DEV: Only allow expanding hidden posts for author and staff (#21052)
parent
9cc1b6a959
commit
02625d1edd
|
@ -497,7 +497,10 @@ createWidget("post-contents", {
|
||||||
|
|
||||||
result = result.concat(applyDecorators(this, "after-cooked", attrs, state));
|
result = result.concat(applyDecorators(this, "after-cooked", attrs, state));
|
||||||
|
|
||||||
if (attrs.cooked_hidden) {
|
if (
|
||||||
|
attrs.cooked_hidden &&
|
||||||
|
(this.currentUser?.isLeader || attrs.user_id === this.currentUser?.id)
|
||||||
|
) {
|
||||||
result.push(this.attach("expand-hidden", attrs));
|
result.push(this.attach("expand-hidden", attrs));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
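Review bot: The client gate `this.currentUser?.isLeader || attrs.user_id === this.currentUser?.id` does not mirror the server rule added in the same commit, which accepts the author or `has_trust_level_or_staff?(TrustLevel[4])`; if `isLeader` reflects only trust level 4, a moderator or admin below TL4 gets no expand control even though the guardian would let them see the content. Consider matching the server with `(this.currentUser?.staff || this.currentUser?.isLeader || attrs.user_id === this.currentUser?.id)` if the client user model exposes a staff flag, or better, driving the button from a permission the server serializes rather than re-deriving the rule client-side. This check is display-only; the authorization boundary remains the guardian on the server, so the mismatch costs usability rather than safety. The enclosing `post-contents` widget method continues outside the hunk.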
@ -269,7 +269,10 @@ module PostGuardian
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
return true if is_moderator? || is_category_group_moderator?(post.topic.category)
|
return true if is_moderator? || is_category_group_moderator?(post.topic.category)
|
||||||
return true if !post.trashed? || can_see_deleted_post?(post)
|
if (!post.trashed? || can_see_deleted_post?(post)) &&
|
||||||
|
(!post.hidden? || can_see_hidden_post?(post))
|
||||||
|
return true
|
||||||
|
end
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
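Review bot: The new condition changes visibility of every hidden post for every caller of this guardian method, not only the expand-hidden path the title names: a logged-in non-author below TL4 now fails the check outright for a hidden post, and anonymous users fail it because `can_see_hidden_post?` returns false for them. That appears to be what moves the PostsController revisions spec later in this commit from 404 to 403, so the effect reaches beyond the widget; confirm that topic streams and serializers which previously rendered hidden posts with a placeholder still behave as intended. As a point of style, the `if … return true end` followed by `false` can be the method's final expression: `(!post.trashed? || can_see_deleted_post?(post)) && (!post.hidden? || can_see_hidden_post?(post))`. The enclosing method begins outside the hunk.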
@ -280,6 +283,11 @@ module PostGuardian
|
||||||
post.deleted_by_id == @user.id && @user.has_trust_level?(TrustLevel[4])
|
post.deleted_by_id == @user.id && @user.has_trust_level?(TrustLevel[4])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def can_see_hidden_post?(post)
|
||||||
|
return false if anonymous?
|
||||||
|
post.user_id == @user.id || @user.has_trust_level_or_staff?(TrustLevel[4])
|
||||||
|
end
|
||||||
|
|
||||||
def can_view_edit_history?(post)
|
def can_view_edit_history?(post)
|
||||||
return false unless post
|
return false unless post
|
||||||
|
|
||||||
|
|
|
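Review bot: `can_see_hidden_post?` carries no documentation, and its grant is wider than the commit title suggests: `has_trust_level_or_staff?(TrustLevel[4])` admits any TL4 user, not only staff. A header comment stating the actual rule would keep the next reader from trusting the title instead, e.g. `# Hidden post content is visible to the post's author and to staff or TL4 users; anonymous users never qualify.`. For consistency with the neighbouring `can_view_edit_history?`, which opens with `return false unless post`, consider the same guard before reading `post.user_id`, since the callers that would pass a nil post are not visible in this hunk.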
@ -0,0 +1,32 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
RSpec.describe PostGuardian do
|
||||||
|
fab!(:user) { Fabricate(:user) }
|
||||||
|
fab!(:anon) { Fabricate(:anonymous) }
|
||||||
|
fab!(:admin) { Fabricate(:admin) }
|
||||||
|
fab!(:tl3_user) { Fabricate(:trust_level_3) }
|
||||||
|
fab!(:tl4_user) { Fabricate(:trust_level_4) }
|
||||||
|
fab!(:moderator) { Fabricate(:moderator) }
|
||||||
|
fab!(:category) { Fabricate(:category) }
|
||||||
|
fab!(:topic) { Fabricate(:topic, category: category) }
|
||||||
|
fab!(:hidden_post) { Fabricate(:post, topic: topic, hidden: true) }
|
||||||
|
|
||||||
|
describe "#can_see_hidden_post?" do
|
||||||
|
it "returns false for anonymous users" do
|
||||||
|
expect(Guardian.new(anon).can_see_hidden_post?(hidden_post)).to eq(false)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "returns false for TL3 users" do
|
||||||
|
expect(Guardian.new(tl3_user).can_see_hidden_post?(hidden_post)).to eq(false)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "returns true for TL4 users" do
|
||||||
|
expect(Guardian.new(tl4_user).can_see_hidden_post?(hidden_post)).to eq(true)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "returns true for staff users" do
|
||||||
|
expect(Guardian.new(moderator).can_see_hidden_post?(hidden_post)).to eq(true)
|
||||||
|
expect(Guardian.new(admin).can_see_hidden_post?(hidden_post)).to eq(true)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
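Review bot: The new spec exercises the anonymous, TL3, TL4 and staff branches of `can_see_hidden_post?` but not the author branch, which is the first condition in the method and the case the commit title leads with. Adding `it "returns true for the post author" do expect(Guardian.new(hidden_post.user).can_see_hidden_post?(hidden_post)).to eq(true) end` covers it with the existing `hidden_post` fixture, and a companion case for the non-author `user` fixture would pin that ownership, not merely being logged in, is what grants access. The `user` fixture declared at the top is otherwise unused.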
@ -1992,7 +1992,7 @@ RSpec.describe PostsController do
|
||||||
it "throws an exception for users" do
|
it "throws an exception for users" do
|
||||||
sign_in(user)
|
sign_in(user)
|
||||||
get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
|
get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
|
||||||
expect(response.status).to eq(404)
|
expect(response.status).to eq(403)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "works for admins" do
|
it "works for admins" do
|
||||||
|
|
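Review bot: The expectation moves from 404 to 403 for a user fetching a revision they are not allowed to see, which confirms to the requester that the post and revision exist; if the earlier 404 was chosen to avoid disclosing the existence of content the user may not view, the new status weakens that, and the controller behaviour rather than the spec is what should be reconsidered. If 403 is intentional because hidden posts are already visible as placeholders, a one-line comment above the assertion recording why the status changed would help, e.g. `# revisions of a hidden post are forbidden rather than not found; the post's existence is not a secret`. The enclosing describe block starts and ends outside the hunk.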