FIX: Allow only groups with flairs to be selected (#13744)

It used the same permission check as for primary groups which is
wrong because not all groups that can be primary have a flair.
Bianca Nenciu 2021-07-21 14:41:04 +03:00 committed by GitHub
parent d9faae483d
commit 4da0a33524
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 1 deletions


@ -124,7 +124,7 @@ class UserUpdater
if attributes[:flair_group_id] &&
attributes[:flair_group_id] != user.flair_group_id &&
(attributes[:flair_group_id].blank? ||
guardian.can_use_primary_group?(user, attributes[:flair_group_id]))
guardian.can_use_flair_group?(user, attributes[:flair_group_id]))
user.flair_group_id = attributes[:flair_group_id]
end
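Review bot: No updater-level spec accompanies the swap to `guardian.can_use_flair_group?` here; the three changed files shown are the updater, the guardian and the guardian spec. The condition still drops a rejected `flair_group_id` silently, so a regression in this wiring would not surface as an error. An example in the `UserUpdater` spec asserting that `user.flair_group_id` stays unchanged when the requested group has no flair, or when the user is not a member, would pin that behaviour; such a spec may already exist outside this page. The enclosing method starts and ends outside the hunk.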


@ -323,6 +323,12 @@ class Guardian
(group ? !group.automatic : false)
end
def can_use_flair_group?(user, group_id = nil)
return false if !user || !group_id || !user.group_ids.include?(group_id.to_i)
flair_icon, flair_upload_id = Group.where(id: group_id.to_i).pluck_first(:flair_icon, :flair_upload_id)
flair_icon.present? || flair_upload_id.present?
end
def can_change_primary_group?(user)
user && is_staff?
end
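Review bot: `can_use_flair_group?` never consults the guardian's own user, only the `user` argument, so it answers "is this user a member of a group that has a flair" rather than "may the acting user change this user's flair". That is safe only while every caller has already authorised the edit, which the hunk does not state. A comment above the method such as `# Membership and flair check only; callers must authorise the acting user separately.` would stop it being reused as a standalone permission check. Unlike the tail of the preceding method, `(group ? !group.automatic : false)`, it also does not exclude automatic groups; if that is deliberate, the same comment should say so.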


@ -2692,6 +2692,33 @@ describe Guardian do
end
end
describe 'can_use_flair_group?' do
fab!(:group) { Fabricate(:group, title: 'Groupie', flair_icon: 'icon') }
it 'is false without a logged in user' do
expect(Guardian.new(nil).can_use_flair_group?(user)).to eq(false)
end
it 'is false if the group does not exist' do
expect(Guardian.new(user).can_use_flair_group?(user, nil)).to eq(false)
expect(Guardian.new(user).can_use_flair_group?(user, Group.last.id + 1)).to eq(false)
end
it 'is false if the user is not a part of the group' do
expect(Guardian.new(user).can_use_flair_group?(user, group.id)).to eq(false)
end
it 'is false if the group does not have a flair' do
group.update(flair_icon: nil)
expect(Guardian.new(user).can_use_flair_group?(user, group.id)).to eq(false)
end
it 'is true if the user is a part of the group and the group has a flair' do
user.update(groups: [group])
expect(Guardian.new(user).can_use_flair_group?(user, group.id)).to eq(true)
end
end
describe 'can_change_trust_level?' do
it 'is false without a logged in user' do
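Review bot: The first example, `it 'is false without a logged in user'`, does not exercise what its name says. `Guardian.new(nil).can_use_flair_group?(user)` omits the group id, so the result comes from the `!group_id` guard of the method as shown in the Guardian section, whatever user the guardian holds. Either rename it to `it 'is false without a group id'`, or call `can_use_flair_group?(nil, group.id)` so the `!user` branch is actually covered. The enclosing `describe Guardian` block starts and ends outside the hunk.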