FIX: users can see the raw email source of their own posts
This commit is contained in:
parent
fe541891fc
commit
a036ac7bdc
|
@ -31,8 +31,8 @@ class PostsController < ApplicationController
|
|||
end
|
||||
|
||||
def raw_email
|
||||
guardian.ensure_can_view_raw_email!
|
||||
post = Post.find(params[:id].to_i)
|
||||
guardian.ensure_can_view_raw_email!(post)
|
||||
render json: {raw_email: post.raw_email}
|
||||
end
|
||||
|
||||
|
|
|
@ -180,8 +180,8 @@ module PostGuardian
|
|||
is_staff?
|
||||
end
|
||||
|
||||
def can_view_raw_email?
|
||||
is_staff?
|
||||
def can_view_raw_email?(post)
|
||||
post && (is_staff? || post.user_id == @user.id)
|
||||
end
|
||||
|
||||
def can_unhide?(post)
|
||||
|
|
|
@ -72,8 +72,8 @@ describe PostsController do
|
|||
include_examples "action requires login", :get, :raw_email, id: 2
|
||||
|
||||
describe "when logged in" do
|
||||
let(:user) {log_in}
|
||||
let(:post) {Fabricate(:post, user: user, raw_email: 'email_content')}
|
||||
let(:user) { log_in }
|
||||
let(:post) { Fabricate(:post, user: user, raw_email: 'email_content') }
|
||||
|
||||
it "raises an error if the user doesn't have permission to view raw email" do
|
||||
Guardian.any_instance.expects(:can_view_raw_email?).returns(false)
|
||||
|
@ -90,7 +90,6 @@ describe PostsController do
|
|||
|
||||
response.should be_success
|
||||
json = ::JSON.parse(response.body)
|
||||
json.should be_present
|
||||
json['raw_email'].should == 'email_content'
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue