FIX: only staff can banner topics

2019-04-02 12:38:15 +05:30 · 2019-04-02 12:38:15 +05:30 · d68d29f37a
parent d85240335b
commit d68d29f37a
4 changed files with 40 additions and 34 deletions
--- a/app/assets/javascripts/discourse/templates/modal/feature-topic.hbs
+++ b/app/assets/javascripts/discourse/templates/modal/feature-topic.hbs
@ -110,6 +110,7 @@
      </div>
    </div>
  {{/if}}
+  {{#if currentUser.staff}}
    <hr>
    <div class="feature-section">
      <div class="desc">
@ -141,6 +142,7 @@
        </p>
      </div>
    </div>
+  {{/if}}
 {{/d-modal-body}}
 <div class="modal-footer">
  {{d-modal-cancel close=(route-action "closeModal")}}
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@ -408,7 +408,7 @@ class TopicsController < ApplicationController

  def make_banner
    topic = Topic.find_by(id: params[:topic_id].to_i)
-    guardian.ensure_can_moderate!(topic)
+    guardian.ensure_can_banner_topic!(topic)

    topic.make_banner!(current_user)

@ -417,7 +417,7 @@ class TopicsController < ApplicationController

  def remove_banner
    topic = Topic.find_by(id: params[:topic_id].to_i)
-    guardian.ensure_can_moderate!(topic)
+    guardian.ensure_can_banner_topic!(topic)

    topic.remove_banner!(current_user)

--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@ -154,4 +154,8 @@ module TopicGuardian
  def can_update_bumped_at?
    is_staff? || @user.has_trust_level?(TrustLevel[4])
  end
+
+  def can_banner_topic?(topic)
+    authenticated? && !topic.private_message? && is_staff?
+  end
 end
--- a/spec/requests/topics_controller_spec.rb
+++ b/spec/requests/topics_controller_spec.rb
@ -1907,8 +1907,8 @@ RSpec.describe TopicsController do

  describe '#make_banner' do
    it 'needs you to be a staff member' do
-      sign_in(Fabricate(:user))
-      put "/t/99/make-banner.json"
+      topic = Fabricate(:topic, user: sign_in(Fabricate(:trust_level_4)))
+      put "/t/#{topic.id}/make-banner.json"
      expect(response).to be_forbidden
    end

@ -1926,8 +1926,8 @@ RSpec.describe TopicsController do

  describe '#remove_banner' do
    it 'needs you to be a staff member' do
-      sign_in(Fabricate(:user))
-      put "/t/99/remove-banner.json"
+      topic = Fabricate(:topic, user: sign_in(Fabricate(:trust_level_4)), archetype: Archetype.banner)
+      put "/t/#{topic.id}/remove-banner.json"
      expect(response).to be_forbidden
    end