FIX: allows PM owner to remove any user if >= TL2 (#10036)

2020-06-12 12:54:28 +02:00 · 2020-06-12 12:54:28 +02:00 · 4b793a1072
parent 7211394e4d
commit 4b793a1072
2 changed files with 17 additions and 1 deletions
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@ -5,6 +5,7 @@ module TopicGuardian

  def can_remove_allowed_users?(topic, target_user = nil)
    is_staff? ||
+    (topic.user == user && user.has_trust_level?(TrustLevel[2])) ||
    (
      topic.allowed_users.count > 1 &&
      topic.user != target_user &&
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@ -3446,8 +3446,23 @@ describe Guardian do
      end
    end

+    context 'trust_level >= 2 user' do
+      fab!(:topic_creator) { build(:user, trust_level: 2) }
+      fab!(:topic) { Fabricate(:topic, user: topic_creator) }
+
+      before do
+        topic.allowed_users << topic_creator
+        topic.allowed_users << another_user
+      end
+
+      it 'should be true' do
+        expect(Guardian.new(topic_creator).can_remove_allowed_users?(topic))
+          .to eq(true)
+      end
+    end
+
    context 'normal user' do
-      fab!(:topic) { Fabricate(:topic, user: Fabricate(:user)) }
+      fab!(:topic) { Fabricate(:topic, user: Fabricate(:user, trust_level: 1)) }

      before do
        topic.allowed_users << user