FIX: Restrict changing ownership to one topic

2016-06-17 14:14:52 -04:00 · 2016-06-17 14:14:52 -04:00 · 83e46cc302
parent 612e084595
commit 83e46cc302
2 changed files with 12 additions and 1 deletions
--- a/app/services/post_owner_changer.rb
+++ b/app/services/post_owner_changer.rb
@ -12,7 +12,8 @@ class PostOwnerChanger
  def change_owner!
    ActiveRecord::Base.transaction do
      @post_ids.each do |post_id|
-        post = Post.with_deleted.find(post_id)
+        post = Post.with_deleted.where(id: post_id, topic_id: @topic.id).first
+        next if post.blank?
        @topic.user = @new_owner if post.is_first_post?

        if post.user == nil
--- a/spec/services/post_owner_changer_spec.rb
+++ b/spec/services/post_owner_changer_spec.rb
@ -7,6 +7,7 @@ describe PostOwnerChanger do
    let(:user_a) { Fabricate(:user) }
    let(:p1) { Fabricate(:post, topic_id: topic.id) }
    let(:p2) { Fabricate(:post, topic_id: topic.id) }
+    let(:p3) { Fabricate(:post) }

    it "raises an error with a parameter missing" do
      expect {
@ -41,6 +42,15 @@ describe PostOwnerChanger do
      expect(p1.user).to eq(p2.user)
    end

+    it "ignores posts in other topics" do
+      described_class.new(post_ids: [p1.id, p3.id], topic_id: topic.id, new_owner: user_a, acting_user: editor).change_owner!
+      p1.reload; p3.reload
+      expect(p1.user).to eq(user_a)
+
+      expect(p3.topic_id).not_to eq(p1.topic_id)
+      expect(p2.user).not_to eq(user_a)
+    end
+
    context "integration tests" do
      let(:p1user) { p1.user }
      let(:p2user) { p2.user }