FIX: trust level 3 should not be able to edit topics in categories that restrict them from doing so

This commit is contained in:
Neil Lalonde 2016-06-01 15:41:56 -04:00
parent 672220c6d2
commit 0f8b4dcc86
2 changed files with 12 additions and 0 deletions

View File

@ -36,6 +36,9 @@ module TopicGuardian
return true if is_admin?
return true if is_moderator? && can_create_post?(topic)
# can't edit topics in secured categories where you don't have permission to create topics
return false if !can_create_topic_on_category?(topic.category)
# TL4 users can edit archived topics, but can not edit private messages
return true if (topic.archived && !topic.private_message? && user.has_trust_level?(TrustLevel[4]) && can_create_post?(topic))

View File

@ -1086,6 +1086,15 @@ describe Guardian do
expect(Guardian.new(moderator).can_edit?(post)).to eq(false)
expect(Guardian.new(moderator).can_edit?(topic)).to eq(false)
end
it "returns false for trust level 3 if category is secured" do
topic.category.set_permissions(everyone: :create_post, staff: :full)
topic.category.save
expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(false)
expect(Guardian.new(admin).can_edit?(topic)).to eq(true)
expect(Guardian.new(moderator).can_edit?(topic)).to eq(true)
end
end
context 'private message' do