BUGFIX: make sure moderators can't view topics they aren't allowed to

2014-02-07 07:08:56 -08:00 · 2014-02-07 07:08:56 -08:00 · cef2d8dc82
parent cfa5882035
commit cef2d8dc82
2 changed files with 6 additions and 4 deletions
--- a/lib/topic_query.rb
+++ b/lib/topic_query.rb
@ -265,7 +265,7 @@ class TopicQuery
      end

      guardian = Guardian.new(@user)
-      unless guardian.is_staff?
+      if !guardian.is_admin?
        allowed_ids = guardian.allowed_category_ids
        if allowed_ids.length > 0
          result = result.where('topics.category_id IS NULL or topics.category_id IN (?)', allowed_ids)
--- a/spec/components/topic_query_spec.rb
+++ b/spec/components/topic_query_spec.rb
@ -8,7 +8,7 @@ describe TopicQuery do
  let(:topic_query) { TopicQuery.new(user) }

  let(:moderator) { Fabricate(:moderator) }
-  let(:admin) { Fabricate(:moderator) }
+  let(:admin) { Fabricate(:admin) }


  context 'secure category' do
@ -27,8 +27,10 @@ describe TopicQuery do
      Topic.top_viewed(10).count.should == 0
      Topic.recent(10).count.should == 0

-      # mods can see every group and hidden topics
-      TopicQuery.new(moderator).list_latest.topics.count.should == 2
+      # mods can see hidden topics
+      TopicQuery.new(moderator).list_latest.topics.count.should == 1
+      # admins can see all the topics
+      TopicQuery.new(admin).list_latest.topics.count.should == 2

      group.add(user)
      group.save