From dfdc54957cab9f5ad0ae696b91930293d20fa2b5 Mon Sep 17 00:00:00 2001 From: Guo Xiang Tan Date: Mon, 20 Jun 2016 15:41:17 +0800 Subject: [PATCH] FIX: A blocked user should not be able to moderate anything. --- lib/guardian.rb | 9 +++++++-- spec/components/guardian_spec.rb | 8 ++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/lib/guardian.rb b/lib/guardian.rb index 1be5533c5b8..8f4593943c8 100644 --- a/lib/guardian.rb +++ b/lib/guardian.rb @@ -25,6 +25,7 @@ class Guardian def moderator?; false; end def approved?; false; end def staged?; false; end + def blocked?; false; end def secure_category_ids; []; end def topic_create_allowed_category_ids; []; end def has_trust_level?(level); false; end @@ -62,6 +63,10 @@ class Guardian @user.moderator? end + def is_blocked? + @user.blocked? + end + def is_developer? @user && is_admin? && @@ -112,7 +117,7 @@ class Guardian end def can_moderate?(obj) - obj && authenticated? && (is_staff? || (obj.is_a?(Topic) && @user.has_trust_level?(TrustLevel[4]))) + obj && authenticated? && !is_blocked? && (is_staff? || (obj.is_a?(Topic) && @user.has_trust_level?(TrustLevel[4]))) end alias :can_move_posts? :can_moderate? alias :can_see_flags? :can_moderate? @@ -269,7 +274,7 @@ class Guardian # Can't send PMs to suspended users (is_staff? || target.is_a?(Group) || !target.suspended?) && # Blocked users can only send PM to staff - (!@user.blocked? || target.staff?) + (!is_blocked? || target.staff?) end def can_see_emails? diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb index 3346b97aa3f..35f9108eb77 100644 --- a/spec/components/guardian_spec.rb +++ b/spec/components/guardian_spec.rb 
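Review bot: In the `can_moderate?` hunk the new `!is_blocked?` term sits ahead of `is_staff?`, so a blocked admin or moderator is now refused as well, and the two aliases visible below it (`can_move_posts?`, `can_see_flags?`) inherit that, yet nothing on the method says so. A one-line comment above the method would keep a later edit from reordering or dropping the term, for example `# Blocked accounts never moderate, staff and TL4 included; can_move_posts? and can_see_flags? alias this.` The guard only reaches callers that go through `can_moderate?`. Permission methods that test `is_staff?` or a trust level directly are outside this hunk and may still pass for a blocked account, so they are worth checking against the commit's stated intent.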
@@ -1208,6 +1208,14 @@ describe Guardian do expect(Guardian.new(user).can_moderate?(nil)).to be_falsey end + context 'when user is blocked' do + it 'returns false' do + user.toggle!(:blocked) + expect(Guardian.new(user).can_moderate?(post)).to be(false) + expect(Guardian.new(user).can_moderate?(topic)).to be(false) + end + end + context 'a Topic' do it 'returns false when not logged in' do
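Review bot: The new example may not exercise the `!is_blocked?` guard at all, because `user` is defined outside this hunk. If it is an ordinary non-staff account below trust level 4, `can_moderate?` already returned `false` for a post or a topic before this commit, so the spec would pass with the fix reverted. Block an account that would otherwise be allowed (a staff user for `post`, a trust-level-4 user for `topic`) and assert `false` for each, e.g. `expect(Guardian.new(blocked_staff_user).can_moderate?(post)).to be(false)`, where `blocked_staff_user` is a placeholder for whichever staff fixture the spec already defines. The enclosing `describe` block starts and ends outside the hunk.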