From 3e32393ab631905146eea8934fc53c5adc5413d2 Mon Sep 17 00:00:00 2001
From: Arpit Jalan
Date: Tue, 15 Mar 2016 14:43:52 +0530
Subject: [PATCH] FIX: do not allow normal users to wiki edit-expired posts

---
 lib/guardian/post_guardian.rb | 9 ++++++++-
 spec/components/guardian_spec.rb | 22 +++++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/lib/guardian/post_guardian.rb b/lib/guardian/post_guardian.rb
index 8635bc6c1f7..9c07db3380d 100644
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@@ -175,7 +175,14 @@ module PostGuardian
 def can_wiki?(post)
 return false unless authenticated?

- is_staff? || @user.has_trust_level?(TrustLevel[4]) || (@user.has_trust_level?(SiteSetting.min_trust_to_allow_self_wiki) && is_my_own?(post))
+ return true if is_staff? || @user.has_trust_level?(TrustLevel[4])
+
+ if @user.has_trust_level?(SiteSetting.min_trust_to_allow_self_wiki) && is_my_own?(post)
+ return false if post.hidden?
+ return !post.edit_time_limit_expired?
+ end
+
+ false
 end

 def can_change_post_type?
diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb
index 7951409e001..59dd7bdc215 100644
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@@ -2098,7 +2098,7 @@ describe Guardian do
 end

 describe 'can_wiki?' do
- let(:post) { build(:post) }
+ let(:post) { build(:post, created_at: 1.minute.ago) }

 it 'returns false for regular user' do
 expect(Guardian.new(coding_horror).can_wiki?(post)).to be_falsey
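Review bot: The self-wiki branch of `can_wiki?` now re-derives two editing rules inline (`post.hidden?` and `post.edit_time_limit_expired?`) without saying why, and nothing ties them to the guardian's edit path, so the two can drift apart the next time an edit restriction is added. A short why-comment above the `if` would make the security intent explicit, e.g. `# Making a post a wiki widens who may edit it, so a user must not be able to flag their own post as a wiki once they could no longer edit it themselves (hidden, or past post_edit_time_limit).` If the guardian already has a `can_edit_post?` that encodes the hidden/time-limit rules (it is outside this hunk, so I cannot confirm), delegating to it from this branch would keep the ordinary-user wiki check in lockstep with the edit check rather than duplicating it. Note that staff and TL4 still bypass both conditions via the early `return true`, which the spec hunk confirms is intended.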
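Review bot: The `let(:post)` fixture now silently depends on the site's default `post_edit_time_limit` being longer than one minute; if that default is ever lowered, the existing `can_wiki?` examples would start failing for an unrelated reason. The later context in this file pins `SiteSetting.post_edit_time_limit = 5` explicitly, and the same `before` block here would make this fixture self-describing, e.g. `before { SiteSetting.post_edit_time_limit = 5 }` next to the `let`. The `describe 'can_wiki?'` block continues beyond this hunk.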
@@ -2127,5 +2127,25 @@ describe Guardian do
 it 'returns true for trust_level_4 user' do
 expect(Guardian.new(trust_level_4).can_wiki?(post)).to be_truthy
 end
+
+ context 'post is older than post_edit_time_limit' do
+ let(:old_post) { build(:post, user: trust_level_2, created_at: 6.minutes.ago) }
+ before do
+ SiteSetting.min_trust_to_allow_self_wiki = 2
+ SiteSetting.post_edit_time_limit = 5
+ end
+
+ it 'returns false when user satisfies trust level and owns the post' do
+ expect(Guardian.new(trust_level_2).can_wiki?(old_post)).to be_falsey
+ end
+
+ it 'returns true for admin user' do
+ expect(Guardian.new(admin).can_wiki?(old_post)).to be_truthy
+ end
+
+ it 'returns true for trust_level_4 user' do
+ expect(Guardian.new(trust_level_4).can_wiki?(post)).to be_truthy
+ end
+ end
 end
 end
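Review bot: The new `'returns true for trust_level_4 user'` example inside the `post is older than post_edit_time_limit` context passes `post` (the one-minute-old fixture) instead of `old_post`, so it duplicates the example just above it and never verifies that TL4 bypasses the expired time limit; it should read `expect(Guardian.new(trust_level_4).can_wiki?(old_post)).to be_truthy`. The guardian change also denies self-wiki on hidden posts, but no example covers that branch; a sibling example with a hidden post owned by `trust_level_2` asserting `be_falsey` would pin it. The `'returns false when user satisfies trust level and owns the post'` example is the only one that actually exercises the new restriction, so it would be worth also asserting the positive case (a fresh post by the same user returns truthy) in this context to show the denial is caused by age rather than by the trust-level settings set in `before`.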