FIX: restrict moderators from creating/editing topics in readonly categories
In the past moderators had blanket access to all categories they were allowed to see. This tightens down the restriction.
This commit is contained in:
parent
6688dce2b8
commit
8ba57c0ffd
|
@ -90,7 +90,7 @@ class Category < ActiveRecord::Base
|
|||
end
|
||||
|
||||
def self.scoped_to_permissions(guardian, permission_types)
|
||||
if guardian && guardian.is_staff?
|
||||
if guardian && guardian.is_admin?
|
||||
all
|
||||
elsif !guardian || guardian.anonymous?
|
||||
if permission_types.include?(:readonly)
|
||||
|
|
|
@ -73,6 +73,7 @@ module PostGuardian
|
|||
|
||||
# Creating Method
|
||||
def can_create_post?(parent)
|
||||
|
||||
(!SpamRule::AutoBlock.block?(@user) || (!!parent.try(:private_message?) && parent.allowed_users.include?(@user))) && (
|
||||
!parent ||
|
||||
!parent.category ||
|
||||
|
@ -86,8 +87,10 @@ module PostGuardian
|
|||
return false
|
||||
end
|
||||
|
||||
return true if is_admin?
|
||||
|
||||
if is_staff? || @user.has_trust_level?(TrustLevel[4])
|
||||
return true
|
||||
return can_create_post?(post.topic)
|
||||
end
|
||||
|
||||
if post.topic.archived? || post.user_deleted || post.deleted_at
|
||||
|
|
|
@ -21,17 +21,24 @@ module TopicGuardian
|
|||
def can_create_post_on_topic?(topic)
|
||||
# No users can create posts on deleted topics
|
||||
return false if topic.trashed?
|
||||
return true if is_admin?
|
||||
|
||||
is_staff? || (authenticated? && user.has_trust_level?(TrustLevel[4])) || (not(topic.closed? || topic.archived? || topic.trashed?) && can_create_post?(topic))
|
||||
trusted = (authenticated? && user.has_trust_level?(TrustLevel[4])) || is_moderator?
|
||||
|
||||
(!(topic.closed? || topic.archived?) || trusted) && can_create_post?(topic)
|
||||
end
|
||||
|
||||
# Editing Method
|
||||
def can_edit_topic?(topic)
|
||||
return false if Discourse.static_doc_topic_ids.include?(topic.id) && !is_admin?
|
||||
return false unless can_see?(topic)
|
||||
return true if is_staff?
|
||||
|
||||
return true if is_admin?
|
||||
return true if is_moderator? && can_create_post?(topic)
|
||||
|
||||
# TL4 users can edit archived topics, but can not edit private messages
|
||||
return true if (topic.archived && !topic.private_message? && user.has_trust_level?(TrustLevel[4]) && can_create_post?(topic))
|
||||
|
||||
# TL3 users can not edit archived topics and private messages
|
||||
return true if (!topic.archived && !topic.private_message? && user.has_trust_level?(TrustLevel[3]) && can_create_post?(topic))
|
||||
|
||||
|
|
|
@ -621,6 +621,14 @@ describe Guardian do
|
|||
end
|
||||
|
||||
describe 'a Topic' do
|
||||
it 'does not allow moderators to create topics in readonly categories' do
|
||||
category = Fabricate(:category)
|
||||
category.set_permissions(:everyone => :read)
|
||||
category.save
|
||||
|
||||
expect(Guardian.new(moderator).can_create?(Topic,category)).to be_falsey
|
||||
end
|
||||
|
||||
it 'should check for full permissions' do
|
||||
category = Fabricate(:category)
|
||||
category.set_permissions(:everyone => :create_post)
|
||||
|
@ -655,6 +663,7 @@ describe Guardian do
|
|||
category.save
|
||||
|
||||
expect(Guardian.new(topic.user).can_create?(Post, topic)).to be_falsey
|
||||
expect(Guardian.new(moderator).can_create?(Post, topic)).to be_falsey
|
||||
end
|
||||
|
||||
it "is false when not logged in" do
|
||||
|
@ -1042,6 +1051,11 @@ describe Guardian do
|
|||
topic.category.save
|
||||
|
||||
expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(false)
|
||||
|
||||
expect(Guardian.new(admin).can_edit?(topic)).to eq(true)
|
||||
|
||||
expect(Guardian.new(moderator).can_edit?(post)).to eq(false)
|
||||
expect(Guardian.new(moderator).can_edit?(topic)).to eq(false)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue