FIX: use reviewer's guardian permissions to create post/topic while approve. (#19710)

We previously used the post creator's guardian permissions, which raised an error if the reviewer had added a staff-only (restricted) tag.

Co-authored-by: Natalie Tay <natalie.tay@discourse.org>
Vinoth Kannan 2023-01-05 19:31:37 +05:30 committed by GitHub
parent d5491b13f5
commit 7ecf4d12a9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 4 deletions


@ -74,13 +74,15 @@ class ReviewableQueuedPost < Reviewable
def perform_approve_post(performed_by, args) def perform_approve_post(performed_by, args)
created_post = nil created_post = nil
opts = create_options.merge(
creator = PostCreator.new(created_by, create_options.merge(
skip_validations: true, skip_validations: true,
skip_jobs: true, skip_jobs: true,
skip_events: true, skip_events: true,
skip_guardian: true skip_guardian: true
)) )
opts.merge!(guardian: Guardian.new(performed_by)) if performed_by.staff?
creator = PostCreator.new(created_by, opts)
created_post = creator.create created_post = creator.create
unless created_post && creator.errors.blank? unless created_post && creator.errors.blank?
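Review bot: The reviewer's guardian added at `opts.merge!(guardian: Guardian.new(performed_by)) if performed_by.staff?` applies to everything in the queued payload, not only to tags the reviewer added, so any restricted tag already present in the payload would presumably also pass on approval while the post is still attributed to `created_by`. Whether the payload's tags are filtered against the author's permissions when the post is queued is not visible in this hunk; if they are not, a spec that queues a post already carrying a staff-only tag and checks the approve outcome would pin the intended behaviour. The non-staff branch silently keeps the creator's guardian, and `skip_guardian: true` sits next to an explicit `guardian:`, so a comment such as `# Staff reviewers approve with their own guardian so restricted tags they add are accepted; other reviewers keep the author's permissions.` above the merge would record the intent. The body of `perform_approve_post` continues past the end of the hunk.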


@ -180,7 +180,21 @@ RSpec.describe ReviewableQueuedPost, type: :model do
expect(Post.count).to eq(post_count + 1) expect(Post.count).to eq(post_count + 1)
end end
it "creates the post and topic when rejected" do it "creates a topic with staff tag when approved" do
hidden_tag = Fabricate(:tag)
staff_tag_group = Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: [hidden_tag.name])
reviewable.payload['tags'] += [hidden_tag.name]
result = reviewable.perform(moderator, :approve_post)
expect(result.success?).to eq(true)
expect(result.created_post_topic).to be_present
expect(result.created_post_topic).to be_valid
expect(reviewable.topic_id).to eq(result.created_post_topic.id)
expect(result.created_post_topic.tags.pluck(:name)).to match_array(reviewable.payload['tags'])
end
it "does not create the post and topic when rejected" do
topic_count, post_count = Topic.count, Post.count topic_count, post_count = Topic.count, Post.count
result = reviewable.perform(moderator, :reject_post) result = reviewable.perform(moderator, :reject_post)