From 0f8b4dcc86eb8f3d93d3dd4d0ac81ff4013c3aef Mon Sep 17 00:00:00 2001
From: Neil Lalonde
Date: Wed, 1 Jun 2016 15:41:56 -0400
Subject: [PATCH] FIX: trust level 3 should not be able to edit topics in categories that restrict them from doing so
---
 lib/guardian/topic_guardian.rb | 3 +++
 spec/components/guardian_spec.rb | 9 +++++++++
 2 files changed, 12 insertions(+)
diff --git a/lib/guardian/topic_guardian.rb b/lib/guardian/topic_guardian.rb
index d766af64e85..007b77db4c1 100644
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@@ -36,6 +36,9 @@ module TopicGuardian
 return true if is_admin?
 return true if is_moderator? && can_create_post?(topic)
 
+ # can't edit topics in secured categories where you don't have permission to create topics
+ return false if !can_create_topic_on_category?(topic.category)
+
 # TL4 users can edit archived topics, but can not edit private messages
 return true if (topic.archived && !topic.private_message? && user.has_trust_level?(TrustLevel[4]) && can_create_post?(topic))
 
diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb
index 13fbd297add..1f130d4da49 100644
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@@ -1086,6 +1086,15 @@ describe Guardian do
 expect(Guardian.new(moderator).can_edit?(post)).to eq(false)
 expect(Guardian.new(moderator).can_edit?(topic)).to eq(false)
 end
+
+ it "returns false for trust level 3 if category is secured" do
+ topic.category.set_permissions(everyone: :create_post, staff: :full)
+ topic.category.save
+
+ expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(false)
+ expect(Guardian.new(admin).can_edit?(topic)).to eq(true)
+ expect(Guardian.new(moderator).can_edit?(topic)).to eq(true)
+ end
 end
 
 context 'private message' do
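Review bot: In lib/guardian/topic_guardian.rb the added guard `return false if !can_create_topic_on_category?(topic.category)` sits ahead of every later branch, so it denies edits to any non-staff user who lacks create permission in the category (including the TL4 archived-topic branch just below it), not only trust level 3 as the subject line says; the comment above it should state that scope, e.g. `# applies to every user who falls through the admin and moderator returns above, not only TL3`. `topic.category` is passed without a nil check, and whether the helper accepts nil for uncategorized topics or private messages is not visible in this hunk, so that path deserves confirmation. The idiomatic spelling is `return false unless can_create_topic_on_category?(topic.category)`. The enclosing method starts and ends outside the hunk.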
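Review bot: In spec/components/guardian_spec.rb the new example covers trust level 3, admin and moderator only, while the guard it exercises also runs before the TL4 archived-topic branch and any owner branch outside the hunk; an example for an ordinary topic owner in the same restricted category would pin the broader behaviour. `topic.category.save` ignores a failed save, so `topic.category.save!` would make a setup failure surface as an error rather than as a confusing assertion failure. The surrounding `context` block begins outside the hunk.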