Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

security fix, anon should not be treated as though they can create anything

This commit is contained in:
Sam 2013-10-13 09:54:48 +11:00
parent e5fbdde56f
commit 7df4e4afb9
2 changed files with 15 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
app/models/category.rb
View File

@ -50,11 +50,19 @@ class Category < ActiveRecord::Base
} }
scope :topic_create_allowed, ->(guardian) { scope :topic_create_allowed, ->(guardian) {
scoped_to_permissions(guardian, [:full]) if guardian.anonymous?
where("1=0")
else
scoped_to_permissions(guardian, [:full])
end
} }
scope :post_create_allowed, ->(guardian) { scope :post_create_allowed, ->(guardian) {
scoped_to_permissions(guardian, [:create_post, :full]) if guardian.anonymous?
where("1=0")
else
scoped_to_permissions(guardian, [:create_post, :full])
end
} }
delegate :post_template, to: 'self.class' delegate :post_template, to: 'self.class'

9
spec/models/category_spec.rb
View File

@ -67,14 +67,15 @@ describe Category do
can_post_category.save can_post_category.save
Category.post_create_allowed(guardian).count.should == 3 Category.post_create_allowed(guardian).count.should == 3
# anonymous has permission to create no topics
guardian = Guardian.new(nil)
Category.post_create_allowed(guardian).count.should == 0
end end
end end
describe "post_create_allowed" do
end
describe "security" do describe "security" do
let(:category) { Fabricate(:category) } let(:category) { Fabricate(:category) }
let(:category_2) { Fabricate(:category) } let(:category_2) { Fabricate(:category) }