_edit_staff_notes?(topic)).to eq(false)
end
it 'returns true for a group member with reviewable status' do
SiteSetting.enable_category_group_moderation = true
GroupUser.create!(group_id: group.id, user_id: user.id)
topic.category.update!(reviewable_by_group_id: group.id)
expect(Guardian.new(user).can_edit_staff_notes?(topic)).to eq(true)
end
end
FIX: do not allow creation of topic if there is no category available for posting (#7786)
2019-06-26 07:02:53 -04:00
context "can_create_topic?" do
it 'returns true for staff user' do
expect(Guardian.new(moderator).can_create_topic?(topic)).to eq(true)
end
it 'returns false for user with insufficient trust level' do
SiteSetting.min_trust_to_create_topic = 3
expect(Guardian.new(user).can_create_topic?(topic)).to eq(false)
end
it 'returns true for user with sufficient trust level' do
SiteSetting.min_trust_to_create_topic = 3
expect(Guardian.new(trust_level_4).can_create_topic?(topic)).to eq(true)
end
it 'returns false when posting in "uncategorized" is disabled and there is no other category available for posting' do
SiteSetting.allow_uncategorized_topics = false
plain_category.set_permissions(group => :readonly)
plain_category.save
expect(Guardian.new(user).can_create_topic?(topic)).to eq(false)
end
it 'returns true when there is a category available for posting' do
SiteSetting.allow_uncategorized_topics = false
plain_category.set_permissions(group => :full)
plain_category.save
group.add(user)
group.save
expect(Guardian.new(user).can_create_topic?(topic)).to eq(true)
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
context 'can_move_posts?' do
it 'returns false with a nil object' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_move_posts?(nil)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
context 'a Topic' do
it 'returns false when not logged in' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_move_posts?(topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns false when not a moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_move_posts?(topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true when a moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_move_posts?(topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true when an admin' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_move_posts?(topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
remove trailing whitespaces :heart:
2013-02-25 11:42:20 -05:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: New 'Reviewable' model to make reviewable items generic Includes support for flags, reviewable users and queued posts, with REST API backwards compatibility. Co-Authored-By: romanrizzi <romanalejandro@gmail.com> Co-Authored-By: jjaffeux <j.jaffeux@gmail.com>
2019-01-03 12:03:01 -05:00
context "can_delete_post_action?" do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:post) { Fabricate(:post) }
FEATURE: New 'Reviewable' model to make reviewable items generic Includes support for flags, reviewable users and queued posts, with REST API backwards compatibility. Co-Authored-By: romanrizzi <romanalejandro@gmail.com> Co-Authored-By: jjaffeux <j.jaffeux@gmail.com>
2019-01-03 12:03:01 -05:00
it "allows us to remove a bookmark" do
pa = PostActionCreator.bookmark(user, post).post_action
expect(Guardian.new(user).can_delete_post_action?(pa)).to eq(true)
end
it "allows us to remove a very old bookmark" do
pa = PostActionCreator.bookmark(user, post).post_action
pa.update(created_at: 2.years.ago)
expect(Guardian.new(user).can_delete_post_action?(pa)).to eq(true)
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
context 'can_delete?' do
it 'returns false with a nil object' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_delete?(nil)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
context 'a Topic' do
change it so all topics MUST include a category, we store a special uncategorized category to compensate this cleans up a bunch of internals and removes some settings
2013-10-23 19:05:51 -04:00
before do
# pretend we have a real topic
topic.id = 9999999
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it 'returns false when not logged in' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_delete?(topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns false when not a moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_delete?(topic)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true when a moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_delete?(topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true when an admin' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_delete?(topic)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Prevent deleting the static page doc topics
2014-08-13 17:02:44 -04:00
it 'returns false for static doc topics' do
tos_topic = Fabricate(:topic, user: Discourse.system_user)
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.tos_topic_id = tos_topic.id
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_delete?(tos_topic)).to be_falsey
Prevent deleting the static page doc topics
2014-08-13 17:02:44 -04:00
end
FIX: Let users delete topics. Follow-up to 31053f30dea876395774fc646c50ba3b638acd97.
2019-03-29 15:59:19 -04:00
it "returns true for own topics" do
topic.update_attribute(:posts_count, 1)
topic.update_attribute(:created_at, Time.zone.now)
expect(Guardian.new(topic.user).can_delete?(topic)).to be_truthy
end
DEV: Improve tests. Follow-up to 034b8a7ecc406d83b0134940e81e83848b4b3279.
2019-04-21 04:40:29 -04:00
it "returns false if topic has replies" do
topic.update!(posts_count: 2, created_at: Time.zone.now)
FIX: Let users delete topics. Follow-up to 31053f30dea876395774fc646c50ba3b638acd97.
2019-03-29 15:59:19 -04:00
expect(Guardian.new(topic.user).can_delete?(topic)).to be_falsey
end
DEV: Improve tests. Follow-up to 034b8a7ecc406d83b0134940e81e83848b4b3279.
2019-04-21 04:40:29 -04:00
it "returns false if topic was created > 24h ago" do
topic.update!(posts_count: 1, created_at: 48.hours.ago)
FIX: Let users delete topics. Follow-up to 31053f30dea876395774fc646c50ba3b638acd97.
2019-03-29 15:59:19 -04:00
expect(Guardian.new(topic.user).can_delete?(topic)).to be_falsey
end
FEATURE: Allow category group moderators to delete topics (#11069) * FEATURE - allow category group moderators to delete topics * Allow individual posts to be deleted * DEV - refactor for new `can_moderate_topic?` method
2020-11-05 12:18:26 -05:00
context 'category group moderation is enabled' do
fab!(:group_user) { Fabricate(:group_user) }
before do
SiteSetting.enable_category_group_moderation = true
end
it "returns false if user is not a member of the appropriate group" do
expect(Guardian.new(group_user.user).can_delete?(topic)).to be_falsey
end
it "returns true if user is a member of the appropriate group" do
topic.category.update!(reviewable_by_group_id: group_user.group.id)
expect(Guardian.new(group_user.user).can_delete?(topic)).to be_truthy
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
context 'a Post' do
before do
post.post_number = 2
end
it 'returns false when not logged in' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_delete?(post)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
it "returns false when trying to delete your own post that has already been deleted" do
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
post = Fabricate(:post)
PostDestroyer to replace callbacks for destroying
2013-03-18 17:52:29 -04:00
PostDestroyer.new(user, post).destroy
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
post.reload
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_delete?(post)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
it 'returns true when trying to delete your own post' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_delete?(post)).to be_truthy
FIX: TL4 users cannot delete others posts (#13554)
2021-06-30 08:51:35 -04:00
expect(Guardian.new(trust_level_0).can_delete?(post)).to be_falsey
expect(Guardian.new(trust_level_1).can_delete?(post)).to be_falsey
expect(Guardian.new(trust_level_2).can_delete?(post)).to be_falsey
expect(Guardian.new(trust_level_3).can_delete?(post)).to be_falsey
expect(Guardian.new(trust_level_4).can_delete?(post)).to be_falsey
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
end
FEATURE: allow disabling self-deletions of posts (#11668) https://meta.discourse.org/t/restoring-deleted-messages/173647/6?u=techapj
2021-01-08 10:05:13 -05:00
it 'returns false when self deletions are disabled' do
SiteSetting.max_post_deletions_per_day = 0
expect(Guardian.new(user).can_delete?(post)).to be_falsey
end
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
it "returns false when trying to delete another user's own post" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(Fabricate(:user)).can_delete?(post)).to be_falsey
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
end
FEATURE: Let users delete their own topics. (#7267)
2019-03-29 12:10:05 -04:00
it "returns false when it's the OP, even as a moderator if there are at least two posts" do
DEV: Improve tests. Follow-up to 034b8a7ecc406d83b0134940e81e83848b4b3279.
2019-04-21 04:40:29 -04:00
post = Fabricate(:post)
FEATURE: Let users delete their own topics. (#7267)
2019-03-29 12:10:05 -04:00
Fabricate(:post, topic: post.topic)
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_delete?(post)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true when a moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_delete?(post)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true when an admin' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_delete?(post)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Add post_edit_time_limit site setting to limit the how long a post can be edited and deleted by the author. Default is 1 year.
2014-01-07 10:32:09 -05:00
FIX: TL4 users cannot delete others posts (#13554)
2021-06-30 08:51:35 -04:00
it "returns true for category moderators" do
SiteSetting.enable_category_group_moderation = true
GroupUser.create(group: group, user: user)
category = Fabricate(:category, reviewable_by_group_id: group.id)
post.topic.update!(category: category)
expect(Guardian.new(user).can_delete?(post)).to eq(true)
end
Prevent deleting the static page doc topics
2014-08-13 17:02:44 -04:00
it 'returns false when post is first in a static doc topic' do
tos_topic = Fabricate(:topic, user: Discourse.system_user)
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.tos_topic_id = tos_topic.id
Prevent deleting the static page doc topics
2014-08-13 17:02:44 -04:00
post.update_attribute :post_number, 1
post.update_attribute :topic_id, tos_topic.id
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_delete?(post)).to be_falsey
Prevent deleting the static page doc topics
2014-08-13 17:02:44 -04:00
end
Non-staff users may not delete their posts in archived topics.
2014-01-17 17:42:12 -05:00
context 'the topic is archived' do
before do
post.topic.archived = true
end
it "allows a staff member to delete it" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_delete?(post)).to be_truthy
Non-staff users may not delete their posts in archived topics.
2014-01-17 17:42:12 -05:00
end
it "doesn't allow a regular user to delete it" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(post.user).can_delete?(post)).to be_falsey
Non-staff users may not delete their posts in archived topics.
2014-01-17 17:42:12 -05:00
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
context 'a Category' do
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
let(:category) { build(:category, user: moderator) }
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it 'returns false when not logged in' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_delete?(category)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns false when a regular user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_delete?(category)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
SECURITY: reduce moderator rights You can now hide particular categories from certain moderators
2014-02-06 22:11:52 -05:00
it 'returns false when a moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_delete?(category)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns true when an admin' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_delete?(category)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "can't be deleted if it has a forum topic" do
category.topic_count = 10
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_delete?(category)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Fixed typo in test name
2014-02-12 15:24:44 -05:00
it "can't be deleted if it is the Uncategorized Category" do
Prevent deleting 'uncategorized' category
2013-12-17 15:36:15 -05:00
uncategorized_cat_id = SiteSetting.uncategorized_category_id
uncategorized_category = Category.find(uncategorized_cat_id)
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_delete?(uncategorized_category)).to be_falsey
Prevent deleting 'uncategorized' category
2013-12-17 15:36:15 -05:00
end
FIX: Don't allow parent categories to be deleted. Also, remove duplicated logic and rely on the server response for `can_delete` status.
2014-02-12 17:24:25 -05:00
it "can't be deleted if it has children" do
category.expects(:has_children?).returns(true)
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_delete?(category)).to be_falsey
FIX: Don't allow parent categories to be deleted. Also, remove duplicated logic and rely on the server response for `can_delete` status.
2014-02-12 17:24:25 -05:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Used the term suspended instead of banned.
2013-11-07 13:53:32 -05:00
context 'can_suspend?' do
it 'returns false when a user tries to suspend another user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_suspend?(coding_horror)).to be_falsey
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
end
Used the term suspended instead of banned.
2013-11-07 13:53:32 -05:00
it 'returns true when an admin tries to suspend another user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_suspend?(coding_horror)).to be_truthy
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
end
Used the term suspended instead of banned.
2013-11-07 13:53:32 -05:00
it 'returns true when a moderator tries to suspend another user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_suspend?(coding_horror)).to be_truthy
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
end
Used the term suspended instead of banned.
2013-11-07 13:53:32 -05:00
it 'returns false when staff tries to suspend staff' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_suspend?(moderator)).to be_falsey
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
context 'a PostAction' do
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
let(:post_action) {
user.id = 1
post.id = 1
FEATURE: New 'Reviewable' model to make reviewable items generic Includes support for flags, reviewable users and queued posts, with REST API backwards compatibility. Co-Authored-By: romanrizzi <romanalejandro@gmail.com> Co-Authored-By: jjaffeux <j.jaffeux@gmail.com>
2019-01-03 12:03:01 -05:00
a = PostAction.new(user: user, post: post, post_action_type_id: 2)
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
a.created_at = 1.minute.ago
a
}
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it 'returns false when not logged in' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_delete?(post_action)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'returns false when not the user who created it' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(coding_horror).can_delete?(post_action)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "returns false if the window has expired" do
post_action.created_at = 20.minutes.ago
FEATURE: New 'Reviewable' model to make reviewable items generic Includes support for flags, reviewable users and queued posts, with REST API backwards compatibility. Co-Authored-By: romanrizzi <romanalejandro@gmail.com> Co-Authored-By: jjaffeux <j.jaffeux@gmail.com>
2019-01-03 12:03:01 -05:00
SiteSetting.post_undo_action_window_mins = 10
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_delete?(post_action)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "returns true if it's yours" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_delete?(post_action)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
end
context 'can_approve?' do
it "wont allow a non-logged in user to approve" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_approve?(user)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "wont allow a non-admin to approve a user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(coding_horror).can_approve?(user)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "returns false when the user is already approved" do
user.approved = true
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_approve?(user)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FIX: Don't allow staff to approve users with unverified emails
2017-09-04 12:55:23 -04:00
it "returns false when the user is not active" do
user.active = false
expect(Guardian.new(admin).can_approve?(user)).to be_falsey
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it "allows an admin to approve a user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_approve?(user)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "allows a moderator to approve a user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_approve?(user)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
end
context 'can_grant_admin?' do
it "wont allow a non logged in user to grant an admin's access" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_grant_admin?(another_admin)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "wont allow a regular user to revoke an admin's access" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_grant_admin?(another_admin)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'wont allow an admin to grant their own access' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_grant_admin?(admin)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "allows an admin to grant a regular user access" do
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
admin.id = 1
user.id = 2
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_grant_admin?(user)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FIX: Do not allow admins to meddle with admin and moderation access of non real users.
2016-12-28 22:11:33 -05:00
it 'should not allow an admin to grant admin access to a non real user' do
Fix randomly failing spec.
2017-01-06 02:25:49 -05:00
begin
Discourse.system_user.update!(admin: false)
expect(Guardian.new(admin).can_grant_admin?(Discourse.system_user)).to be(false)
ensure
Discourse.system_user.update!(admin: true)
end
FIX: Do not allow admins to meddle with admin and moderation access of non real users.
2016-12-28 22:11:33 -05:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
context 'can_revoke_admin?' do
it "wont allow a non logged in user to revoke an admin's access" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_revoke_admin?(another_admin)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "wont allow a regular user to revoke an admin's access" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_revoke_admin?(another_admin)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'wont allow an admin to revoke their own access' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_revoke_admin?(admin)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it "allows an admin to revoke another admin's access" do
update message bus to support per client filtering start work on user_tracking_state fix can_ban? in guardian expose protected scopes on topic_query we need move guardian spec to use build as opposed to creating topics / posts / users start work on user tracking spec
2013-05-21 02:39:51 -04:00
admin.id = 1
another_admin.id = 2
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_revoke_admin?(another_admin)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FIX: Do not allow admins to meddle with admin and moderation access of non real users.
2016-12-28 22:11:33 -05:00
it "should not allow an admin to revoke a no real user's admin access" do
expect(Guardian.new(admin).can_revoke_admin?(Discourse.system_user)).to be(false)
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
context 'can_grant_moderation?' do
+x on files makes no sense unless they really are executable rails in the script dir makes no sense, use binstubs or bundler instead
2013-05-09 03:35:15 -04:00
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
it "wont allow a non logged in user to grant an moderator's access" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_grant_moderation?(user)).to be_falsey
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
end
refactor guardian class for clarity & correctness introduce NullUser to avoid type-checking DRY up code reduce number of multiple returns remove some redundant/impossible logic branches add pending test for possible bug add test & fix for ability to flag archived posts add #secure_category? method to topic class Fix bug that prevented flagging of archived topics Rename NullUser to AnonymousUser DRY up can_<action>? methods Fix some ownership logic, and a test, for Guardian
2013-05-20 02:04:53 -04:00
it "wont allow a regular user to revoke an moderator's access" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_grant_moderation?(moderator)).to be_falsey
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
end
+x on files makes no sense unless they really are executable rails in the script dir makes no sense, use binstubs or bundler instead
2013-05-09 03:35:15 -04:00
it 'will allow an admin to grant their own moderator access' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_grant_moderation?(admin)).to be_truthy
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
end
it 'wont allow an admin to grant it to an already moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_grant_moderation?(moderator)).to be_falsey
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
end
it "allows an admin to grant a regular user access" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_grant_moderation?(user)).to be_truthy
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
end
FIX: Do not allow admins to meddle with admin and moderation access of non real users.
2016-12-28 22:11:33 -05:00
it "should not allow an admin to grant moderation to a non real user" do
Fix randomly failing spec.
2017-01-06 02:25:49 -05:00
begin
Discourse.system_user.update!(moderator: false)
expect(Guardian.new(admin).can_grant_moderation?(Discourse.system_user)).to be(false)
ensure
Discourse.system_user.update!(moderator: true)
end
FIX: Do not allow admins to meddle with admin and moderation access of non real users.
2016-12-28 22:11:33 -05:00
end
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
end
context 'can_revoke_moderation?' do
it "wont allow a non logged in user to revoke an moderator's access" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new.can_revoke_moderation?(moderator)).to be_falsey
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
end
it "wont allow a regular user to revoke an moderator's access" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_revoke_moderation?(moderator)).to be_falsey
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
end
+x on files makes no sense unless they really are executable rails in the script dir makes no sense, use binstubs or bundler instead
2013-05-09 03:35:15 -04:00
it 'wont allow a moderator to revoke their own moderator' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_revoke_moderation?(moderator)).to be_falsey
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
end
it "allows an admin to revoke a moderator's access" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_revoke_moderation?(moderator)).to be_truthy
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
end
+x on files makes no sense unless they really are executable rails in the script dir makes no sense, use binstubs or bundler instead
2013-05-09 03:35:15 -04:00
it "allows an admin to revoke a moderator's access from self" do
admin.moderator = true
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_revoke_moderation?(admin)).to be_truthy
+x on files makes no sense unless they really are executable rails in the script dir makes no sense, use binstubs or bundler instead
2013-05-09 03:35:15 -04:00
end
it "does not allow revoke from non moderators" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_revoke_moderation?(admin)).to be_falsey
+x on files makes no sense unless they really are executable rails in the script dir makes no sense, use binstubs or bundler instead
2013-05-09 03:35:15 -04:00
end
FIX: Do not allow admins to meddle with admin and moderation access of non real users.
2016-12-28 22:11:33 -05:00
it "should not allow an admin to revoke moderation from a non real user" do
expect(Guardian.new(admin).can_revoke_moderation?(Discourse.system_user)).to be(false)
end
Adds grant and revoke moderation buttons so admins can make users moderators
2013-02-12 17:58:08 -05:00
end
Let's not show tons of extra information about invites unless you're the person who invited them.
2014-03-21 14:13:04 -04:00
context "can_see_invite_details?" do
Initial release of Discourse
2013-02-05 14:16:51 -05:00
it 'is false without a logged in user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_see_invite_details?(user)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'is false without a user to look at' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_see_invite_details?(nil)).to be_falsey
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
it 'is true when looking at your own invites' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_see_invite_details?(user)).to be_truthy
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Admins can't lock themselves out of a site by setting approval.
2013-04-03 12:23:28 -04:00
end
context "can_access_forum?" do
let(:unapproved_user) { Fabricate.build(:user) }
context "when must_approve_users is false" do
before do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.must_approve_users = false
Admins can't lock themselves out of a site by setting approval.
2013-04-03 12:23:28 -04:00
end
it "returns true for a nil user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_access_forum?).to be_truthy
Admins can't lock themselves out of a site by setting approval.
2013-04-03 12:23:28 -04:00
end
it "returns true for an unapproved user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(unapproved_user).can_access_forum?).to be_truthy
Admins can't lock themselves out of a site by setting approval.
2013-04-03 12:23:28 -04:00
end
end
context 'when must_approve_users is true' do
before do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.must_approve_users = true
Admins can't lock themselves out of a site by setting approval.
2013-04-03 12:23:28 -04:00
end
it "returns false for a nil user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_access_forum?).to be_falsey
Admins can't lock themselves out of a site by setting approval.
2013-04-03 12:23:28 -04:00
end
it "returns false for an unapproved user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(unapproved_user).can_access_forum?).to be_falsey
Admins can't lock themselves out of a site by setting approval.
2013-04-03 12:23:28 -04:00
end
it "returns true for an admin user" do
unapproved_user.admin = true
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(unapproved_user).can_access_forum?).to be_truthy
Admins can't lock themselves out of a site by setting approval.
2013-04-03 12:23:28 -04:00
end
it "returns true for an approved user" do
unapproved_user.approved = true
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(unapproved_user).can_access_forum?).to be_truthy
Admins can't lock themselves out of a site by setting approval.
2013-04-03 12:23:28 -04:00
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Add button to delete a spammer in the flag modal Add SiteSettings: delete_user_max_age, delete_all_posts_max. Add delete spammer button to admin flags UI Moderators can delete users too
2013-07-26 15:40:08 -04:00
describe "can_delete_all_posts?" do
it "is false without a logged in user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_delete_all_posts?(user)).to be_falsey
Add button to delete a spammer in the flag modal Add SiteSettings: delete_user_max_age, delete_all_posts_max. Add delete spammer button to admin flags UI Moderators can delete users too
2013-07-26 15:40:08 -04:00
end
it "is false without a user to look at" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_delete_all_posts?(nil)).to be_falsey
Add button to delete a spammer in the flag modal Add SiteSettings: delete_user_max_age, delete_all_posts_max. Add delete spammer button to admin flags UI Moderators can delete users too
2013-07-26 15:40:08 -04:00
end
it "is false for regular users" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_delete_all_posts?(coding_horror)).to be_falsey
Add button to delete a spammer in the flag modal Add SiteSettings: delete_user_max_age, delete_all_posts_max. Add delete spammer button to admin flags UI Moderators can delete users too
2013-07-26 15:40:08 -04:00
end
FEATURE: allow admin to delete all posts by a user irrespectively (#14128) This commit allows admin to delete all posts by a user irrespective of site settings `delete_user_max_post_age` and `delete_all_posts_max`.
2021-08-25 00:44:22 -04:00
context "for moderators" do
let(:actor) { moderator }
Look at the age of a user's first post to determine if the user can be nuked, instead of looking at when the user registered.
2014-02-20 12:29:40 -05:00
it "is true if user has no posts" do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.delete_user_max_post_age = 10
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(actor).can_delete_all_posts?(Fabricate(:user, created_at: 100.days.ago))).to be_truthy
Look at the age of a user's first post to determine if the user can be nuked, instead of looking at when the user registered.
2014-02-20 12:29:40 -05:00
end
it "is true if user's first post is newer than delete_user_max_post_age days old" do
FEATURE: flag dispositions normalization All flags should end up in one of the three dispositions - Agree - Disagree - Defer In the administration area, the *active* flags section displays 4 buttons - Agree (hide post + send PM) - Disagree - Defer - Delete Clicking "Delete" will open a modal that offer to - Delete Post & Defer Flags - Delete Post & Agree with Flags - Delete Spammer (if available) When the flag has a list associated, the list will now display 1 response and 1 reply and a "show more..." link if there are more in the conversation. Replying to the conversation will NOT give a disposition. Moderators must click the buttons that does that. If someone clicks one buttons, this will add a default moderator message from that moderator saying what happened. The *old* flags section now displays the proper dispositions and is super duper fast (no more N+9999 queries). FIX: the old list includes deleted topics FIX: the lists now properly display the topic states (deleted, closed, archived, hidden, PM) FIX: flagging a topic that you've already flagged the first post
2014-07-28 13:17:37 -04:00
user = Fabricate(:user, created_at: 100.days.ago)
DEV: Remove the use of stubs. (#14142) Follow-up to 419d71abcb814b14c15918190405428bfb543548
2021-08-25 01:25:01 -04:00
user.user_stat.update!(first_post_created_at: 9.days.ago)
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.delete_user_max_post_age = 10
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(actor).can_delete_all_posts?(user)).to be_truthy
Add button to delete a spammer in the flag modal Add SiteSettings: delete_user_max_age, delete_all_posts_max. Add delete spammer button to admin flags UI Moderators can delete users too
2013-07-26 15:40:08 -04:00
end
Look at the age of a user's first post to determine if the user can be nuked, instead of looking at when the user registered.
2014-02-20 12:29:40 -05:00
it "is false if user's first post is older than delete_user_max_post_age days old" do
FEATURE: flag dispositions normalization All flags should end up in one of the three dispositions - Agree - Disagree - Defer In the administration area, the *active* flags section displays 4 buttons - Agree (hide post + send PM) - Disagree - Defer - Delete Clicking "Delete" will open a modal that offer to - Delete Post & Defer Flags - Delete Post & Agree with Flags - Delete Spammer (if available) When the flag has a list associated, the list will now display 1 response and 1 reply and a "show more..." link if there are more in the conversation. Replying to the conversation will NOT give a disposition. Moderators must click the buttons that does that. If someone clicks one buttons, this will add a default moderator message from that moderator saying what happened. The *old* flags section now displays the proper dispositions and is super duper fast (no more N+9999 queries). FIX: the old list includes deleted topics FIX: the lists now properly display the topic states (deleted, closed, archived, hidden, PM) FIX: flagging a topic that you've already flagged the first post
2014-07-28 13:17:37 -04:00
user = Fabricate(:user, created_at: 100.days.ago)
DEV: Remove the use of stubs. (#14142) Follow-up to 419d71abcb814b14c15918190405428bfb543548
2021-08-25 01:25:01 -04:00
user.user_stat.update!(first_post_created_at: 11.days.ago)
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.delete_user_max_post_age = 10
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(actor).can_delete_all_posts?(user)).to be_falsey
Add button to delete a spammer in the flag modal Add SiteSettings: delete_user_max_age, delete_all_posts_max. Add delete spammer button to admin flags UI Moderators can delete users too
2013-07-26 15:40:08 -04:00
end
it "is false if user is an admin" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(actor).can_delete_all_posts?(admin)).to be_falsey
Add ability to destroy a user with 0 posts
2013-04-11 16:04:20 -04:00
end
Add button to delete a spammer in the flag modal Add SiteSettings: delete_user_max_age, delete_all_posts_max. Add delete spammer button to admin flags UI Moderators can delete users too
2013-07-26 15:40:08 -04:00
it "is true if number of posts is small" do
DEV: Remove the use of stubs. (#14142) Follow-up to 419d71abcb814b14c15918190405428bfb543548
2021-08-25 01:25:01 -04:00
user = Fabricate(:user, created_at: 1.day.ago)
user.user_stat.update!(post_count: 1)
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.delete_all_posts_max = 10
DEV: Remove the use of stubs. (#14142) Follow-up to 419d71abcb814b14c15918190405428bfb543548
2021-08-25 01:25:01 -04:00
expect(Guardian.new(actor).can_delete_all_posts?(user)).to be_truthy
Add ability to destroy a user with 0 posts
2013-04-11 16:04:20 -04:00
end
Add button to delete a spammer in the flag modal Add SiteSettings: delete_user_max_age, delete_all_posts_max. Add delete spammer button to admin flags UI Moderators can delete users too
2013-07-26 15:40:08 -04:00
it "is false if number of posts is not small" do
DEV: Remove the use of stubs. (#14142) Follow-up to 419d71abcb814b14c15918190405428bfb543548
2021-08-25 01:25:01 -04:00
user = Fabricate(:user, created_at: 1.day.ago)
user.user_stat.update!(post_count: 11)
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.delete_all_posts_max = 10
DEV: Remove the use of stubs. (#14142) Follow-up to 419d71abcb814b14c15918190405428bfb543548
2021-08-25 01:25:01 -04:00
expect(Guardian.new(actor).can_delete_all_posts?(user)).to be_falsey
Add button to delete a spammer in the flag modal Add SiteSettings: delete_user_max_age, delete_all_posts_max. Add delete spammer button to admin flags UI Moderators can delete users too
2013-07-26 15:40:08 -04:00
end
end
context "for admins" do
let(:actor) { admin }
FEATURE: allow admin to delete all posts by a user irrespectively (#14128) This commit allows admin to delete all posts by a user irrespective of site settings `delete_user_max_post_age` and `delete_all_posts_max`.
2021-08-25 00:44:22 -04:00
it "is true if user has no posts" do
SiteSetting.delete_user_max_post_age = 10
expect(Guardian.new(actor).can_delete_all_posts?(Fabricate(:user, created_at: 100.days.ago))).to be_truthy
end
it "is true if user's first post is newer than delete_user_max_post_age days old" do
user = Fabricate(:user, created_at: 100.days.ago)
user.stubs(:first_post_created_at).returns(9.days.ago)
SiteSetting.delete_user_max_post_age = 10
expect(Guardian.new(actor).can_delete_all_posts?(user)).to be_truthy
end
it "is true if user's first post is older than delete_user_max_post_age days old" do
user = Fabricate(:user, created_at: 100.days.ago)
user.stubs(:first_post_created_at).returns(11.days.ago)
SiteSetting.delete_user_max_post_age = 10
expect(Guardian.new(actor).can_delete_all_posts?(user)).to be_truthy
end
it "is false if user is an admin" do
expect(Guardian.new(actor).can_delete_all_posts?(admin)).to be_falsey
end
it "is true if number of posts is small" do
u = Fabricate(:user, created_at: 1.day.ago)
u.stubs(:post_count).returns(1)
SiteSetting.delete_all_posts_max = 10
expect(Guardian.new(actor).can_delete_all_posts?(u)).to be_truthy
end
it "is true if number of posts is not small" do
u = Fabricate(:user, created_at: 1.day.ago)
u.stubs(:post_count).returns(11)
SiteSetting.delete_all_posts_max = 10
expect(Guardian.new(actor).can_delete_all_posts?(u)).to be_truthy
end
Add ability to destroy a user with 0 posts
2013-04-11 16:04:20 -04:00
end
end
FEATURE: Anonymize User. A way to remove a user but keep their topics and posts.
2015-03-06 16:44:54 -05:00
describe "can_anonymize_user?" do
it "is false without a logged in user" do
expect(Guardian.new(nil).can_anonymize_user?(user)).to be_falsey
end
it "is false without a user to look at" do
expect(Guardian.new(admin).can_anonymize_user?(nil)).to be_falsey
end
it "is false for a regular user" do
expect(Guardian.new(user).can_anonymize_user?(coding_horror)).to be_falsey
end
it "is false for myself" do
expect(Guardian.new(user).can_anonymize_user?(user)).to be_falsey
end
it "is true for admin anonymizing a regular user" do
Convert specs to RSpec 2.99.2 syntax with Transpec This conversion is done by Transpec 3.1.0 with the following command: transpec * 424 conversions from: obj.should to: expect(obj).to * 325 conversions from: == expected to: eq(expected) * 38 conversions from: obj.should_not to: expect(obj).not_to * 15 conversions from: =~ /pattern/ to: match(/pattern/) * 9 conversions from: it { should ... } to: it { is_expected.to ... } * 5 conversions from: lambda { }.should_not to: expect { }.not_to * 4 conversions from: lambda { }.should to: expect { }.to * 2 conversions from: -> { }.should to: expect { }.to * 2 conversions from: -> { }.should_not to: expect { }.not_to * 1 conversion from: === expected to: be === expected * 1 conversion from: =~ [1, 2] to: match_array([1, 2]) For more details: https://github.com/yujinakayama/transpec#supported-conversions
2015-04-25 11:18:35 -04:00
expect(Guardian.new(admin).can_anonymize_user?(user)).to eq(true)
FEATURE: Anonymize User. A way to remove a user but keep their topics and posts.
2015-03-06 16:44:54 -05:00
end
it "is true for moderator anonymizing a regular user" do
Convert specs to RSpec 2.99.2 syntax with Transpec This conversion is done by Transpec 3.1.0 with the following command: transpec * 424 conversions from: obj.should to: expect(obj).to * 325 conversions from: == expected to: eq(expected) * 38 conversions from: obj.should_not to: expect(obj).not_to * 15 conversions from: =~ /pattern/ to: match(/pattern/) * 9 conversions from: it { should ... } to: it { is_expected.to ... } * 5 conversions from: lambda { }.should_not to: expect { }.not_to * 4 conversions from: lambda { }.should to: expect { }.to * 2 conversions from: -> { }.should to: expect { }.to * 2 conversions from: -> { }.should_not to: expect { }.not_to * 1 conversion from: === expected to: be === expected * 1 conversion from: =~ [1, 2] to: match_array([1, 2]) For more details: https://github.com/yujinakayama/transpec#supported-conversions
2015-04-25 11:18:35 -04:00
expect(Guardian.new(moderator).can_anonymize_user?(user)).to eq(true)
FEATURE: Anonymize User. A way to remove a user but keep their topics and posts.
2015-03-06 16:44:54 -05:00
end
it "is false for admin anonymizing an admin" do
expect(Guardian.new(admin).can_anonymize_user?(Fabricate(:admin))).to be_falsey
end
it "is false for admin anonymizing a moderator" do
Reuse prefabricated moderator instead of creating new ones
2019-05-06 06:13:39 -04:00
expect(Guardian.new(admin).can_anonymize_user?(moderator)).to be_falsey
FEATURE: Anonymize User. A way to remove a user but keep their topics and posts.
2015-03-06 16:44:54 -05:00
end
it "is false for moderator anonymizing an admin" do
expect(Guardian.new(moderator).can_anonymize_user?(admin)).to be_falsey
end
it "is false for moderator anonymizing a moderator" do
Reuse prefabricated moderator instead of creating new ones
2019-05-06 06:13:39 -04:00
expect(Guardian.new(moderator).can_anonymize_user?(moderator)).to be_falsey
FEATURE: Anonymize User. A way to remove a user but keep their topics and posts.
2015-03-06 16:44:54 -05:00
end
end
Add ability to give users a title. Show them under usernames beside posts. Needs love from a designer.
2013-06-25 18:39:20 -04:00
describe 'can_grant_title?' do
it 'is false without a logged in user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_grant_title?(user)).to be_falsey
Add ability to give users a title. Show them under usernames beside posts. Needs love from a designer.
2013-06-25 18:39:20 -04:00
end
it 'is false for regular users' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_grant_title?(user)).to be_falsey
Add ability to give users a title. Show them under usernames beside posts. Needs love from a designer.
2013-06-25 18:39:20 -04:00
end
it 'is true for moderators' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_grant_title?(user)).to be_truthy
Add ability to give users a title. Show them under usernames beside posts. Needs love from a designer.
2013-06-25 18:39:20 -04:00
end
it 'is true for admins' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_grant_title?(user)).to be_truthy
Add ability to give users a title. Show them under usernames beside posts. Needs love from a designer.
2013-06-25 18:39:20 -04:00
end
it 'is false without a user to look at' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_grant_title?(nil)).to be_falsey
Add ability to give users a title. Show them under usernames beside posts. Needs love from a designer.
2013-06-25 18:39:20 -04:00
end
UX: user preferences allows users to choose which title to use from their badges and groups
2018-04-06 14:29:27 -04:00
context 'with title argument' do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:title_badge) { Fabricate(:badge, name: 'Helper', allow_title: true) }
fab!(:no_title_badge) { Fabricate(:badge, name: 'Writer', allow_title: false) }
fab!(:group) { Fabricate(:group, title: 'Groupie') }
UX: user preferences allows users to choose which title to use from their badges and groups
2018-04-06 14:29:27 -04:00
it 'returns true if title belongs to a badge that user has' do
BadgeGranter.grant(title_badge, user)
expect(Guardian.new(user).can_grant_title?(user, title_badge.name)).to eq(true)
end
it "returns false if title belongs to a badge that user doesn't have" do
expect(Guardian.new(user).can_grant_title?(user, title_badge.name)).to eq(false)
end
it "returns false if title belongs to a badge that user has but can't be used as a title" do
BadgeGranter.grant(no_title_badge, user)
expect(Guardian.new(user).can_grant_title?(user, no_title_badge.name)).to eq(false)
end
it 'returns true if title is from a group the user belongs to' do
group.add(user)
expect(Guardian.new(user).can_grant_title?(user, group.title)).to eq(true)
end
it "returns false if title is from a group the user doesn't belong to" do
expect(Guardian.new(user).can_grant_title?(user, group.title)).to eq(false)
end
FIX: Allow a user to remove their title Somewhere there was a regression and a user couldn't remove their own title. If they selected '(none)' in the UI it would say it was saved, but it would not actually be updated in the db.
2018-05-31 19:10:52 -04:00
it "returns true if the title is set to an empty string" do
expect(Guardian.new(user).can_grant_title?(user, '')).to eq(true)
end
UX: user preferences allows users to choose which title to use from their badges and groups
2018-04-06 14:29:27 -04:00
end
Add ability to give users a title. Show them under usernames beside posts. Needs love from a designer.
2013-06-25 18:39:20 -04:00
end
FEATURE: Site setting/UI to allow users to set their primary group (#8244) * FEATURE: Site setting/ui to allow users to set their primary group * prettier and remove logic from account template * added 1 to 43 to make web_hook_user_serializer_spec pass
2019-10-28 13:46:27 -04:00
describe 'can_use_primary_group?' do
fab!(:group) { Fabricate(:group, title: 'Groupie') }
it 'is false without a logged in user' do
expect(Guardian.new(nil).can_use_primary_group?(user)).to be_falsey
end
it 'is false with no group_id' do
user.update(groups: [group])
expect(Guardian.new(user).can_use_primary_group?(user, nil)).to be_falsey
end
it 'is false if the group does not exist' do
user.update(groups: [group])
expect(Guardian.new(user).can_use_primary_group?(user, Group.last.id + 1)).to be_falsey
end
it 'is false if the user is not a part of the group' do
user.update(groups: [])
expect(Guardian.new(user).can_use_primary_group?(user, group.id)).to be_falsey
end
it 'is false if the group is automatic' do
user.update(groups: [Group.new(name: 'autooo', automatic: true)])
expect(Guardian.new(user).can_use_primary_group?(user, group.id)).to be_falsey
end
it 'is true if the user is a part of the group, and the group is custom' do
user.update(groups: [group])
expect(Guardian.new(user).can_use_primary_group?(user, group.id)).to be_truthy
end
end
FIX: Allow only groups with flairs to be selected (#13744) It used the same permission check as for primary groups which is wrong because not all groups that can be primary have a flair.
2021-07-21 07:41:04 -04:00
describe 'can_use_flair_group?' do
fab!(:group) { Fabricate(:group, title: 'Groupie', flair_icon: 'icon') }
it 'is false without a logged in user' do
expect(Guardian.new(nil).can_use_flair_group?(user)).to eq(false)
end
it 'is false if the group does not exist' do
expect(Guardian.new(user).can_use_flair_group?(user, nil)).to eq(false)
expect(Guardian.new(user).can_use_flair_group?(user, Group.last.id + 1)).to eq(false)
end
it 'is false if the user is not a part of the group' do
expect(Guardian.new(user).can_use_flair_group?(user, group.id)).to eq(false)
end
it 'is false if the group does not have a flair' do
group.update(flair_icon: nil)
expect(Guardian.new(user).can_use_flair_group?(user, group.id)).to eq(false)
end
it 'is true if the user is a part of the group and the group has a flair' do
user.update(groups: [group])
expect(Guardian.new(user).can_use_flair_group?(user, group.id)).to eq(true)
end
end
staff can change trust levels
2013-07-22 19:13:48 -04:00
describe 'can_change_trust_level?' do
it 'is false without a logged in user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_change_trust_level?(user)).to be_falsey
staff can change trust levels
2013-07-22 19:13:48 -04:00
end
it 'is false for regular users' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_change_trust_level?(user)).to be_falsey
staff can change trust levels
2013-07-22 19:13:48 -04:00
end
it 'is true for moderators' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_change_trust_level?(user)).to be_truthy
staff can change trust levels
2013-07-22 19:13:48 -04:00
end
it 'is true for admins' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_change_trust_level?(user)).to be_truthy
staff can change trust levels
2013-07-22 19:13:48 -04:00
end
end
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
describe "can_edit_username?" do
it "is false without a logged in user" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_edit_username?(build(:user, created_at: 1.minute.ago))).to be_falsey
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
end
it "is false for regular users to edit another user's username" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(build(:user)).can_edit_username?(build(:user, created_at: 1.minute.ago))).to be_falsey
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
end
shared_examples "staff can always change usernames" do
it "is true for moderators" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit_username?(user)).to be_truthy
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
end
it "is true for admins" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit_username?(user)).to be_truthy
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
end
FIX: prevent anonymous users from changing their email/username/name (#7311)
2019-04-17 04:05:02 -04:00
it "is true for admins when changing anonymous username" do
expect(Guardian.new(admin).can_edit_username?(anonymous_user)).to be_truthy
end
end
context "for anonymous user" do
before do
SiteSetting.allow_anonymous_posting = true
end
it "is false" do
expect(Guardian.new(anonymous_user).can_edit_username?(anonymous_user)).to be_falsey
end
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
end
context 'for a new user' do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:target_user) { Fabricate(:user, created_at: 1.minute.ago) }
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
include_examples "staff can always change usernames"
fixing gender sensitive pronouns
2013-12-02 23:49:54 -05:00
it "is true for the user to change their own username" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(target_user).can_edit_username?(target_user)).to be_truthy
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
end
end
context 'for an old user' do
before do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.username_change_period = 3
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
end
FEATURE: flag dispositions normalization All flags should end up in one of the three dispositions - Agree - Disagree - Defer In the administration area, the *active* flags section displays 4 buttons - Agree (hide post + send PM) - Disagree - Defer - Delete Clicking "Delete" will open a modal that offer to - Delete Post & Defer Flags - Delete Post & Agree with Flags - Delete Spammer (if available) When the flag has a list associated, the list will now display 1 response and 1 reply and a "show more..." link if there are more in the conversation. Replying to the conversation will NOT give a disposition. Moderators must click the buttons that does that. If someone clicks one buttons, this will add a default moderator message from that moderator saying what happened. The *old* flags section now displays the proper dispositions and is super duper fast (no more N+9999 queries). FIX: the old list includes deleted topics FIX: the lists now properly display the topic states (deleted, closed, archived, hidden, PM) FIX: flagging a topic that you've already flagged the first post
2014-07-28 13:17:37 -04:00
let(:target_user) { Fabricate(:user, created_at: 4.days.ago) }
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
Users can change their own username at any time if they have no posts
2013-08-23 11:23:00 -04:00
context 'with no posts' do
include_examples "staff can always change usernames"
fixing gender sensitive pronouns
2013-12-02 23:49:54 -05:00
it "is true for the user to change their own username" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(target_user).can_edit_username?(target_user)).to be_truthy
Users can change their own username at any time if they have no posts
2013-08-23 11:23:00 -04:00
end
end
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
Users can change their own username at any time if they have no posts
2013-08-23 11:23:00 -04:00
context 'with posts' do
before { target_user.stubs(:post_count).returns(1) }
include_examples "staff can always change usernames"
fixing gender sensitive pronouns
2013-12-02 23:49:54 -05:00
it "is false for the user to change their own username" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(target_user).can_edit_username?(target_user)).to be_falsey
Users can change their own username at any time if they have no posts
2013-08-23 11:23:00 -04:00
end
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
end
end
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
context 'when editing is disabled in preferences' do
before do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.username_change_period = 0
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
include_examples "staff can always change usernames"
fixing gender sensitive pronouns
2013-12-02 23:49:54 -05:00
it "is false for the user to change their own username" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_edit_username?(user)).to be_falsey
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
end
Added spec for SSO override username/email changes
2014-03-09 21:38:36 -04:00
context 'when SSO username override is active' do
before do
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
SiteSetting.enable_discourse_connect = true
SiteSetting.auth_overrides_username = true
Added spec for SSO override username/email changes
2014-03-09 21:38:36 -04:00
end
it "is false for admins" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit_username?(admin)).to be_falsey
Added spec for SSO override username/email changes
2014-03-09 21:38:36 -04:00
end
it "is false for moderators" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit_username?(moderator)).to be_falsey
Added spec for SSO override username/email changes
2014-03-09 21:38:36 -04:00
end
it "is false for users" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_edit_username?(user)).to be_falsey
Added spec for SSO override username/email changes
2014-03-09 21:38:36 -04:00
end
end
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
describe "can_edit_email?" do
context 'when allowed in settings' do
before do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.email_editable = true
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
FIX: prevent anonymous users from changing their email/username/name (#7311)
2019-04-17 04:05:02 -04:00
context "for anonymous user" do
before do
SiteSetting.allow_anonymous_posting = true
end
it "is false" do
expect(Guardian.new(anonymous_user).can_edit_email?(anonymous_user)).to be_falsey
end
end
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
it "is false when not logged in" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_edit_email?(build(:user, created_at: 1.minute.ago))).to be_falsey
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
it "is false for regular users to edit another user's email" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(build(:user)).can_edit_email?(build(:user, created_at: 1.minute.ago))).to be_falsey
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
fixing gender sensitive pronouns
2013-12-02 23:49:54 -05:00
it "is true for a regular user to edit their own email" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_edit_email?(user)).to be_truthy
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
it "is true for moderators" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit_email?(user)).to be_truthy
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
it "is true for admins" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit_email?(user)).to be_truthy
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
end
context 'when not allowed in settings' do
before do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.email_editable = false
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
it "is false when not logged in" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_edit_email?(build(:user, created_at: 1.minute.ago))).to be_falsey
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
it "is false for regular users to edit another user's email" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(build(:user)).can_edit_email?(build(:user, created_at: 1.minute.ago))).to be_falsey
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
fixing gender sensitive pronouns
2013-12-02 23:49:54 -05:00
it "is false for a regular user to edit their own email" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_edit_email?(user)).to be_falsey
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
fix spec, I don't agree with allowing mods and staff to edit this
2014-08-14 22:56:03 -04:00
it "is false for admins" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit_email?(user)).to be_falsey
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
fix spec, I don't agree with allowing mods and staff to edit this
2014-08-14 22:56:03 -04:00
it "is false for moderators" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit_email?(user)).to be_falsey
New site settings to enable/disable the possibility of editing user's nickname or email address
2013-09-07 22:42:41 -04:00
end
end
Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.
2013-08-12 14:54:52 -04:00
Added spec for SSO override username/email changes
2014-03-09 21:38:36 -04:00
context 'when SSO email override is active' do
before do
Fix the build.
2017-07-09 22:12:21 -04:00
SiteSetting.email_editable = false
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
SiteSetting.enable_discourse_connect = true
SiteSetting.auth_overrides_email = true
Added spec for SSO override username/email changes
2014-03-09 21:38:36 -04:00
end
it "is false for admins" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit_email?(admin)).to be_falsey
Added spec for SSO override username/email changes
2014-03-09 21:38:36 -04:00
end
it "is false for moderators" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit_email?(moderator)).to be_falsey
Added spec for SSO override username/email changes
2014-03-09 21:38:36 -04:00
end
it "is false for users" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_edit_email?(user)).to be_falsey
Added spec for SSO override username/email changes
2014-03-09 21:38:36 -04:00
end
end
end
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
describe 'can_edit_name?' do
it 'is false without a logged in user' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(nil).can_edit_name?(build(:user, created_at: 1.minute.ago))).to be_falsey
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it "is false for regular users to edit another user's name" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(build(:user)).can_edit_name?(build(:user, created_at: 1.minute.ago))).to be_falsey
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
FIX: prevent anonymous users from changing their email/username/name (#7311)
2019-04-17 04:05:02 -04:00
context "for anonymous user" do
before do
SiteSetting.allow_anonymous_posting = true
end
it "is false" do
expect(Guardian.new(anonymous_user).can_edit_name?(anonymous_user)).to be_falsey
end
end
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
context 'for a new user' do
let(:target_user) { build(:user, created_at: 1.minute.ago) }
it 'is true for the user to change their own name' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(target_user).can_edit_name?(target_user)).to be_truthy
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is true for moderators' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit_name?(user)).to be_truthy
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is true for admins' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit_name?(user)).to be_truthy
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
end
context 'when name is disabled in preferences' do
before do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.enable_names = false
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is false for the user to change their own name' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_edit_name?(user)).to be_falsey
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is false for moderators' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit_name?(user)).to be_falsey
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is false for admins' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit_name?(user)).to be_falsey
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
end
context 'when name is enabled in preferences' do
before do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.enable_names = true
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
context 'when SSO is disabled' do
before do
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
SiteSetting.enable_discourse_connect = false
SiteSetting.auth_overrides_name = false
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is true for admins' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit_name?(admin)).to be_truthy
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is true for moderators' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit_name?(moderator)).to be_truthy
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is true for users' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_edit_name?(user)).to be_truthy
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
end
context 'when SSO is enabled' do
before do
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
SiteSetting.enable_discourse_connect = true
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
context 'when SSO name override is active' do
before do
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
SiteSetting.auth_overrides_name = true
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is false for admins' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit_name?(admin)).to be_falsey
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is false for moderators' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit_name?(moderator)).to be_falsey
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is false for users' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_edit_name?(user)).to be_falsey
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
end
context 'when SSO name override is not active' do
before do
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
SiteSetting.auth_overrides_name = false
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is true for admins' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(admin).can_edit_name?(admin)).to be_truthy
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is true for moderators' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(moderator).can_edit_name?(moderator)).to be_truthy
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
it 'is true for users' do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(Guardian.new(user).can_edit_name?(user)).to be_truthy
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right.
2014-03-13 16:26:40 -04:00
end
end
end
end
end
Wiki Post
2014-05-13 08:53:11 -04:00
FEATURE: do not allow moderators to export user list (#6418)
2018-09-20 21:07:13 -04:00
describe '#can_export_entity?' do
FIX: guardian always got user but sometimes it is anonymous (#9342) * FIX: guardian always got user but sometimes it is anonymous ``` def initialize(user = nil, request = nil) @user = user.presence || AnonymousUser.new @request = request end ``` AnonymouseUser defines `blank?` method ``` class AnonymousUser def blank? true end ... end ``` so if we would use @user.present? it would be correct, however, just @user is always true
2020-04-05 19:56:47 -04:00
let(:anonymous_guardian) { Guardian.new }
FEATURE: do not allow moderators to export user list (#6418)
2018-09-20 21:07:13 -04:00
let(:user_guardian) { Guardian.new(user) }
let(:moderator_guardian) { Guardian.new(moderator) }
let(:admin_guardian) { Guardian.new(admin) }
it 'only allows admins to export user_list' do
expect(user_guardian.can_export_entity?('user_list')).to be_falsey
expect(moderator_guardian.can_export_entity?('user_list')).to be_falsey
expect(admin_guardian.can_export_entity?('user_list')).to be_truthy
end
it 'allow moderators to export other admin entities' do
expect(user_guardian.can_export_entity?('staff_action')).to be_falsey
expect(moderator_guardian.can_export_entity?('staff_action')).to be_truthy
expect(admin_guardian.can_export_entity?('staff_action')).to be_truthy
end
FIX: guardian always got user but sometimes it is anonymous (#9342) * FIX: guardian always got user but sometimes it is anonymous ``` def initialize(user = nil, request = nil) @user = user.presence || AnonymousUser.new @request = request end ``` AnonymouseUser defines `blank?` method ``` class AnonymousUser def blank? true end ... end ``` so if we would use @user.present? it would be correct, however, just @user is always true
2020-04-05 19:56:47 -04:00
it 'does not allow anonymous to export' do
expect(anonymous_guardian.can_export_entity?('user_archive')).to be_falsey
end
FEATURE: do not allow moderators to export user list (#6418)
2018-09-20 21:07:13 -04:00
end
[FEATURE] Disallow ignoring self, admins or moderators users (#7202)
2019-03-20 06:18:46 -04:00
describe '#can_ignore_user?' do
FEATURE: Add site setting to restrict ignore feature to trust level (#11297) This adds a new min_trust_level_to_allow_ignore site setting that enables admins to control the point at which a user is allowed to ignore other users.
2020-11-20 13:05:20 -05:00
before do
SiteSetting.min_trust_level_to_allow_ignore = 1
end
REFACTOR: Move redundant ignored user check into guardian (#7219) * REFACTOR: Move redundant ignored user check into guardian
2019-03-20 15:55:46 -04:00
FEATURE: Only allow TL2 Users to ignore other users (#7212)
2019-03-20 10:02:34 -04:00
let(:guardian) { Guardian.new(trust_level_2) }
[FEATURE] Disallow ignoring self, admins or moderators users (#7202)
2019-03-20 06:18:46 -04:00
context "when ignored user is the same as guardian user" do
it 'does not allow ignoring user' do
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 08:04:08 -05:00
expect(guardian.can_ignore_user?(trust_level_2)).to eq(false)
[FEATURE] Disallow ignoring self, admins or moderators users (#7202)
2019-03-20 06:18:46 -04:00
end
end
context "when ignored user is a staff user" do
let!(:admin) { Fabricate(:user, admin: true) }
it 'does not allow ignoring user' do
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 08:04:08 -05:00
expect(guardian.can_ignore_user?(admin)).to eq(false)
[FEATURE] Disallow ignoring self, admins or moderators users (#7202)
2019-03-20 06:18:46 -04:00
end
end
context "when ignored user is a normal user" do
it 'allows ignoring user' do
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 08:04:08 -05:00
expect(guardian.can_ignore_user?(another_user)).to eq(true)
[FEATURE] Disallow ignoring self, admins or moderators users (#7202)
2019-03-20 06:18:46 -04:00
end
end
FEATURE: Only allow TL2 Users to ignore other users (#7212)
2019-03-20 10:02:34 -04:00
FEATURE: Add site setting to restrict ignore feature to trust level (#11297) This adds a new min_trust_level_to_allow_ignore site setting that enables admins to control the point at which a user is allowed to ignore other users.
2020-11-20 13:05:20 -05:00
context "when ignorer is staff" do
let(:guardian) { Guardian.new(admin) }
it 'allows ignoring user' do
expect(guardian.can_ignore_user?(another_user)).to eq(true)
end
end
FEATURE: Only allow TL2 Users to ignore other users (#7212)
2019-03-20 10:02:34 -04:00
FEATURE: Add site setting to restrict ignore feature to trust level (#11297) This adds a new min_trust_level_to_allow_ignore site setting that enables admins to control the point at which a user is allowed to ignore other users.
2020-11-20 13:05:20 -05:00
context "when ignorer's trust level is below min_trust_level_to_allow_ignore" do
let(:guardian) { Guardian.new(trust_level_0) }
FEATURE: Only allow TL2 Users to ignore other users (#7212)
2019-03-20 10:02:34 -04:00
it 'does not allow ignoring user' do
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 08:04:08 -05:00
expect(guardian.can_ignore_user?(another_user)).to eq(false)
FEATURE: Only allow TL2 Users to ignore other users (#7212)
2019-03-20 10:02:34 -04:00
end
end
FEATURE: Add site setting to restrict ignore feature to trust level (#11297) This adds a new min_trust_level_to_allow_ignore site setting that enables admins to control the point at which a user is allowed to ignore other users.
2020-11-20 13:05:20 -05:00
context "when ignorer's trust level is equal to min_trust_level_to_allow_ignore site setting" do
let(:guardian) { Guardian.new(trust_level_1) }
FIX: Staff should be allowed to ignore users (#7216)
2019-03-20 10:47:13 -04:00
it 'allows ignoring user' do
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 08:04:08 -05:00
expect(guardian.can_ignore_user?(another_user)).to eq(true)
FIX: Staff should be allowed to ignore users (#7216)
2019-03-20 10:47:13 -04:00
end
end
FEATURE: Add site setting to restrict ignore feature to trust level (#11297) This adds a new min_trust_level_to_allow_ignore site setting that enables admins to control the point at which a user is allowed to ignore other users.
2020-11-20 13:05:20 -05:00
context "when ignorer's trust level is above min_trust_level_to_allow_ignore site setting" do
let(:guardian) { Guardian.new(trust_level_3) }
FEATURE: Only allow TL2 Users to ignore other users (#7212)
2019-03-20 10:02:34 -04:00
it 'allows ignoring user' do
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 08:04:08 -05:00
expect(guardian.can_ignore_user?(another_user)).to eq(true)
FEATURE: Only allow TL2 Users to ignore other users (#7212)
2019-03-20 10:02:34 -04:00
end
end
[FEATURE] Disallow ignoring self, admins or moderators users (#7202)
2019-03-20 06:18:46 -04:00
end
FEATURE: Introducing new UI for changing User's notification levels (#7248) * FEATURE: Introducing new UI for tracking User's ignored or muted states
2019-03-27 05:41:50 -04:00
describe '#can_mute_user?' do
let(:guardian) { Guardian.new(trust_level_1) }
context "when muted user is the same as guardian user" do
it 'does not allow muting user' do
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 08:04:08 -05:00
expect(guardian.can_mute_user?(trust_level_1)).to eq(false)
FEATURE: Introducing new UI for changing User's notification levels (#7248) * FEATURE: Introducing new UI for tracking User's ignored or muted states
2019-03-27 05:41:50 -04:00
end
end
context "when muted user is a staff user" do
let!(:admin) { Fabricate(:user, admin: true) }
it 'does not allow muting user' do
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 08:04:08 -05:00
expect(guardian.can_mute_user?(admin)).to eq(false)
FEATURE: Introducing new UI for changing User's notification levels (#7248) * FEATURE: Introducing new UI for tracking User's ignored or muted states
2019-03-27 05:41:50 -04:00
end
end
context "when muted user is a normal user" do
it 'allows muting user' do
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 08:04:08 -05:00
expect(guardian.can_mute_user?(another_user)).to eq(true)
FEATURE: Introducing new UI for changing User's notification levels (#7248) * FEATURE: Introducing new UI for tracking User's ignored or muted states
2019-03-27 05:41:50 -04:00
end
end
context "when muter's trust level is below tl1" do
let(:guardian) { Guardian.new(trust_level_0) }
let!(:trust_level_0) { build(:user, trust_level: 0) }
it 'does not allow muting user' do
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 08:04:08 -05:00
expect(guardian.can_mute_user?(another_user)).to eq(false)
FEATURE: Introducing new UI for changing User's notification levels (#7248) * FEATURE: Introducing new UI for tracking User's ignored or muted states
2019-03-27 05:41:50 -04:00
end
end
context "when muter is staff" do
let(:guardian) { Guardian.new(admin) }
it 'allows muting user' do
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 08:04:08 -05:00
expect(guardian.can_mute_user?(another_user)).to eq(true)
FEATURE: Introducing new UI for changing User's notification levels (#7248) * FEATURE: Introducing new UI for tracking User's ignored or muted states
2019-03-27 05:41:50 -04:00
end
end
context "when muters's trust level is tl1" do
let(:guardian) { Guardian.new(trust_level_1) }
it 'allows muting user' do
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 08:04:08 -05:00
expect(guardian.can_mute_user?(another_user)).to eq(true)
FEATURE: Introducing new UI for changing User's notification levels (#7248) * FEATURE: Introducing new UI for tracking User's ignored or muted states
2019-03-27 05:41:50 -04:00
end
end
end
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
describe "#allow_themes?" do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
let!(:theme) { Fabricate(:theme) }
let!(:theme2) { Fabricate(:theme) }
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
FIX: use allowlist and blocklist terminology (#10209) This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist.
2020-07-26 20:23:54 -04:00
context "allowlist mode" do
FEATURE: whitelist theme repo mode (experimental) In some restricted setups all JS payloads need tight control. This setting bans admins from making changes to JS on the site and requires all themes be whitelisted to be used. There are edge cases we still need to work through in this mode hence this is still not supported in production and experimental. Use an example like this to enable: `DISCOURSE_WHITELISTED_THEME_REPOS="https://repo.com/repo.git,https://repo.com/repo2.git"` By default this feature is not enabled and no changes are made. One exception is that default theme id was missing a security check this was added for correctness.
2020-06-02 23:19:42 -04:00
before do
FIX: use allowlist and blocklist terminology (#10209) This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist.
2020-07-26 20:23:54 -04:00
global_setting :allowed_theme_repos, " https://magic.com/repo.git, https://x.com/git"
FEATURE: whitelist theme repo mode (experimental) In some restricted setups all JS payloads need tight control. This setting bans admins from making changes to JS on the site and requires all themes be whitelisted to be used. There are edge cases we still need to work through in this mode hence this is still not supported in production and experimental. Use an example like this to enable: `DISCOURSE_WHITELISTED_THEME_REPOS="https://repo.com/repo.git,https://repo.com/repo2.git"` By default this feature is not enabled and no changes are made. One exception is that default theme id was missing a security check this was added for correctness.
2020-06-02 23:19:42 -04:00
end
FIX: use allowlist and blocklist terminology (#10209) This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist.
2020-07-26 20:23:54 -04:00
it "should respect theme allowlisting" do
FEATURE: whitelist theme repo mode (experimental) In some restricted setups all JS payloads need tight control. This setting bans admins from making changes to JS on the site and requires all themes be whitelisted to be used. There are edge cases we still need to work through in this mode hence this is still not supported in production and experimental. Use an example like this to enable: `DISCOURSE_WHITELISTED_THEME_REPOS="https://repo.com/repo.git,https://repo.com/repo2.git"` By default this feature is not enabled and no changes are made. One exception is that default theme id was missing a security check this was added for correctness.
2020-06-02 23:19:42 -04:00
r = RemoteTheme.create!(remote_url: "https://magic.com/repo.git")
theme.update!(remote_theme_id: r.id)
guardian = Guardian.new(admin)
expect(guardian.allow_themes?([theme.id, theme2.id], include_preview: true)).to eq(false)
expect(guardian.allow_themes?([theme.id], include_preview: true)).to eq(true)
expect(guardian.allowed_theme_repo_import?('https://x.com/git')).to eq(true)
expect(guardian.allowed_theme_repo_import?('https:/evil.com/git')).to eq(false)
end
end
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
it "allows staff to use any themes" do
FIX: check admin theme cookie against user selectable previously admin got a free pass and could set theme via cookie to anything including themes that are not selectable this refactor ensures that only "preview" gets a free pass, all the rest goes through the same pipeline
2018-09-06 20:44:57 -04:00
expect(Guardian.new(moderator).allow_themes?([theme.id, theme2.id])).to eq(false)
expect(Guardian.new(admin).allow_themes?([theme.id, theme2.id])).to eq(false)
expect(Guardian.new(moderator).allow_themes?([theme.id, theme2.id], include_preview: true)).to eq(true)
expect(Guardian.new(admin).allow_themes?([theme.id, theme2.id], include_preview: true)).to eq(true)
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
end
it "only allows normal users to use user-selectable themes or default theme" do
user_guardian = Guardian.new(user)
expect(user_guardian.allow_themes?([theme.id, theme2.id])).to eq(false)
expect(user_guardian.allow_themes?([theme.id])).to eq(false)
expect(user_guardian.allow_themes?([theme2.id])).to eq(false)
theme.set_default!
expect(user_guardian.allow_themes?([theme.id])).to eq(true)
expect(user_guardian.allow_themes?([theme2.id])).to eq(false)
expect(user_guardian.allow_themes?([theme.id, theme2.id])).to eq(false)
theme2.update!(user_selectable: true)
expect(user_guardian.allow_themes?([theme2.id])).to eq(true)
expect(user_guardian.allow_themes?([theme2.id, theme.id])).to eq(false)
end
it "allows child themes to be only used with their parent" do
user_guardian = Guardian.new(user)
theme.update!(user_selectable: true)
theme2.update!(user_selectable: true)
expect(user_guardian.allow_themes?([theme.id, theme2.id])).to eq(false)
FEATURE: themes and components split * FEATURE: themes and components split * two seperate methods to switch theme type * use strict equality operator
2018-08-23 21:30:00 -04:00
theme2.update!(user_selectable: false, component: true)
FEATURE: Ability to add components to all themes (#8404) * FEATURE: Ability to add components to all themes This is the first and functional step from that topic https://dev.discourse.org/t/adding-a-theme-component-is-too-much-work/15398/16 The idea here is that when a new component is added, the user can easily assign it to all themes (parents). To achieve that, I needed to change a site-setting component to accept `setDefaultValues` action and `setDefaultValuesLabel` translated label. Also, I needed to add `allowAny` option to disable that for theme selector. I also refactored backend to accept both parent and child ids with one method to avoid duplication (Renamed `add_child_theme!` to more general `add_relative_theme!`) * FIX: Improvement after code review * FIX: Improvement after code review2 * FIX: use mapBy and filterBy directly
2019-11-28 00:19:01 -05:00
theme.add_relative_theme!(:child, theme2)
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
expect(user_guardian.allow_themes?([theme.id, theme2.id])).to eq(true)
expect(user_guardian.allow_themes?([theme2.id])).to eq(false)
end
end
Wiki Post
2014-05-13 08:53:11 -04:00
describe 'can_wiki?' do
FIX: do not allow normal users to wiki edit-expired posts
2016-03-15 05:13:52 -04:00
let(:post) { build(:post, created_at: 1.minute.ago) }
FEATURE: allow users to wikify their own posts based on trust level
2016-01-11 10:26:00 -05:00
Wiki Post
2014-05-13 08:53:11 -04:00
it 'returns false for regular user' do
FEATURE: allow users to wikify their own posts based on trust level
2016-01-11 10:26:00 -05:00
expect(Guardian.new(coding_horror).can_wiki?(post)).to be_falsey
end
it "returns false when user does not satisfy trust level but owns the post" do
own_post = Fabricate(:post, user: trust_level_2)
expect(Guardian.new(trust_level_2).can_wiki?(own_post)).to be_falsey
end
it "returns false when user satisfies trust level but tries to wiki someone else's post" do
SiteSetting.min_trust_to_allow_self_wiki = 2
expect(Guardian.new(trust_level_2).can_wiki?(post)).to be_falsey
end
it 'returns true when user satisfies trust level and owns the post' do
SiteSetting.min_trust_to_allow_self_wiki = 2
own_post = Fabricate(:post, user: trust_level_2)
expect(Guardian.new(trust_level_2).can_wiki?(own_post)).to be_truthy
Wiki Post
2014-05-13 08:53:11 -04:00
end
it 'returns true for admin user' do
FEATURE: allow users to wikify their own posts based on trust level
2016-01-11 10:26:00 -05:00
expect(Guardian.new(admin).can_wiki?(post)).to be_truthy
Wiki Post
2014-05-13 08:53:11 -04:00
end
remove elder terminology in specs
2014-09-05 02:52:40 -04:00
it 'returns true for trust_level_4 user' do
FEATURE: allow users to wikify their own posts based on trust level
2016-01-11 10:26:00 -05:00
expect(Guardian.new(trust_level_4).can_wiki?(post)).to be_truthy
Wiki Post
2014-05-13 08:53:11 -04:00
end
FIX: do not allow normal users to wiki edit-expired posts
2016-03-15 05:13:52 -04:00
context 'post is older than post_edit_time_limit' do
let(:old_post) { build(:post, user: trust_level_2, created_at: 6.minutes.ago) }
before do
SiteSetting.min_trust_to_allow_self_wiki = 2
FEATURE: New post editing period for >= tl2 users (#8070) * FEATURE: Add tl2 threshold for editing new posts * Adds a new setting and for tl2 editing posts (30 days same as old value) * Sets the tl0/tl1 editing period as 1 day * FIX: Spec uses wrong setting * Fix site setting on guardian spec * FIX: post editing period specs * Avoid shared examples * Use update_columns to avoid callbacks on user during tests
2019-09-06 07:44:12 -04:00
SiteSetting.tl2_post_edit_time_limit = 5
FIX: do not allow normal users to wiki edit-expired posts
2016-03-15 05:13:52 -04:00
end
it 'returns false when user satisfies trust level and owns the post' do
expect(Guardian.new(trust_level_2).can_wiki?(old_post)).to be_falsey
end
it 'returns true for admin user' do
expect(Guardian.new(admin).can_wiki?(old_post)).to be_truthy
end
it 'returns true for trust_level_4 user' do
expect(Guardian.new(trust_level_4).can_wiki?(post)).to be_truthy
end
end
Wiki Post
2014-05-13 08:53:11 -04:00
end
FEATURE: tag groups
2016-06-06 14:18:15 -04:00
describe "Tags" do
context "tagging disabled" do
before do
SiteSetting.tagging_enabled = false
end
it "can_create_tag returns false" do
expect(Guardian.new(admin).can_create_tag?).to be_falsey
end
it "can_admin_tags returns false" do
expect(Guardian.new(admin).can_admin_tags?).to be_falsey
end
it "can_admin_tag_groups returns false" do
expect(Guardian.new(admin).can_admin_tag_groups?).to be_falsey
end
end
context "tagging is enabled" do
before do
SiteSetting.tagging_enabled = true
SiteSetting.min_trust_level_to_tag_topics = 1
end
add specs for min_trust_to_create_tag set to staff and admin
2018-07-05 11:39:32 -04:00
context 'min_trust_to_create_tag is 3' do
before do
SiteSetting.min_trust_to_create_tag = 3
FEATURE: tag groups
2016-06-06 14:18:15 -04:00
end
add specs for min_trust_to_create_tag set to staff and admin
2018-07-05 11:39:32 -04:00
describe "can_create_tag" do
it "returns false if trust level is too low" do
expect(Guardian.new(trust_level_2).can_create_tag?).to be_falsey
end
it "returns true if trust level is high enough" do
expect(Guardian.new(trust_level_3).can_create_tag?).to be_truthy
end
it "returns true for staff" do
expect(Guardian.new(admin).can_create_tag?).to be_truthy
expect(Guardian.new(moderator).can_create_tag?).to be_truthy
end
FEATURE: tag groups
2016-06-06 14:18:15 -04:00
end
add specs for min_trust_to_create_tag set to staff and admin
2018-07-05 11:39:32 -04:00
describe "can_tag_topics" do
it "returns false if trust level is too low" do
expect(Guardian.new(Fabricate(:user, trust_level: 0)).can_tag_topics?).to be_falsey
end
it "returns true if trust level is high enough" do
expect(Guardian.new(Fabricate(:user, trust_level: 1)).can_tag_topics?).to be_truthy
end
it "returns true for staff" do
expect(Guardian.new(admin).can_tag_topics?).to be_truthy
expect(Guardian.new(moderator).can_tag_topics?).to be_truthy
end
end
end
context 'min_trust_to_create_tag is "staff"' do
before do
SiteSetting.min_trust_to_create_tag = 'staff'
end
it "returns false if not staff" do
expect(Guardian.new(trust_level_4).can_create_tag?).to eq(false)
end
it "returns true if staff" do
FEATURE: tag groups
2016-06-06 14:18:15 -04:00
expect(Guardian.new(admin).can_create_tag?).to be_truthy
expect(Guardian.new(moderator).can_create_tag?).to be_truthy
end
end
add specs for min_trust_to_create_tag set to staff and admin
2018-07-05 11:39:32 -04:00
context 'min_trust_to_create_tag is "admin"' do
before do
SiteSetting.min_trust_to_create_tag = 'admin'
FEATURE: tag groups
2016-06-06 14:18:15 -04:00
end
add specs for min_trust_to_create_tag set to staff and admin
2018-07-05 11:39:32 -04:00
it "returns false if not admin" do
expect(Guardian.new(trust_level_4).can_create_tag?).to eq(false)
expect(Guardian.new(moderator).can_create_tag?).to eq(false)
FEATURE: tag groups
2016-06-06 14:18:15 -04:00
end
add specs for min_trust_to_create_tag set to staff and admin
2018-07-05 11:39:32 -04:00
it "returns true if admin" do
expect(Guardian.new(admin).can_create_tag?).to be_truthy
FEATURE: tag groups
2016-06-06 14:18:15 -04:00
end
end
end
end
FEATURE: Allow posting a link with topics
2016-12-05 07:31:43 -05:00
FEATURE: add support for group visibility level There are 4 visibility levels - public (default) - members only - staff - owners Note, admins and group owners ALWAYS have visibility to groups Migration treated old "non public" as "members only"
2017-07-03 15:26:46 -04:00
describe(:can_see_group) do
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
it 'Correctly handles owner visible groups' do
FEATURE: add support for group visibility level There are 4 visibility levels - public (default) - members only - staff - owners Note, admins and group owners ALWAYS have visibility to groups Migration treated old "non public" as "members only"
2017-07-03 15:26:46 -04:00
group = Group.new(name: 'group', visibility_level: Group.visibility_levels[:owners])
group.add(member)
group.save!
group.add_owner(owner)
group.reload
expect(Guardian.new(admin).can_see_group?(group)).to eq(true)
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
expect(Guardian.new(another_user).can_see_group?(group)).to eq(false)
FEATURE: add support for group visibility level There are 4 visibility levels - public (default) - members only - staff - owners Note, admins and group owners ALWAYS have visibility to groups Migration treated old "non public" as "members only"
2017-07-03 15:26:46 -04:00
expect(Guardian.new(moderator).can_see_group?(group)).to eq(false)
expect(Guardian.new(member).can_see_group?(group)).to eq(false)
expect(Guardian.new.can_see_group?(group)).to eq(false)
expect(Guardian.new(owner).can_see_group?(group)).to eq(true)
end
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
it 'Correctly handles staff visible groups' do
FEATURE: add support for group visibility level There are 4 visibility levels - public (default) - members only - staff - owners Note, admins and group owners ALWAYS have visibility to groups Migration treated old "non public" as "members only"
2017-07-03 15:26:46 -04:00
group = Group.new(name: 'group', visibility_level: Group.visibility_levels[:staff])
group.add(member)
group.save!
group.add_owner(owner)
group.reload
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
expect(Guardian.new(another_user).can_see_group?(group)).to eq(false)
FEATURE: add support for group visibility level There are 4 visibility levels - public (default) - members only - staff - owners Note, admins and group owners ALWAYS have visibility to groups Migration treated old "non public" as "members only"
2017-07-03 15:26:46 -04:00
expect(Guardian.new(member).can_see_group?(group)).to eq(false)
expect(Guardian.new(admin).can_see_group?(group)).to eq(true)
expect(Guardian.new(moderator).can_see_group?(group)).to eq(true)
expect(Guardian.new(owner).can_see_group?(group)).to eq(true)
expect(Guardian.new.can_see_group?(group)).to eq(false)
end
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
it 'Correctly handles member visible groups' do
FEATURE: add support for group visibility level There are 4 visibility levels - public (default) - members only - staff - owners Note, admins and group owners ALWAYS have visibility to groups Migration treated old "non public" as "members only"
2017-07-03 15:26:46 -04:00
group = Group.new(name: 'group', visibility_level: Group.visibility_levels[:members])
group.add(member)
group.save!
group.add_owner(owner)
group.reload
FIX: respect moderator group permissions in guardian (#10713) Since 9e4ed03, moderators can view groups with visibility level set to "Group owners, members and moderators". This fixes an issue where moderators can see the group in /g but then get a 404 when clicking on individual groups.
2020-09-21 12:32:43 -04:00
expect(Guardian.new(moderator).can_see_group?(group)).to eq(true)
FEATURE: add support for group visibility level There are 4 visibility levels - public (default) - members only - staff - owners Note, admins and group owners ALWAYS have visibility to groups Migration treated old "non public" as "members only"
2017-07-03 15:26:46 -04:00
expect(Guardian.new.can_see_group?(group)).to eq(false)
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
expect(Guardian.new(another_user).can_see_group?(group)).to eq(false)
FEATURE: add support for group visibility level There are 4 visibility levels - public (default) - members only - staff - owners Note, admins and group owners ALWAYS have visibility to groups Migration treated old "non public" as "members only"
2017-07-03 15:26:46 -04:00
expect(Guardian.new(admin).can_see_group?(group)).to eq(true)
expect(Guardian.new(member).can_see_group?(group)).to eq(true)
expect(Guardian.new(owner).can_see_group?(group)).to eq(true)
end
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
it 'Correctly handles logged-on-user visible groups' do
group = Group.new(name: 'group', visibility_level: Group.visibility_levels[:logged_on_users])
group.add(member)
group.save!
group.add_owner(owner)
group.reload
expect(Guardian.new.can_see_group?(group)).to eq(false)
expect(Guardian.new(moderator).can_see_group?(group)).to eq(true)
expect(Guardian.new(admin).can_see_group?(group)).to eq(true)
expect(Guardian.new(member).can_see_group?(group)).to eq(true)
expect(Guardian.new(owner).can_see_group?(group)).to eq(true)
expect(Guardian.new(another_user).can_see_group?(group)).to eq(true)
end
FEATURE: add support for group visibility level There are 4 visibility levels - public (default) - members only - staff - owners Note, admins and group owners ALWAYS have visibility to groups Migration treated old "non public" as "members only"
2017-07-03 15:26:46 -04:00
it 'Correctly handles public groups' do
group = Group.new(name: 'group', visibility_level: Group.visibility_levels[:public])
expect(Guardian.new.can_see_group?(group)).to eq(true)
end
end
FEATURE: add support for group members visibility level (#8004) There are 5 visibility levels (similar to group visibility) public (default) logged-in users members only staff owners Admins & group owners always have visibility to group members.
2019-08-14 09:30:04 -04:00
describe(:can_see_group_members) do
it 'Correctly handles group members visibility for owner' do
group = Group.new(name: 'group', members_visibility_level: Group.visibility_levels[:owners])
group.add(member)
group.save!
group.add_owner(owner)
group.reload
expect(Guardian.new(admin).can_see_group_members?(group)).to eq(true)
expect(Guardian.new(another_user).can_see_group_members?(group)).to eq(false)
expect(Guardian.new(moderator).can_see_group_members?(group)).to eq(false)
expect(Guardian.new(member).can_see_group_members?(group)).to eq(false)
expect(Guardian.new.can_see_group_members?(group)).to eq(false)
expect(Guardian.new(owner).can_see_group_members?(group)).to eq(true)
end
it 'Correctly handles group members visibility for staff' do
group = Group.new(name: 'group', members_visibility_level: Group.visibility_levels[:staff])
group.add(member)
group.save!
group.add_owner(owner)
group.reload
expect(Guardian.new(another_user).can_see_group_members?(group)).to eq(false)
expect(Guardian.new(member).can_see_group_members?(group)).to eq(false)
expect(Guardian.new(admin).can_see_group_members?(group)).to eq(true)
expect(Guardian.new(moderator).can_see_group_members?(group)).to eq(true)
expect(Guardian.new(owner).can_see_group_members?(group)).to eq(true)
expect(Guardian.new.can_see_group_members?(group)).to eq(false)
end
it 'Correctly handles group members visibility for member' do
group = Group.new(name: 'group', members_visibility_level: Group.visibility_levels[:members])
group.add(member)
group.save!
group.add_owner(owner)
group.reload
FIX: respect moderator group permissions in guardian (#10713) Since 9e4ed03, moderators can view groups with visibility level set to "Group owners, members and moderators". This fixes an issue where moderators can see the group in /g but then get a 404 when clicking on individual groups.
2020-09-21 12:32:43 -04:00
expect(Guardian.new(moderator).can_see_group_members?(group)).to eq(true)
FEATURE: add support for group members visibility level (#8004) There are 5 visibility levels (similar to group visibility) public (default) logged-in users members only staff owners Admins & group owners always have visibility to group members.
2019-08-14 09:30:04 -04:00
expect(Guardian.new.can_see_group_members?(group)).to eq(false)
expect(Guardian.new(another_user).can_see_group_members?(group)).to eq(false)
expect(Guardian.new(admin).can_see_group_members?(group)).to eq(true)
expect(Guardian.new(member).can_see_group_members?(group)).to eq(true)
expect(Guardian.new(owner).can_see_group_members?(group)).to eq(true)
end
it 'Correctly handles group members visibility for logged-on-user' do
group = Group.new(name: 'group', members_visibility_level: Group.visibility_levels[:logged_on_users])
group.add(member)
group.save!
group.add_owner(owner)
group.reload
expect(Guardian.new.can_see_group_members?(group)).to eq(false)
expect(Guardian.new(moderator).can_see_group_members?(group)).to eq(true)
expect(Guardian.new(admin).can_see_group_members?(group)).to eq(true)
expect(Guardian.new(member).can_see_group_members?(group)).to eq(true)
expect(Guardian.new(owner).can_see_group_members?(group)).to eq(true)
expect(Guardian.new(another_user).can_see_group_members?(group)).to eq(true)
end
it 'Correctly handles group members visibility for public' do
group = Group.new(name: 'group', members_visibility_level: Group.visibility_levels[:public])
expect(Guardian.new.can_see_group_members?(group)).to eq(true)
end
end
New: can_see_groups? method for better perf
2019-05-29 18:40:43 -04:00
describe '#can_see_groups?' do
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
it 'correctly handles owner visible groups' do
New: can_see_groups? method for better perf
2019-05-29 18:40:43 -04:00
group = Group.new(name: 'group', visibility_level: Group.visibility_levels[:owners])
group.add(member)
group.save!
group.add_owner(owner)
group.reload
expect(Guardian.new(admin).can_see_groups?([group])).to eq(true)
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
expect(Guardian.new(another_user).can_see_groups?([group])).to eq(false)
New: can_see_groups? method for better perf
2019-05-29 18:40:43 -04:00
expect(Guardian.new(moderator).can_see_groups?([group])).to eq(false)
expect(Guardian.new(member).can_see_groups?([group])).to eq(false)
expect(Guardian.new.can_see_groups?([group])).to eq(false)
expect(Guardian.new(owner).can_see_groups?([group])).to eq(true)
end
it 'correctly handles the case where the user does not own every group' do
group = Group.new(name: 'group', visibility_level: Group.visibility_levels[:owners])
group2 = Group.new(name: 'group2', visibility_level: Group.visibility_levels[:owners])
group2.save!
group.add(member)
group.save!
group.add_owner(owner)
group.reload
expect(Guardian.new(admin).can_see_groups?([group, group2])).to eq(true)
expect(Guardian.new(moderator).can_see_groups?([group, group2])).to eq(false)
expect(Guardian.new(member).can_see_groups?([group, group2])).to eq(false)
expect(Guardian.new.can_see_groups?([group, group2])).to eq(false)
expect(Guardian.new(owner).can_see_groups?([group, group2])).to eq(false)
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
expect(Guardian.new(another_user).can_see_groups?([group, group2])).to eq(false)
New: can_see_groups? method for better perf
2019-05-29 18:40:43 -04:00
end
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
it 'correctly handles staff visible groups' do
New: can_see_groups? method for better perf
2019-05-29 18:40:43 -04:00
group = Group.new(name: 'group', visibility_level: Group.visibility_levels[:staff])
group.add(member)
group.save!
group.add_owner(owner)
group.reload
expect(Guardian.new(member).can_see_groups?([group])).to eq(false)
expect(Guardian.new(admin).can_see_groups?([group])).to eq(true)
expect(Guardian.new(moderator).can_see_groups?([group])).to eq(true)
expect(Guardian.new(owner).can_see_groups?([group])).to eq(true)
expect(Guardian.new.can_see_groups?([group])).to eq(false)
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
expect(Guardian.new(another_user).can_see_groups?([group])).to eq(false)
New: can_see_groups? method for better perf
2019-05-29 18:40:43 -04:00
end
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
it 'correctly handles member visible groups' do
New: can_see_groups? method for better perf
2019-05-29 18:40:43 -04:00
group = Group.new(name: 'group', visibility_level: Group.visibility_levels[:members])
group.add(member)
group.save!
group.add_owner(owner)
group.reload
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
expect(Guardian.new(another_user).can_see_groups?([group])).to eq(false)
FIX: respect moderator group permissions in guardian (#10713) Since 9e4ed03, moderators can view groups with visibility level set to "Group owners, members and moderators". This fixes an issue where moderators can see the group in /g but then get a 404 when clicking on individual groups.
2020-09-21 12:32:43 -04:00
expect(Guardian.new(moderator).can_see_groups?([group])).to eq(true)
New: can_see_groups? method for better perf
2019-05-29 18:40:43 -04:00
expect(Guardian.new.can_see_groups?([group])).to eq(false)
expect(Guardian.new(admin).can_see_groups?([group])).to eq(true)
expect(Guardian.new(member).can_see_groups?([group])).to eq(true)
expect(Guardian.new(owner).can_see_groups?([group])).to eq(true)
end
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
it 'correctly handles logged-on-user visible groups' do
group = Group.new(name: 'group', visibility_level: Group.visibility_levels[:logged_on_users])
group.add(member)
group.save!
group.add_owner(owner)
group.reload
expect(Guardian.new(member).can_see_groups?([group])).to eq(true)
expect(Guardian.new(admin).can_see_groups?([group])).to eq(true)
expect(Guardian.new(moderator).can_see_groups?([group])).to eq(true)
expect(Guardian.new(owner).can_see_groups?([group])).to eq(true)
expect(Guardian.new.can_see_groups?([group])).to eq(false)
expect(Guardian.new(another_user).can_see_groups?([group])).to eq(true)
end
New: can_see_groups? method for better perf
2019-05-29 18:40:43 -04:00
it 'correctly handles the case where the user is not a member of every group' do
group1 = Group.new(name: 'group', visibility_level: Group.visibility_levels[:members])
group2 = Group.new(name: 'group2', visibility_level: Group.visibility_levels[:members])
group2.save!
group1.add(member)
group1.save!
group1.add_owner(owner)
group1.reload
FIX: respect moderator group permissions in guardian (#10713) Since 9e4ed03, moderators can view groups with visibility level set to "Group owners, members and moderators". This fixes an issue where moderators can see the group in /g but then get a 404 when clicking on individual groups.
2020-09-21 12:32:43 -04:00
expect(Guardian.new(moderator).can_see_groups?([group1, group2])).to eq(true)
New: can_see_groups? method for better perf
2019-05-29 18:40:43 -04:00
expect(Guardian.new.can_see_groups?([group1, group2])).to eq(false)
expect(Guardian.new(admin).can_see_groups?([group1, group2])).to eq(true)
expect(Guardian.new(member).can_see_groups?([group1, group2])).to eq(false)
expect(Guardian.new(owner).can_see_groups?([group1, group2])).to eq(false)
end
it 'correctly handles public groups' do
group = Group.new(name: 'group', visibility_level: Group.visibility_levels[:public])
expect(Guardian.new.can_see_groups?([group])).to eq(true)
end
FEATURE: Add new group visibility option for "logged on users" (#7814) Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
it 'correctly handles case where not every group is public' do
New: can_see_groups? method for better perf
2019-05-29 18:40:43 -04:00
group1 = Group.new(name: 'group', visibility_level: Group.visibility_levels[:public])
group2 = Group.new(name: 'group', visibility_level: Group.visibility_levels[:private])
expect(Guardian.new.can_see_groups?([group1, group2])).to eq(false)
end
end
FEATURE: Allow posting a link with topics
2016-12-05 07:31:43 -05:00
context 'topic featured link category restriction' do
before { SiteSetting.topic_featured_link_enabled = true }
FEATURE: Disallow putting urls in the title for TL-0 users (#13947) This disallows putting URLs in topic titles for TL0 users, which means that: If a TL-0 user puts a link into the title, a topic featured link won't be generated (as if it was disabled in the site settings) Server methods for creating and updating topics will be refusing featured links when they are called by TL-0 users TL-0 users won't be able to put any link into the topic title. For example, the title "Hey, take a look at https://my-site.com" will be rejected. Also, it improves a bit server behavior when creating or updating feature links on topics in the categories with disabled featured links. Before the server just silently ignored a featured link field that was passed to him, now it will be returning 422 response.
2021-08-05 05:38:39 -04:00
let(:guardian) { Guardian.new(user) }
FIX: uncategorized setting to control whether topic featured links are allowed
2016-12-20 15:55:30 -05:00
let(:uncategorized) { Category.find(SiteSetting.uncategorized_category_id) }
FEATURE: Allow posting a link with topics
2016-12-05 07:31:43 -05:00
Topic Featured Links: move data from custom fields to topics and categories tables. Invert behaviour of topic_featured_link_allowed checkbox. Fix a bug with invalid topic records due to changing that category checkbox.
2016-12-15 17:46:43 -05:00
context "uncategorized" do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:link_category) { Fabricate(:link_category) }
Topic Featured Links: move data from custom fields to topics and categories tables. Invert behaviour of topic_featured_link_allowed checkbox. Fix a bug with invalid topic records due to changing that category checkbox.
2016-12-15 17:46:43 -05:00
FIX: uncategorized setting to control whether topic featured links are allowed
2016-12-20 15:55:30 -05:00
it "allows featured links if uncategorized allows it" do
uncategorized.topic_featured_link_allowed = true
uncategorized.save!
Topic Featured Links: move data from custom fields to topics and categories tables. Invert behaviour of topic_featured_link_allowed checkbox. Fix a bug with invalid topic records due to changing that category checkbox.
2016-12-15 17:46:43 -05:00
expect(guardian.can_edit_featured_link?(nil)).to eq(true)
end
FIX: uncategorized setting to control whether topic featured links are allowed
2016-12-20 15:55:30 -05:00
it "forbids featured links if uncategorized forbids it" do
uncategorized.topic_featured_link_allowed = false
uncategorized.save!
Topic Featured Links: move data from custom fields to topics and categories tables. Invert behaviour of topic_featured_link_allowed checkbox. Fix a bug with invalid topic records due to changing that category checkbox.
2016-12-15 17:46:43 -05:00
expect(guardian.can_edit_featured_link?(nil)).to eq(false)
end
FEATURE: Allow posting a link with topics
2016-12-05 07:31:43 -05:00
end
context 'when exist' do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:category) { Fabricate(:category, topic_featured_link_allowed: false) }
fab!(:link_category) { Fabricate(:link_category) }
FEATURE: Allow posting a link with topics
2016-12-05 07:31:43 -05:00
it 'returns true if the category is listed' do
expect(guardian.can_edit_featured_link?(link_category.id)).to eq(true)
end
Topic Featured Links: move data from custom fields to topics and categories tables. Invert behaviour of topic_featured_link_allowed checkbox. Fix a bug with invalid topic records due to changing that category checkbox.
2016-12-15 17:46:43 -05:00
it 'returns false if the category does not allow it' do
FEATURE: Allow posting a link with topics
2016-12-05 07:31:43 -05:00
expect(guardian.can_edit_featured_link?(category.id)).to eq(false)
end
end
end
FEATURE: Site Setting to hide suspension reason on the public profile
2017-09-12 16:06:01 -04:00
context "suspension reasons" do
it "will be shown by default" do
expect(Guardian.new.can_see_suspension_reason?(user)).to eq(true)
end
context "with hide suspension reason enabled" do
before do
SiteSetting.hide_suspension_reasons = true
end
it "will not be shown to anonymous users" do
expect(Guardian.new.can_see_suspension_reason?(user)).to eq(false)
end
it "users can see their own suspensions" do
expect(Guardian.new(user).can_see_suspension_reason?(user)).to eq(true)
end
it "staff can see suspensions" do
expect(Guardian.new(moderator).can_see_suspension_reason?(user)).to eq(true)
end
end
end
FEATURE: Allow user to leave a PM.
2017-10-10 04:26:56 -04:00
describe '#can_remove_allowed_users?' do
context 'staff users' do
it 'should be true' do
expect(Guardian.new(moderator).can_remove_allowed_users?(topic))
.to eq(true)
end
end
FIX: allows PM owner to remove any user if >= TL2 (#10036)
2020-06-12 06:54:28 -04:00
context 'trust_level >= 2 user' do
fab!(:topic_creator) { build(:user, trust_level: 2) }
fab!(:topic) { Fabricate(:topic, user: topic_creator) }
before do
topic.allowed_users << topic_creator
topic.allowed_users << another_user
end
it 'should be true' do
expect(Guardian.new(topic_creator).can_remove_allowed_users?(topic))
.to eq(true)
end
end
FEATURE: Allow user to leave a PM.
2017-10-10 04:26:56 -04:00
context 'normal user' do
FIX: allows PM owner to remove any user if >= TL2 (#10036)
2020-06-12 06:54:28 -04:00
fab!(:topic) { Fabricate(:topic, user: Fabricate(:user, trust_level: 1)) }
FEATURE: Allow user to leave a PM.
2017-10-10 04:26:56 -04:00
before do
topic.allowed_users << user
topic.allowed_users << another_user
end
it 'should be false' do
expect(Guardian.new(user).can_remove_allowed_users?(topic))
.to eq(false)
end
describe 'target_user is the user' do
describe 'when user is in a pm with another user' do
it 'should return true' do
expect(Guardian.new(user).can_remove_allowed_users?(topic, user))
.to eq(true)
end
end
describe 'when user is the creator of the topic' do
it 'should return false' do
expect(Guardian.new(topic.user).can_remove_allowed_users?(topic, topic.user))
.to eq(false)
end
end
describe 'when user is the only user in the topic' do
it 'should return false' do
topic.remove_allowed_user(Discourse.system_user, another_user.username)
expect(Guardian.new(user).can_remove_allowed_users?(topic, user))
.to eq(false)
end
end
end
describe 'target_user is not the user' do
it 'should return false' do
expect(Guardian.new(user).can_remove_allowed_users?(topic, moderator))
.to eq(false)
end
end
end
FIX: Guardian#can_remove_allowed_users? shouldn't break for ownerless topics A topic can outlive its original author. TopicGuardian should still work in this situation.
2020-06-19 05:04:05 -04:00
context "anonymous users" do
fab!(:topic) { Fabricate(:topic) }
it 'should be false' do
expect(Guardian.new.can_remove_allowed_users?(topic)).to eq(false)
end
it 'should be false when the topic does not have a user (for example because the user was removed)' do
DB.exec("UPDATE topics SET user_id=NULL WHERE id=#{topic.id}")
topic.reload
expect(Guardian.new.can_remove_allowed_users?(topic)).to eq(false)
end
end
FEATURE: Allow user to leave a PM.
2017-10-10 04:26:56 -04:00
end
FIX: Do not allow revoking the token of current session. (#6472) * FIX: Do not allow revoking the token of current session. * DEV: Add getter of current auth_token from Guardian.
2018-10-11 19:40:48 -04:00
describe '#auth_token' do
it 'returns the correct auth token' do
token = UserAuthToken.generate!(user_id: user.id)
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
cookie = create_auth_cookie(
token: token.unhashed_auth_token,
user_id: user.id,
trust_level: user.trust_level,
issued_at: 5.minutes.ago,
)
env = create_request_env(path: "/").merge("HTTP_COOKIE" => "_t=#{cookie};")
guardian = Guardian.new(user, ActionDispatch::Request.new(env))
expect(guardian.auth_token).to eq(token.auth_token)
end
it 'supports v0 of auth cookie' do
token = UserAuthToken.generate!(user_id: user.id)
cookie = token.unhashed_auth_token
env = create_request_env(path: "/").merge("HTTP_COOKIE" => "_t=#{cookie};")
FIX: Do not allow revoking the token of current session. (#6472) * FIX: Do not allow revoking the token of current session. * DEV: Add getter of current auth_token from Guardian.
2018-10-11 19:40:48 -04:00
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
guardian = Guardian.new(user, ActionDispatch::Request.new(env))
FIX: Do not allow revoking the token of current session. (#6472) * FIX: Do not allow revoking the token of current session. * DEV: Add getter of current auth_token from Guardian.
2018-10-11 19:40:48 -04:00
expect(guardian.auth_token).to eq(token.auth_token)
end
end
FEATURE: Support for publishing topics as pages (#9364) If the feature is enabled, staff members can construct a URL and publish a topic for others to browse without the regular Discourse chrome. This is useful if you want to use Discourse like a CMS and publish topics as articles, which can then be embedded into other systems.
2020-04-08 12:52:36 -04:00
describe "can_publish_page?" do
context "when disabled" do
it "is false for staff" do
expect(Guardian.new(admin).can_publish_page?(topic)).to eq(false)
end
end
context "when enabled" do
before do
SiteSetting.enable_page_publishing = true
end
it "is false for anonymous users" do
expect(Guardian.new.can_publish_page?(topic)).to eq(false)
end
it "is false for regular users" do
expect(Guardian.new(user).can_publish_page?(topic)).to eq(false)
end
it "is true for staff" do
expect(Guardian.new(moderator).can_publish_page?(topic)).to eq(true)
expect(Guardian.new(admin).can_publish_page?(topic)).to eq(true)
end
it "is false if the topic is a private message" do
post = Fabricate(:private_message_post, user: admin)
expect(Guardian.new(admin).can_publish_page?(post.topic)).to eq(false)
end
FIX: Do not enable published page if secure media enabled (#11131) There are issues around displaying images on published pages when secure media is enabled. This PR temporarily makes it appear as if published pages are enabled if secure media is also enabled.
2020-11-05 19:33:19 -05:00
context "when secure_media is also enabled" do
before do
setup_s3
SiteSetting.secure_media = true
end
it "is false for everyone" do
expect(Guardian.new(moderator).can_publish_page?(topic)).to eq(false)
expect(Guardian.new(user).can_publish_page?(topic)).to eq(false)
expect(Guardian.new.can_publish_page?(topic)).to eq(false)
expect(Guardian.new(admin).can_publish_page?(topic)).to eq(false)
end
end
FEATURE: Support for publishing topics as pages (#9364) If the feature is enabled, staff members can construct a URL and publish a topic for others to browse without the regular Discourse chrome. This is useful if you want to use Discourse like a CMS and publish topics as articles, which can then be embedded into other systems.
2020-04-08 12:52:36 -04:00
end
end
FIX: do not include contact url & email in client site settings payload (#13004)
2021-05-19 02:15:24 -04:00
describe "can_see_site_contact_details" do
context "login_required is enabled" do
before do
SiteSetting.login_required = true
end
it "is false for anonymous users" do
expect(Guardian.new.can_see_site_contact_details?).to eq(false)
end
it "is true for regular users" do
expect(Guardian.new(user).can_see_site_contact_details?).to eq(true)
end
end
context "login_required is disabled" do
before do
SiteSetting.login_required = false
end
it "is true for anonymous users" do
expect(Guardian.new.can_see_site_contact_details?).to eq(true)
end
it "is true for regular users" do
expect(Guardian.new(user).can_see_site_contact_details?).to eq(true)
end
end
end
FEATURE: Mention @here to notify users in topic (#14900) Use @here to mention all users that were allowed to topic directly or through group, who liked topics or read the topic. Only first 10 users will be notified.
2021-11-23 15:25:54 -05:00
describe "#can_mention_here?" do
it 'returns false if disabled' do
SiteSetting.max_here_mentioned = 0
expect(admin.guardian.can_mention_here?).to eq(false)
end
it 'returns false if disabled' do
SiteSetting.here_mention = ''
expect(admin.guardian.can_mention_here?).to eq(false)
end
it 'works with trust levels' do
SiteSetting.min_trust_level_for_here_mention = 2
expect(trust_level_0.guardian.can_mention_here?).to eq(false)
expect(trust_level_1.guardian.can_mention_here?).to eq(false)
expect(trust_level_2.guardian.can_mention_here?).to eq(true)
expect(trust_level_3.guardian.can_mention_here?).to eq(true)
expect(trust_level_4.guardian.can_mention_here?).to eq(true)
expect(moderator.guardian.can_mention_here?).to eq(true)
expect(admin.guardian.can_mention_here?).to eq(true)
end
it 'works with staff' do
SiteSetting.min_trust_level_for_here_mention = 'staff'
expect(trust_level_4.guardian.can_mention_here?).to eq(false)
expect(moderator.guardian.can_mention_here?).to eq(true)
expect(admin.guardian.can_mention_here?).to eq(true)
end
it 'works with admin' do
SiteSetting.min_trust_level_for_here_mention = 'admin'
expect(trust_level_4.guardian.can_mention_here?).to eq(false)
expect(moderator.guardian.can_mention_here?).to eq(false)
expect(admin.guardian.can_mention_here?).to eq(true)
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end