security fix, anon should not be treated as though they can create anything

app/models/category.rb

@@ -50,11 +50,19 @@ class Category < ActiveRecord::Base
   }
 
   scope :topic_create_allowed, ->(guardian) {
+    if guardian.anonymous?
+      where("1=0")
+    else
       scoped_to_permissions(guardian, [:full])
+    end
   }
 
   scope :post_create_allowed, ->(guardian) {
+    if guardian.anonymous?
+      where("1=0")
+    else
       scoped_to_permissions(guardian, [:create_post, :full])
+    end
   }
   delegate :post_template, to: 'self.class'
 

spec/models/category_spec.rb

@@ -67,12 +67,13 @@ describe Category do
       can_post_category.save
 
       Category.post_create_allowed(guardian).count.should == 3
-    end
+
+      # anonymous has permission to create no topics
+      guardian = Guardian.new(nil)
+      Category.post_create_allowed(guardian).count.should == 0
 
     end
 
-  describe "post_create_allowed" do
-
   end
 
   describe "security" do