BUGFIX: could not see the revisions of a post in a deleted topic

2014-05-12 16:30:10 +02:00 · 2014-05-12 16:30:10 +02:00 · fca6738212
parent 312bc6bff9
commit fca6738212
5 changed files with 34 additions and 20 deletions
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -192,7 +192,6 @@ class PostsController < ApplicationController

  def revisions
    post_revision = find_post_revision_from_params
-    guardian.ensure_can_see!(post_revision)
    post_revision_serializer = PostRevisionSerializer.new(post_revision, scope: guardian, root: false)
    render_json_dump(post_revision_serializer)
  end
@ -302,6 +301,8 @@ class PostsController < ApplicationController
    # Include deleted posts if the user is staff
    finder = finder.with_deleted if current_user.try(:staff?)
    post = finder.first
+    # load deleted topic
+    post.topic = Topic.with_deleted.find(post.topic_id) if current_user.try(:staff?)
    guardian.ensure_can_see!(post)
    post
  end
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@ -8,7 +8,7 @@ require_dependency 'guardian/user_guardian'
 class Guardian
  include EnsureMagic
  include CategoryGuardian
-  include PostGuardain
+  include PostGuardian
  include TopicGuardian
  include UserGuardian

@ -23,6 +23,7 @@ class Guardian
    def has_trust_level?(level); false; end
    def email; nil; end
  end
+
  def initialize(user=nil)
    @user = user.presence || AnonymousUser.new
  end
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@ -1,9 +1,8 @@
 #mixin for all guardian methods dealing with post permissions
-module PostGuardain
+module PostGuardian
  # Can the user act on the post in a particular way.
  #  taken_actions = the list of actions the user has already taken
  def post_can_act?(post, action_key, opts={})
-
    taken = opts[:taken_actions].try(:keys).to_a
    is_flag = PostActionType.is_flag?(action_key)
    already_taken_this_action = taken.any? && taken.include?(PostActionType.types[action_key])
@ -110,16 +109,17 @@ module PostGuardain
  end

  def can_see_post_revision?(post_revision)
-    return false if post_revision.nil?
+    return false unless post_revision
    can_view_post_revisions?(post_revision.post)
  end

  def can_view_post_revisions?(post)
-    return false if post.nil?
+    return false unless post
    return true if SiteSetting.edit_history_visible_to_public && !post.hidden
+
    authenticated? &&
-      (is_staff? || @user.has_trust_level?(:elder) || @user.id == post.user_id) &&
-      can_see_post?(post)
+    (is_staff? || @user.has_trust_level?(:elder) || @user.id == post.user_id) &&
+    can_see_post?(post)
  end

  def can_vote?(post, opts={})
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@ -45,20 +45,18 @@ module TopicGuardian
  end

  def can_see_topic?(topic)
-    if topic
-      is_staff? ||
+    return false unless topic
+    return true if is_staff?
+    return false if topic.deleted_at

-      topic.deleted_at.nil? &&
+    # NOTE
+    # At the moment staff can see PMs, there is some talk of restricting this, however
+    # we still need to allow staff to join PMs for the case of flagging ones

-      # not secure, or I can see it
-      (not(topic.read_restricted_category?) || can_see_category?(topic.category)) &&
+    # not secure, or I can see it
+    (not(topic.read_restricted_category?) || can_see_category?(topic.category)) &&
+    # not private, or I am allowed (or is staff)
+    (not(topic.private_message?) || (authenticated? && (is_staff? || topic.all_allowed_users.where(id: @user.id).exists?)))

-      # NOTE
-      # At the moment staff can see PMs, there is some talk of restricting this, however
-      # we still need to allow staff to join PMs for the case of flagging ones
-
-      # not private, or I am allowed (or is staff)
-      (not(topic.private_message?) || authenticated? && (topic.all_allowed_users.where(id: @user.id).exists? || is_staff?))
-    end
  end
 end
--- a/spec/controllers/posts_controller_spec.rb
+++ b/spec/controllers/posts_controller_spec.rb
@ -508,6 +508,20 @@ describe PostsController do
      end
    end

+    context "deleted topic" do
+      let(:admin) { log_in(:admin) }
+      let(:deleted_topic) { Fabricate(:topic, user: admin) }
+      let(:post) { Fabricate(:post, user: admin, topic: deleted_topic) }
+      let(:post_revision) { Fabricate(:post_revision, user: admin, post: post) }
+
+      before { deleted_topic.trash!(admin) }
+
+      it "also work on deleted topic" do
+        xhr :get, :revisions, post_id: post_revision.post_id, revision: post_revision.number
+        response.should be_success
+      end
+    end
+
  end

  describe 'expandable embedded posts' do