FIX: do not allow normal users to wiki edit-expired posts

This commit is contained in:
Arpit Jalan 2016-03-15 14:43:52 +05:30
parent 177294f930
commit 3e32393ab6
2 changed files with 29 additions and 2 deletions

View File

@ -175,7 +175,14 @@ module PostGuardian
def can_wiki?(post)
return false unless authenticated?
is_staff? || @user.has_trust_level?(TrustLevel[4]) || (@user.has_trust_level?(SiteSetting.min_trust_to_allow_self_wiki) && is_my_own?(post))
return true if is_staff? || @user.has_trust_level?(TrustLevel[4])
if @user.has_trust_level?(SiteSetting.min_trust_to_allow_self_wiki) && is_my_own?(post)
return false if post.hidden?
return !post.edit_time_limit_expired?
end
false
end
def can_change_post_type?

View File

@ -2098,7 +2098,7 @@ describe Guardian do
end
describe 'can_wiki?' do
let(:post) { build(:post) }
let(:post) { build(:post, created_at: 1.minute.ago) }
it 'returns false for regular user' do
expect(Guardian.new(coding_horror).can_wiki?(post)).to be_falsey
@ -2127,5 +2127,25 @@ describe Guardian do
it 'returns true for trust_level_4 user' do
expect(Guardian.new(trust_level_4).can_wiki?(post)).to be_truthy
end
context 'post is older than post_edit_time_limit' do
let(:old_post) { build(:post, user: trust_level_2, created_at: 6.minutes.ago) }
before do
SiteSetting.min_trust_to_allow_self_wiki = 2
SiteSetting.post_edit_time_limit = 5
end
it 'returns false when user satisfies trust level and owns the post' do
expect(Guardian.new(trust_level_2).can_wiki?(old_post)).to be_falsey
end
it 'returns true for admin user' do
expect(Guardian.new(admin).can_wiki?(old_post)).to be_truthy
end
it 'returns true for trust_level_4 user' do
expect(Guardian.new(trust_level_4).can_wiki?(post)).to be_truthy
end
end
end
end