FIX: users can see the raw email source of their own posts

2014-11-12 14:49:42 +01:00 · 2014-11-12 14:49:42 +01:00 · a036ac7bdc
parent fe541891fc
commit a036ac7bdc
3 changed files with 5 additions and 6 deletions
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -31,8 +31,8 @@ class PostsController < ApplicationController
  end

  def raw_email
-    guardian.ensure_can_view_raw_email!
    post = Post.find(params[:id].to_i)
+    guardian.ensure_can_view_raw_email!(post)
    render json: {raw_email: post.raw_email}
  end

--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@ -180,8 +180,8 @@ module PostGuardian
    is_staff?
  end

-  def can_view_raw_email?
-    is_staff?
+  def can_view_raw_email?(post)
+    post && (is_staff? || post.user_id == @user.id)
  end

  def can_unhide?(post)
--- a/spec/controllers/posts_controller_spec.rb
+++ b/spec/controllers/posts_controller_spec.rb
@ -90,7 +90,6 @@ describe PostsController do

        response.should be_success
        json = ::JSON.parse(response.body)
-        json.should be_present
        json['raw_email'].should == 'email_content'
      end