FIX: moderators can't see private topics that they aren't invited to see.
parent
447cfa8dfe
commit
e68e97d986
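--- a/PATH-NOT-SHOWN-ON-PAGE (class PostAction)
+++ b/PATH-NOT-SHOWN-ON-PAGE (class PostAction)
@@ -96,9 +96,15 @@ class PostAction < ActiveRecord::Base
 
 return unless opts[:message] && [:notify_moderators, :notify_user].include?(post_action_type)
 
-# this is a hack to allow a PM with no reciepients, we should think through
-# a cleaner technique, a PM with myself is valid for flagging
-target_usernames = post_action_type == :notify_user ? post.user.username : "x"
+target_usernames = if post_action_type == :notify_user
+post.user.username
+elsif post_action_type == :notify_moderators
+User.moderators.pluck(:username)
+else
+# this is a hack to allow a PM with no reciepients, we should think through
+# a cleaner technique, a PM with myself is valid for flagging
+'x'
+end
 
 title = I18n.t("post_action_types.#{post_action_type}.email_title",
 title: post.topic.title)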
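Review bot: The three arms of the new `target_usernames` conditional yield different types — a String from `post.user.username`, an Array from `User.moderators.pluck(:username)`, and the String `'x'` — so whatever consumes `target_usernames` further down (the method continues past the hunk) must accept both shapes; either normalize here with `Array(...)` or add a comment on the `if` line saying the consumer takes a single username or a list. The `'x'` fallback is presumably resolved as a username downstream, so if an account with that name exists it would be added to every PM that reaches the `else` branch — that hazard predates this commit but the restructuring is the moment to comment on it or guard against it. Because the moderator list is captured when the flag is raised, moderators promoted afterwards are not on the PM and, after this commit, cannot see it; the `elsif` branch deserves a comment stating that. The comment typo `reciepients` is carried over from the removed lines as well.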
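--- a/PATH-NOT-SHOWN-ON-PAGE (module TopicGuardian)
+++ b/PATH-NOT-SHOWN-ON-PAGE (module TopicGuardian)
@@ -46,7 +46,7 @@ module TopicGuardian
 
 def can_see_topic?(topic)
 return false unless topic
-return true if is_staff?
+return true if is_admin?
 return false if topic.deleted_at
 
 # NOTE
@@ -56,7 +56,7 @@ module TopicGuardian
 # not secure, or I can see it
 (not(topic.read_restricted_category?) || can_see_category?(topic.category)) &&
 # not private, or I am allowed (or is staff)
-(not(topic.private_message?) || (authenticated? && (is_staff? || topic.all_allowed_users.where(id: @user.id).exists?)))
+(not(topic.private_message?) || (authenticated? && (is_admin? || topic.all_allowed_users.where(id: @user.id).exists?)))
 
 end
 end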
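Review bot: Changing the early `return true if is_staff?` to `is_admin?` also gates deleted topics and read-restricted categories on admin rather than staff, which is broader than the commit title's "private topics"; if only the private-message check was meant to change, keep `return true if is_staff?` on that line and narrow only the `private_message?` clause in the second hunk, otherwise the wider effect should be documented where moderator permissions are described. The comment above the private-message clause still reads `# not private, or I am allowed (or is staff)` and now contradicts the code; it should become `# not private, or I am allowed (or is admin)`. `can_see_topic?` spans both hunks, and the lines between `# NOTE` and `# not secure, or I can see it` are outside the view.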
@ -301,6 +301,15 @@ describe Guardian do
|
||||||
|
|
||||||
Guardian.new(user).can_see?(topic).should be_true
|
Guardian.new(user).can_see?(topic).should be_true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "restricts private topics" do
|
||||||
|
user.save!
|
||||||
|
private_topic = Fabricate(:private_message_topic, user: user)
|
||||||
|
Guardian.new(private_topic.user).can_see?(private_topic).should be_true
|
||||||
|
Guardian.new(build(:user)).can_see?(private_topic).should be_false
|
||||||
|
Guardian.new(moderator).can_see?(private_topic).should be_false
|
||||||
|
Guardian.new(admin).can_see?(private_topic).should be_true
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'a Post' do
|
describe 'a Post' do
|
||||||
|
|
|
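Review bot: The new example asserts that an uninvited moderator cannot see the private topic but never asserts the positive case the rest of this commit relies on — a moderator who has been added to the topic's allowed users can see it. Adding the moderator through the topic's allowed-users association (the PostCreator spec on this page reads `topic_allowed_users` for that purpose) and then asserting `Guardian.new(moderator).can_see?(private_topic).should be_true` would pin that behaviour. `Guardian.new(build(:user))` also passes an unsaved user, so that expectation may hold because the user has no id rather than because it lacks an invitation; `Fabricate(:user)` would remove the ambiguity. The surrounding `describe` block starts before the hunk.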
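--- a/PATH-NOT-SHOWN-ON-PAGE (describe PostCreator)
+++ b/PATH-NOT-SHOWN-ON-PAGE (describe PostCreator)
@@ -338,13 +338,13 @@ describe PostCreator do
 unrelated.notifications.count.should == 0
 post.topic.subtype.should == TopicSubtype.user_to_user
 
-# if a mod replies they should be added to the allowed user list
-mod = Fabricate(:moderator)
-PostCreator.create(mod, raw: 'hi there welcome topic, I am a mod',
+# if an admin replies they should be added to the allowed user list
+admin = Fabricate(:admin)
+PostCreator.create(admin, raw: 'hi there welcome topic, I am a mod',
 topic_id: post.topic_id)
 
 post.topic.reload
-post.topic.topic_allowed_users.where(user_id: mod.id).count.should == 1
+post.topic.topic_allowed_users.where(user_id: admin.id).count.should == 1
 end
 end
 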
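Review bot: Swapping `mod` for `admin` removes the only coverage of a moderator replying to a user-to-user PM without recording why; now that moderators cannot see uninvited private topics, an explicit expectation for that case — either that the moderator's reply is refused, or that a moderator who was invited first is added to the allowed users — would document the intended behaviour instead of leaving it untested. The raw text `'hi there welcome topic, I am a mod'` is now posted by an admin, which is harmless but reads oddly beside the renamed comment. The enclosing example begins before the hunk.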
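--- a/PATH-NOT-SHOWN-ON-PAGE (describe TopicView)
+++ b/PATH-NOT-SHOWN-ON-PAGE (describe TopicView)
@@ -19,10 +19,10 @@ describe TopicView do
 end
 
 it "handles deleted topics" do
-topic.trash!(coding_horror)
-lambda { TopicView.new(topic.id, coding_horror) }.should raise_error(Discourse::NotFound)
-coding_horror.stubs(:staff?).returns(true)
-lambda { TopicView.new(topic.id, coding_horror) }.should_not raise_error
+admin = Fabricate(:admin)
+topic.trash!(admin)
+lambda { TopicView.new(topic.id, Fabricate(:user)) }.should raise_error(Discourse::NotFound)
+lambda { TopicView.new(topic.id, admin) }.should_not raise_error
 end
 
 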
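Review bot: The rewritten example now shows only that a plain user gets `Discourse::NotFound` on a trashed topic and an admin does not; the staff case the old `stubs(:staff?)` covered is gone, and with the guardian's early return now keyed on `is_admin?` a moderator presumably also gets `NotFound` here. One more line, `lambda { TopicView.new(topic.id, Fabricate(:moderator)) }.should raise_error(Discourse::NotFound)`, would make that change in behaviour explicit and catch a regression in either direction.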
@ -29,6 +29,11 @@ describe PostAction do
|
||||||
action.related_post_id.should == posts[0].id.to_i
|
action.related_post_id.should == posts[0].id.to_i
|
||||||
posts[0].subtype.should == TopicSubtype.notify_moderators
|
posts[0].subtype.should == TopicSubtype.notify_moderators
|
||||||
|
|
||||||
|
# Moderators should be invited to the private topic, otherwise they're not permitted to see it
|
||||||
|
topic_user_ids = posts[0].topic.topic_users.map {|x| x.user_id}
|
||||||
|
topic_user_ids.should include(codinghorror.id)
|
||||||
|
topic_user_ids.should include(mod.id)
|
||||||
|
|
||||||
# reply to PM should clear flag
|
# reply to PM should clear flag
|
||||||
p = PostCreator.new(mod, topic_id: posts[0].topic_id, raw: "This is my test reply to the user, it should clear flags")
|
p = PostCreator.new(mod, topic_id: posts[0].topic_id, raw: "This is my test reply to the user, it should clear flags")
|
||||||
p.create
|
p.create
|
||||||
|
|
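Review bot: The new assertions inspect `posts[0].topic.topic_users`, but the guardian change in this commit decides visibility from `topic.all_allowed_users`; if `topic_users` tracks reading or notification state rather than the invite list, the test can pass while a moderator still cannot open the flag PM. Asserting visibility directly, `Guardian.new(mod).can_see?(posts[0].topic).should be_true`, ties the spec to what the commit title promises, and the same line for `codinghorror` covers the flagging user. The enclosing example starts before the hunk.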