From f9069c350f8e5e632bf5d45b101e754fd5db5002 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Thu, 30 Apr 2015 17:03:51 -0400
Subject: [PATCH] FIX: Permission issues when editing topics

If a user can't create a topic in a category, they should'be be able to edit topics.
---
 lib/guardian/topic_guardian.rb | 4 +++-
 spec/components/guardian_spec.rb | 8 +++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/guardian/topic_guardian.rb b/lib/guardian/topic_guardian.rb
index 334c7a50217..6543208b53a 100644
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@@ -29,7 +29,9 @@ module TopicGuardian
 def can_edit_topic?(topic)
 return false if Discourse.static_doc_topic_ids.include?(topic.id) && !is_admin?
 return false unless can_see?(topic)
- return true if is_staff? || (!topic.private_message? && user.has_trust_level?(TrustLevel[3]))
+ return true if is_staff?
+ return true if (!topic.private_message? && user.has_trust_level?(TrustLevel[3]) && can_create_post?(topic))
+ return false if topic.archived
 is_my_own?(topic) && !topic.edit_time_limit_expired?
 end
diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb
index 1e975d3e338..fa9bf066276 100644
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@@ -530,7 +530,6 @@ describe Guardian do
 category.save
 expect(Guardian.new(topic.user).can_create?(Post, topic)).to be_falsey
-
 end
 it "is false when not logged in" do
@@ -889,6 +888,13 @@ describe Guardian do
 it 'returns true at trust level 3' do
 expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(true)
 end
+
+ it "returns false when the category is read only" do
+ topic.category.set_permissions(everyone: :readonly)
+ topic.category.save
+
+ expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(false)
+ end
 end
 context 'private message' do
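Review bot: In `can_edit_topic?` (lib/guardian/topic_guardian.rb) the new `can_create_post?(topic)` gate is applied only to the trust-level-3 branch; the last line, `is_my_own?(topic) && !topic.edit_time_limit_expired?`, is unchanged, so a topic's author would apparently still be allowed to edit inside the time limit when the category is read-only for them. If the rule in the commit message is meant to hold for every non-staff user, the last line could read `is_my_own?(topic) && !topic.edit_time_limit_expired? && can_create_post?(topic)`. The message speaks of creating a topic while the check is for posting in the topic; `can_create_post?` is defined outside this hunk, so confirm the two permissions coincide for categories that allow replies but not new topics.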
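Review bot: The example added to the trust-level-3 context of spec/components/guardian_spec.rb pins only one path through the edit check under a read-only category. An example for the topic's own author (`Guardian.new(topic.user).can_edit?(topic)`) and one for a staff user, both under the same `set_permissions(everyone: :readonly)` setup, would document which roles the restriction is meant to reach and which it deliberately skips. The enclosing `describe` and `context` blocks start outside the hunk, so the fixtures available for these cases are not visible here.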