BUGFIX: could not see the revisions of a post in a deleted topic

Régis Hanol 2014-05-12 16:30:10 +02:00
parent 312bc6bff9
commit fca6738212
5 changed files with 34 additions and 20 deletions


@ -192,7 +192,6 @@ class PostsController < ApplicationController
def revisions
post_revision = find_post_revision_from_params
guardian.ensure_can_see!(post_revision)
post_revision_serializer = PostRevisionSerializer.new(post_revision, scope: guardian, root: false)
render_json_dump(post_revision_serializer)
end
@ -302,6 +301,8 @@ class PostsController < ApplicationController
# Include deleted posts if the user is staff
finder = finder.with_deleted if current_user.try(:staff?)
post = finder.first
# load deleted topic
post.topic = Topic.with_deleted.find(post.topic_id) if current_user.try(:staff?)
guardian.ensure_can_see!(post)
post
end
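Review bot: `post.topic = Topic.with_deleted.find(post.topic_id) if current_user.try(:staff?)` runs before anything checks that `finder.first` returned a record, so a staff request for an unknown post id now raises NoMethodError on nil instead of falling through to `guardian.ensure_can_see!(post)`. Guarding the assignment, `post.topic = Topic.with_deleted.find(post.topic_id) if post && current_user.try(:staff?)`, keeps the previous failure path; `current_user.try(:staff?)` is also evaluated twice in a row and could be hoisted into a local above the `with_deleted` line. `Topic.with_deleted.find` will presumably raise ActiveRecord::RecordNotFound if the topic row is gone entirely, which is a different outcome from the guardian's access denial and deserves a comment stating that it is intended. The enclosing method starts outside the hunk.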


@ -8,7 +8,7 @@ require_dependency 'guardian/user_guardian'
class Guardian
include EnsureMagic
include CategoryGuardian
include PostGuardain
include PostGuardian
include TopicGuardian
include UserGuardian
@ -23,6 +23,7 @@ class Guardian
def has_trust_level?(level); false; end
def email; nil; end
end
def initialize(user=nil)
@user = user.presence || AnonymousUser.new
end


@ -1,9 +1,8 @@
#mixin for all guardian methods dealing with post permissions
module PostGuardain
module PostGuardian
# Can the user act on the post in a particular way.
# taken_actions = the list of actions the user has already taken
def post_can_act?(post, action_key, opts={})
taken = opts[:taken_actions].try(:keys).to_a
is_flag = PostActionType.is_flag?(action_key)
already_taken_this_action = taken.any? && taken.include?(PostActionType.types[action_key])
@ -110,13 +109,14 @@ module PostGuardain
end
def can_see_post_revision?(post_revision)
return false if post_revision.nil?
return false unless post_revision
can_view_post_revisions?(post_revision.post)
end
def can_view_post_revisions?(post)
return false if post.nil?
return false unless post
return true if SiteSetting.edit_history_visible_to_public && !post.hidden
authenticated? &&
(is_staff? || @user.has_trust_level?(:elder) || @user.id == post.user_id) &&
can_see_post?(post)
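Review bot: In `can_view_post_revisions?`, the early `return true if SiteSetting.edit_history_visible_to_public && !post.hidden` answers before `can_see_post?(post)` is consulted, so with that setting on the revisions of a post the viewer could not otherwise see (a post in a deleted topic or a read-restricted category, judging by what `can_see_topic?` checks elsewhere in this commit) are presumably still served. If the setting is only meant to relax the staff/trust-level/author requirement, `return can_see_post?(post) if SiteSetting.edit_history_visible_to_public && !post.hidden` keeps the visibility check on that path. The `nil?` to `unless` rewrites on the two guard lines are fine; a one-line comment on why `hidden` posts are excluded from the public shortcut would help the next reader. The method's closing `end` lies outside the hunk.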


@ -45,20 +45,18 @@ module TopicGuardian
end
def can_see_topic?(topic)
if topic
is_staff? ||
topic.deleted_at.nil? &&
# not secure, or I can see it
(not(topic.read_restricted_category?) || can_see_category?(topic.category)) &&
return false unless topic
return true if is_staff?
return false if topic.deleted_at
# NOTE
# At the moment staff can see PMs, there is some talk of restricting this, however
# we still need to allow staff to join PMs for the case of flagging ones
# not secure, or I can see it
(not(topic.read_restricted_category?) || can_see_category?(topic.category)) &&
# not private, or I am allowed (or is staff)
(not(topic.private_message?) || authenticated? && (topic.all_allowed_users.where(id: @user.id).exists? || is_staff?))
end
(not(topic.private_message?) || (authenticated? && (is_staff? || topic.all_allowed_users.where(id: @user.id).exists?)))
end
end
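Review bot: The `is_staff?` inside the private-message clause on the rewritten `(not(topic.private_message?) || ...)` line is unreachable, because `return true if is_staff?` already exits above it; `(not(topic.private_message?) || (authenticated? && topic.all_allowed_users.where(id: @user.id).exists?))` reads as the rule actually executes. The NOTE about staff seeing PMs then belongs beside the `return true if is_staff?` guard, which is the line that now grants that access, rather than above the category check. Writing the two remaining conditions with `!` instead of `not(...)` would match the guard-clause style the rest of the rewritten method adopts.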


@ -508,6 +508,20 @@ describe PostsController do
end
end
context "deleted topic" do
let(:admin) { log_in(:admin) }
let(:deleted_topic) { Fabricate(:topic, user: admin) }
let(:post) { Fabricate(:post, user: admin, topic: deleted_topic) }
let(:post_revision) { Fabricate(:post_revision, user: admin, post: post) }
before { deleted_topic.trash!(admin) }
it "also work on deleted topic" do
xhr :get, :revisions, post_id: post_revision.post_id, revision: post_revision.number
response.should be_success
end
end
end
describe 'expandable embedded posts' do
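Review bot: The new context only exercises the staff path; since the controller now loads the deleted topic only for staff and `can_see_topic?` returns false for a deleted topic otherwise, the case this commit must not loosen — a non-staff user requesting the same revision — has no assertion. A second example in the same context that logs in a regular user and expects the request not to succeed would pin that, as below (it presumes a non-staff fabricator usable with `log_in`, as `log_in(:admin)` is here). `let(:post)` also shadows the controller-spec `post` request helper inside this context, so a later example calling `post :some_action` here would hit the fixture instead; `let(:deleted_topic_post)` avoids that, and the example name reads better as `it "also works on deleted topic" do`.
```ruby
# … unchanged: "also work on deleted topic" example …

it "is denied to a non-staff user" do
  log_in(:user)
  xhr :get, :revisions, post_id: post_revision.post_id, revision: post_revision.number
  response.should_not be_success
end
```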