security fix, anon should not be treated as though they can create anything

2013-10-13 09:54:48 +11:00 · 2013-10-13 09:54:48 +11:00 · 7df4e4afb9
parent e5fbdde56f
commit 7df4e4afb9
2 changed files with 15 additions and 6 deletions
--- a/app/models/category.rb
+++ b/app/models/category.rb
@ -50,11 +50,19 @@ class Category < ActiveRecord::Base
  }

  scope :topic_create_allowed, ->(guardian) {
-    scoped_to_permissions(guardian, [:full])
+    if guardian.anonymous?
+      where("1=0")
+    else
+      scoped_to_permissions(guardian, [:full])
+    end
  }

  scope :post_create_allowed, ->(guardian) {
-    scoped_to_permissions(guardian, [:create_post, :full])
+    if guardian.anonymous?
+      where("1=0")
+    else
+      scoped_to_permissions(guardian, [:create_post, :full])
+    end
  }
  delegate :post_template, to: 'self.class'

--- a/spec/models/category_spec.rb
+++ b/spec/models/category_spec.rb
@ -67,14 +67,15 @@ describe Category do
      can_post_category.save

      Category.post_create_allowed(guardian).count.should == 3
+
+      # anonymous has permission to create no topics
+      guardian = Guardian.new(nil)
+      Category.post_create_allowed(guardian).count.should == 0
+
    end

  end

-  describe "post_create_allowed" do
-
-  end
-
  describe "security" do
    let(:category) { Fabricate(:category) }
    let(:category_2) { Fabricate(:category) }