Can clear flags on deleted posts if you're a moderator

2013-02-08 19:04:14 -05:00 · 2013-02-08 19:04:14 -05:00 · 03a798b202
parent ea631e75c9
commit 03a798b202
6 changed files with 90 additions and 11 deletions
--- a/app/controllers/post_actions_controller.rb
+++ b/app/controllers/post_actions_controller.rb
@ -52,7 +52,7 @@ class PostActionsController < ApplicationController

  def clear_flags
    requires_parameter(:post_action_type_id)
-    raise Discourse::InvalidAccess unless guardian.is_admin?
+    guardian.ensure_can_clear_flags!(@post)

    PostAction.clear_flags!(@post, current_user.id, params[:post_action_type_id].to_i)
    @post.reload
@ -69,7 +69,12 @@ class PostActionsController < ApplicationController

    def fetch_post_from_params
      requires_parameter(:id)
-      @post = Post.where(id: params[:id]).first
+      finder = Post.where(id: params[:id])
+
+      # Include deleted posts if the user is a moderator
+      finder = finder.with_deleted if current_user.try(:has_trust_level?, :moderator)      
+
+      @post = finder.first
      guardian.ensure_can_see!(@post)
    end
 end
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -65,8 +65,6 @@ class PostsController < ApplicationController

  def show
    @post = find_post_from_params
-    guardian.ensure_can_see!(@post)
-
    @post.revert_to(params[:version].to_i) if params[:version].present?
    post_serializer = PostSerializer.new(@post, scope: guardian, root: false)
    post_serializer.add_raw = true
@ -109,22 +107,18 @@ class PostsController < ApplicationController
  # Retrieves a list of versions and who made them for a post
  def versions
    post = find_post_from_params
-    guardian.ensure_can_see!(post)
-
    render_serialized(post.all_versions, VersionSerializer)
  end

  # Direct replies to this post
  def replies
    post = find_post_from_params
-    guardian.ensure_can_see!(post)
    render_serialized(post.replies, PostSerializer)
  end


  def bookmark
    post = find_post_from_params
-    guardian.ensure_can_see!(post)
    if current_user
      if params[:bookmarked] == "true"
        PostAction.act(current_user, post, PostActionType.Types[:bookmark])
@ -144,6 +138,8 @@ class PostsController < ApplicationController
      # Include deleted posts if the user is a moderator
      finder = finder.with_deleted if current_user.try(:has_trust_level?, :moderator)      

-      finder.first
+      post = finder.first
+      guardian.ensure_can_see!(post)
+      post
    end    
 end
--- a/app/models/post_action.rb
+++ b/app/models/post_action.rb
@ -66,7 +66,7 @@ class PostAction < ActiveRecord::Base
    r = PostActionType.Types.invert
    f = actions.map{|t| ["#{r[t]}_count", 0]}

-    Post.update_all(Hash[*f.flatten], id: post.id)
+    Post.with_deleted.update_all(Hash[*f.flatten], id: post.id)

    update_flagged_posts_count
  end
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@ -109,6 +109,12 @@ class Guardian
    true
  end

+  def can_clear_flags?(post)
+    return false if @user.blank?
+    return false if post.blank?
+    @user.has_trust_level?(:moderator)
+  end
+
  def can_revoke_admin?(admin)
    return false unless @user.try(:admin?)
    return false if admin.blank?
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@ -68,6 +68,29 @@ describe Guardian do
  end


+  describe "can_clear_flags" do    
+    let(:post) { Fabricate(:post) }
+    let(:user) { post.user }
+    let(:moderator) { Fabricate(:moderator) }
+
+    it "returns false when the user is nil" do
+      Guardian.new(nil).can_clear_flags?(post).should be_false
+    end
+
+    it "returns false when the post is nil" do
+      Guardian.new(moderator).can_clear_flags?(nil).should be_false
+    end
+
+    it "returns false when the user is not a moderator" do
+      Guardian.new(user).can_clear_flags?(post).should be_false
+    end
+
+    it "returns true when the user is a moderator" do
+      Guardian.new(moderator).can_clear_flags?(post).should be_true
+    end
+
+  end
+
  describe 'can_send_private_message' do
    let(:user) { Fabricate(:user) }
    let(:another_user) { Fabricate(:user) }
--- a/spec/controllers/post_actions_controller_spec.rb
+++ b/spec/controllers/post_actions_controller_spec.rb
@ -85,6 +85,55 @@ describe PostActionsController do

  end

+  context 'clear_flags' do
+
+    let(:flagged_post) { Fabricate(:post, user: Fabricate(:coding_horror)) }
+
+    context "not logged in" do
+      it "should not allow them to clear flags" do
+        lambda { xhr :post, :clear_flags }.should raise_error(Discourse::NotLoggedIn)
+      end      
+    end
+
+    context 'logged in' do
+      let!(:user) { log_in(:moderator) }
+
+      it "raises an error without a post_action_type_id" do
+        -> { xhr :post, :clear_flags, id: flagged_post.id }.should raise_error(Discourse::InvalidParameters)
+      end
+
+      it "raises an error when the user doesn't have access" do
+        Guardian.any_instance.expects(:can_clear_flags?).returns(false) 
+        xhr :post, :clear_flags, id: flagged_post.id, post_action_type_id: PostActionType.Types[:spam]
+        response.should be_forbidden
+      end
+
+      context "success" do
+        before do
+          Guardian.any_instance.expects(:can_clear_flags?).returns(true) 
+          PostAction.expects(:clear_flags!).with(flagged_post, user.id, PostActionType.Types[:spam])
+        end
+
+        it "delegates to clear_flags" do        
+          xhr :post, :clear_flags, id: flagged_post.id, post_action_type_id: PostActionType.Types[:spam]
+          response.should be_success
+        end    
+
+        it "works with a deleted post" do
+          flagged_post.destroy
+          xhr :post, :clear_flags, id: flagged_post.id, post_action_type_id: PostActionType.Types[:spam]
+          response.should be_success
+        end
+
+
+      end
+
+    end
+
+
+
+  end
+


  describe 'users' do