FIX: users can see the raw email source of their own posts

This commit is contained in:
Régis Hanol 2014-11-12 14:49:42 +01:00
parent fe541891fc
commit a036ac7bdc
3 changed files with 5 additions and 6 deletions

View File

@ -31,8 +31,8 @@ class PostsController < ApplicationController
end
def raw_email
guardian.ensure_can_view_raw_email!
post = Post.find(params[:id].to_i)
guardian.ensure_can_view_raw_email!(post)
render json: {raw_email: post.raw_email}
end

View File

@ -180,8 +180,8 @@ module PostGuardian
is_staff?
end
def can_view_raw_email?
is_staff?
def can_view_raw_email?(post)
post && (is_staff? || post.user_id == @user.id)
end
def can_unhide?(post)

View File

@ -72,8 +72,8 @@ describe PostsController do
include_examples "action requires login", :get, :raw_email, id: 2
describe "when logged in" do
let(:user) {log_in}
let(:post) {Fabricate(:post, user: user, raw_email: 'email_content')}
let(:user) { log_in }
let(:post) { Fabricate(:post, user: user, raw_email: 'email_content') }
it "raises an error if the user doesn't have permission to view raw email" do
Guardian.any_instance.expects(:can_view_raw_email?).returns(false)
@ -90,7 +90,6 @@ describe PostsController do
response.should be_success
json = ::JSON.parse(response.body)
json.should be_present
json['raw_email'].should == 'email_content'
end