require 'spec_helper' require 'guardian' require_dependency 'post_destroyer' describe Guardian do let(:user) { build(:user) } let(:moderator) { build(:moderator) } let(:admin) { build(:admin) } let(:trust_level_3) { build(:user, trust_level: 3) } let(:trust_level_4) { build(:user, trust_level: 4) } let(:another_admin) { build(:admin) } let(:coding_horror) { build(:coding_horror) } let(:topic) { build(:topic, user: user) } let(:post) { build(:post, topic: topic, user: topic.user) } it 'can be created without a user (not logged in)' do lambda { Guardian.new }.should_not raise_error end it 'can be instantiaed with a user instance' do lambda { Guardian.new(user) }.should_not raise_error end describe 'post_can_act?' do let(:post) { build(:post) } let(:user) { build(:user) } it "returns false when the user is nil" do Guardian.new(nil).post_can_act?(post, :like).should be_false end it "returns false when the post is nil" do Guardian.new(user).post_can_act?(nil, :like).should be_false end it "returns false when the topic is archived" do post.topic.archived = true Guardian.new(user).post_can_act?(post, :like).should be_false end it "returns false when the post is deleted" do post.deleted_at = Time.now Guardian.new(user).post_can_act?(post, :like).should be_false end it "always allows flagging" do post.topic.archived = true Guardian.new(user).post_can_act?(post, :spam).should be_true end it "returns false when liking yourself" do Guardian.new(post.user).post_can_act?(post, :like).should be_false end it "returns false when you've already done it" do Guardian.new(user).post_can_act?(post, :like, taken_actions: {PostActionType.types[:like] => 1}).should be_false end it "returns false when you already flagged a post" do Guardian.new(user).post_can_act?(post, :off_topic, taken_actions: {PostActionType.types[:spam] => 1}).should be_false end describe "trust levels" do it "returns true for a new user liking something" do user.trust_level = TrustLevel[0] Guardian.new(user).post_can_act?(post, :like).should be_true end it "returns false for a new user flagging something as spam" do user.trust_level = TrustLevel[0] Guardian.new(user).post_can_act?(post, :spam).should be_false end it "returns false for a new user flagging something as off topic" do user.trust_level = TrustLevel[0] Guardian.new(user).post_can_act?(post, :off_topic).should be_false end it "returns false for a new user flagging with notify_user" do user.trust_level = TrustLevel[0] Guardian.new(user).post_can_act?(post, :notify_user).should be_false # because new users can't send private messages end end end describe "can_defer_flags" do let(:post) { Fabricate(:post) } let(:user) { post.user } let(:moderator) { Fabricate(:moderator) } it "returns false when the user is nil" do Guardian.new(nil).can_defer_flags?(post).should be_false end it "returns false when the post is nil" do Guardian.new(moderator).can_defer_flags?(nil).should be_false end it "returns false when the user is not a moderator" do Guardian.new(user).can_defer_flags?(post).should be_false end it "returns true when the user is a moderator" do Guardian.new(moderator).can_defer_flags?(post).should be_true end end describe 'can_send_private_message' do let(:user) { Fabricate(:user) } let(:another_user) { Fabricate(:user) } let(:suspended_user) { Fabricate(:user, suspended_till: 1.week.from_now, suspended_at: 1.day.ago) } it "returns false when the user is nil" do Guardian.new(nil).can_send_private_message?(user).should be_false end it "returns false when the target user is nil" do Guardian.new(user).can_send_private_message?(nil).should be_false end it "returns false when the target is the same as the user" do Guardian.new(user).can_send_private_message?(user).should be_false end it "returns false when you are untrusted" do user.trust_level = TrustLevel[0] Guardian.new(user).can_send_private_message?(another_user).should be_false end it "returns true to another user" do Guardian.new(user).can_send_private_message?(another_user).should be_true end context "enable_private_messages is false" do before { SiteSetting.stubs(:enable_private_messages).returns(false) } it "returns false if user is not the contact user" do Guardian.new(user).can_send_private_message?(another_user).should be_false end it "returns true for the contact user and system user" do SiteSetting.stubs(:site_contact_username).returns(user.username) Guardian.new(user).can_send_private_message?(another_user).should be_true Guardian.new(Discourse.system_user).can_send_private_message?(another_user).should be_true end end context "target user is suspended" do it "returns true for staff" do Guardian.new(admin).can_send_private_message?(suspended_user).should be_true Guardian.new(moderator).can_send_private_message?(suspended_user).should be_true end it "returns false for regular users" do Guardian.new(user).can_send_private_message?(suspended_user).should be_false end end end describe 'can_reply_as_new_topic' do let(:user) { Fabricate(:user) } let(:topic) { Fabricate(:topic) } it "returns false for a non logged in user" do Guardian.new(nil).can_reply_as_new_topic?(topic).should be_false end it "returns false for a nil topic" do Guardian.new(user).can_reply_as_new_topic?(nil).should be_false end it "returns false for an untrusted user" do user.trust_level = TrustLevel[0] Guardian.new(user).can_reply_as_new_topic?(topic).should be_false end it "returns true for a trusted user" do Guardian.new(user).can_reply_as_new_topic?(topic).should be_true end end describe 'can_see_post_actors?' do let(:topic) { Fabricate(:topic, user: coding_horror)} it 'displays visibility correctly' do guardian = Guardian.new(user) guardian.can_see_post_actors?(nil, PostActionType.types[:like]).should be_false guardian.can_see_post_actors?(topic, PostActionType.types[:like]).should be_true guardian.can_see_post_actors?(topic, PostActionType.types[:bookmark]).should be_false guardian.can_see_post_actors?(topic, PostActionType.types[:off_topic]).should be_false guardian.can_see_post_actors?(topic, PostActionType.types[:spam]).should be_false guardian.can_see_post_actors?(topic, PostActionType.types[:vote]).should be_true end it 'returns false for private votes' do topic.expects(:has_meta_data_boolean?).with(:private_poll).returns(true) Guardian.new(user).can_see_post_actors?(topic, PostActionType.types[:vote]).should be_false end end describe 'can_impersonate?' do it 'allows impersonation correctly' do Guardian.new(admin).can_impersonate?(nil).should be_false Guardian.new.can_impersonate?(user).should be_false Guardian.new(coding_horror).can_impersonate?(user).should be_false Guardian.new(admin).can_impersonate?(admin).should be_false Guardian.new(admin).can_impersonate?(another_admin).should be_false Guardian.new(admin).can_impersonate?(user).should be_true Guardian.new(admin).can_impersonate?(moderator).should be_true Rails.configuration.stubs(:developer_emails).returns([admin.email]) Guardian.new(admin).can_impersonate?(another_admin).should be_true end end describe 'can_invite_to_forum?' do let(:user) { Fabricate.build(:user) } let(:moderator) { Fabricate.build(:moderator) } it "doesn't allow anonymous users to invite" do Guardian.new.can_invite_to_forum?.should be_false end it 'returns true when the site requires approving users and is mod' do SiteSetting.expects(:must_approve_users?).returns(true) Guardian.new(moderator).can_invite_to_forum?.should be_true end it 'returns false when the site requires approving users and is regular' do SiteSetting.expects(:must_approve_users?).returns(true) Guardian.new(user).can_invite_to_forum?.should be_false end it 'returns false when the local logins are disabled' do SiteSetting.stubs(:enable_local_logins).returns(false) Guardian.new(user).can_invite_to_forum?.should be_false Guardian.new(moderator).can_invite_to_forum?.should be_false end end describe 'can_invite_to?' do let(:group) { Fabricate(:group) } let(:category) { Fabricate(:category, read_restricted: true) } let(:topic) { Fabricate(:topic) } let(:private_topic) { Fabricate(:topic, category: category) } let(:user) { topic.user } let(:moderator) { Fabricate(:moderator) } let(:admin) { Fabricate(:admin) } it 'handles invitation correctly' do Guardian.new(nil).can_invite_to?(topic).should be_false Guardian.new(moderator).can_invite_to?(nil).should be_false Guardian.new(moderator).can_invite_to?(topic).should be_true Guardian.new(user).can_invite_to?(topic).should be_false end it 'returns true when the site requires approving users and is mod' do SiteSetting.expects(:must_approve_users?).returns(true) Guardian.new(moderator).can_invite_to?(topic).should be_true end it 'returns false when the site requires approving users and is regular' do SiteSetting.expects(:must_approve_users?).returns(true) Guardian.new(coding_horror).can_invite_to?(topic).should be_false end it 'returns false when local logins are disabled' do SiteSetting.stubs(:enable_local_logins).returns(false) Guardian.new(moderator).can_invite_to?(topic).should be_false Guardian.new(user).can_invite_to?(topic).should be_false end it 'returns false for normal user on private topic' do Guardian.new(user).can_invite_to?(private_topic).should be_false end it 'returns true for admin on private topic' do Guardian.new(admin).can_invite_to?(private_topic).should be_true end end describe 'can_see?' do it 'returns false with a nil object' do Guardian.new.can_see?(nil).should be_false end describe 'a Group' do let(:group) { Group.new } let(:invisible_group) { Group.new(visible: false) } it "returns true when the group is visible" do Guardian.new.can_see?(group).should be_true end it "returns true when the group is visible but the user is an admin" do admin = Fabricate.build(:admin) Guardian.new(admin).can_see?(invisible_group).should be_true end it "returns false when the group is invisible" do Guardian.new.can_see?(invisible_group).should be_false end end describe 'a Topic' do it 'allows non logged in users to view topics' do Guardian.new.can_see?(topic).should be_true end it 'correctly handles groups' do group = Fabricate(:group) category = Fabricate(:category, read_restricted: true) category.set_permissions(group => :full) category.save topic = Fabricate(:topic, category: category) Guardian.new(user).can_see?(topic).should be_false group.add(user) group.save Guardian.new(user).can_see?(topic).should be_true end it "restricts deleted topics" do topic = Fabricate(:topic) topic.trash!(moderator) Guardian.new(build(:user)).can_see?(topic).should be_false Guardian.new(moderator).can_see?(topic).should be_true Guardian.new(admin).can_see?(topic).should be_true end it "restricts private topics" do user.save! private_topic = Fabricate(:private_message_topic, user: user) Guardian.new(private_topic.user).can_see?(private_topic).should be_true Guardian.new(build(:user)).can_see?(private_topic).should be_false Guardian.new(moderator).can_see?(private_topic).should be_false Guardian.new(admin).can_see?(private_topic).should be_true end it "restricts private deleted topics" do user.save! private_topic = Fabricate(:private_message_topic, user: user) private_topic.trash!(admin) Guardian.new(private_topic.user).can_see?(private_topic).should be_false Guardian.new(build(:user)).can_see?(private_topic).should be_false Guardian.new(moderator).can_see?(private_topic).should be_false Guardian.new(admin).can_see?(private_topic).should be_true end it "restricts static doc topics" do tos_topic = Fabricate(:topic, user: Discourse.system_user) SiteSetting.stubs(:tos_topic_id).returns(tos_topic.id) Guardian.new(build(:user)).can_edit?(tos_topic).should be_false Guardian.new(moderator).can_edit?(tos_topic).should be_false Guardian.new(admin).can_edit?(tos_topic).should be_true end end describe 'a Post' do let(:another_admin) { Fabricate(:admin) } it 'correctly handles post visibility' do post = Fabricate(:post) topic = post.topic Guardian.new(user).can_see?(post).should be_true post.trash!(another_admin) post.reload Guardian.new(user).can_see?(post).should be_false Guardian.new(admin).can_see?(post).should be_true post.recover! post.reload topic.trash!(another_admin) topic.reload Guardian.new(user).can_see?(post).should be_false Guardian.new(admin).can_see?(post).should be_true end end describe 'a PostRevision' do let(:post_revision) { Fabricate(:post_revision) } context 'edit_history_visible_to_public is true' do before { SiteSetting.stubs(:edit_history_visible_to_public).returns(true) } it 'is false for nil' do Guardian.new.can_see?(nil).should be_false end it 'is true if not logged in' do Guardian.new.can_see?(post_revision).should == true end it 'is true when logged in' do Guardian.new(Fabricate(:user)).can_see?(post_revision).should == true end it 'is true if the author has public edit history' do public_post_revision = Fabricate(:post_revision) public_post_revision.post.user.edit_history_public = true Guardian.new.can_see?(public_post_revision).should == true end end context 'edit_history_visible_to_public is false' do before { SiteSetting.stubs(:edit_history_visible_to_public).returns(false) } it 'is true for staff' do Guardian.new(Fabricate(:admin)).can_see?(post_revision).should == true Guardian.new(Fabricate(:moderator)).can_see?(post_revision).should == true end it 'is true for trust level 4' do Guardian.new(trust_level_4).can_see?(post_revision).should == true end it 'is false for trust level lower than 4' do Guardian.new(trust_level_3).can_see?(post_revision).should == false end it 'is true if the author has public edit history' do public_post_revision = Fabricate(:post_revision) public_post_revision.post.user.edit_history_public = true Guardian.new.can_see?(public_post_revision).should == true end end end end describe 'can_create?' do describe 'a Category' do it 'returns false when not logged in' do Guardian.new.can_create?(Category).should be_false end it 'returns false when a regular user' do Guardian.new(user).can_create?(Category).should be_false end it 'returns false when a moderator' do Guardian.new(moderator).can_create?(Category).should be_false end it 'returns true when an admin' do Guardian.new(admin).can_create?(Category).should be_true end end describe 'a Topic' do it 'should check for full permissions' do category = Fabricate(:category) category.set_permissions(:everyone => :create_post) category.save Guardian.new(user).can_create?(Topic,category).should be_false end it "is true for new users by default" do Guardian.new(user).can_create?(Topic,Fabricate(:category)).should be_true end it "is false if user has not met minimum trust level" do SiteSetting.stubs(:min_trust_to_create_topic).returns(1) Guardian.new(build(:user, trust_level: 0)).can_create?(Topic,Fabricate(:category)).should be_false end it "is true if user has met or exceeded the minimum trust level" do SiteSetting.stubs(:min_trust_to_create_topic).returns(1) Guardian.new(build(:user, trust_level: 1)).can_create?(Topic,Fabricate(:category)).should be_true Guardian.new(build(:user, trust_level: 2)).can_create?(Topic,Fabricate(:category)).should be_true Guardian.new(build(:admin, trust_level: 0)).can_create?(Topic,Fabricate(:category)).should be_true Guardian.new(build(:moderator, trust_level: 0)).can_create?(Topic,Fabricate(:category)).should be_true end end describe 'a Post' do it "is false on readonly categories" do category = Fabricate(:category) topic.category = category category.set_permissions(:everyone => :readonly) category.save Guardian.new(topic.user).can_create?(Post, topic).should be_false end it "is false when not logged in" do Guardian.new.can_create?(Post, topic).should be_false end it 'is true for a regular user' do Guardian.new(topic.user).can_create?(Post, topic).should be_true end it "is false when you can't see the topic" do Guardian.any_instance.expects(:can_see?).with(topic).returns(false) Guardian.new(topic.user).can_create?(Post, topic).should be_false end context 'closed topic' do before do topic.closed = true end it "doesn't allow new posts from regular users" do Guardian.new(topic.user).can_create?(Post, topic).should be_false end it 'allows editing of posts' do Guardian.new(topic.user).can_edit?(post).should be_true end it "allows new posts from moderators" do Guardian.new(moderator).can_create?(Post, topic).should be_true end it "allows new posts from admins" do Guardian.new(admin).can_create?(Post, topic).should be_true end it "allows new posts from trust_level_4s" do Guardian.new(trust_level_4).can_create?(Post, topic).should be_true end end context 'archived topic' do before do topic.archived = true end context 'regular users' do it "doesn't allow new posts from regular users" do Guardian.new(coding_horror).can_create?(Post, topic).should be_false end it 'does not allow editing of posts' do Guardian.new(coding_horror).can_edit?(post).should be_false end end it "allows new posts from moderators" do Guardian.new(moderator).can_create?(Post, topic).should be_true end it "allows new posts from admins" do Guardian.new(admin).can_create?(Post, topic).should be_true end end context "trashed topic" do before do topic.deleted_at = Time.now end it "doesn't allow new posts from regular users" do Guardian.new(coding_horror).can_create?(Post, topic).should be_false end it "doesn't allow new posts from moderators users" do Guardian.new(moderator).can_create?(Post, topic).should be_false end it "doesn't allow new posts from admins" do Guardian.new(admin).can_create?(Post, topic).should be_false end end end end describe 'post_can_act?' do it "isn't allowed on nil" do Guardian.new(user).post_can_act?(nil, nil).should be_false end describe 'a Post' do let (:guardian) do Guardian.new(user) end it "isn't allowed when not logged in" do Guardian.new(nil).post_can_act?(post,:vote).should be_false end it "is allowed as a regular user" do guardian.post_can_act?(post,:vote).should be_true end it "doesn't allow voting if the user has an action from voting already" do guardian.post_can_act?(post,:vote,taken_actions: {PostActionType.types[:vote] => 1}).should be_false end it "allows voting if the user has performed a different action" do guardian.post_can_act?(post,:vote,taken_actions: {PostActionType.types[:like] => 1}).should be_true end it "isn't allowed on archived topics" do topic.archived = true Guardian.new(user).post_can_act?(post,:like).should be_false end describe 'multiple voting' do it "isn't allowed if the user voted and the topic doesn't allow multiple votes" do Topic.any_instance.expects(:has_meta_data_boolean?).with(:single_vote).returns(true) Guardian.new(user).can_vote?(post, voted_in_topic: true).should be_false end it "is allowed if the user voted and the topic doesn't allow multiple votes" do Guardian.new(user).can_vote?(post, voted_in_topic: false).should be_true end end end end describe "can_recover_topic?" do it "returns false for a nil user" do Guardian.new(nil).can_recover_topic?(topic).should be_false end it "returns false for a nil object" do Guardian.new(user).can_recover_topic?(nil).should be_false end it "returns false for a regular user" do Guardian.new(user).can_recover_topic?(topic).should be_false end it "returns true for a moderator" do Guardian.new(moderator).can_recover_topic?(topic).should be_true end end describe "can_recover_post?" do it "returns false for a nil user" do Guardian.new(nil).can_recover_post?(post).should be_false end it "returns false for a nil object" do Guardian.new(user).can_recover_post?(nil).should be_false end it "returns false for a regular user" do Guardian.new(user).can_recover_post?(post).should be_false end it "returns true for a moderator" do Guardian.new(moderator).can_recover_post?(post).should be_true end end describe 'can_edit?' do it 'returns false with a nil object' do Guardian.new(user).can_edit?(nil).should == false end describe 'a Post' do it 'returns false when not logged in' do Guardian.new.can_edit?(post).should be_false end it 'returns false when not logged in also for wiki post' do post.wiki = true Guardian.new.can_edit?(post).should be_false end it 'returns true if you want to edit your own post' do Guardian.new(post.user).can_edit?(post).should be_true end it "returns false if the post is hidden due to flagging and it's too soon" do post.hidden = true post.hidden_at = Time.now Guardian.new(post.user).can_edit?(post).should be_false end it "returns true if the post is hidden due to flagging and it been enough time" do post.hidden = true post.hidden_at = (SiteSetting.cooldown_minutes_after_hiding_posts + 1).minutes.ago Guardian.new(post.user).can_edit?(post).should be_true end it "returns true if the post is hidden due to flagging and it's got a nil `hidden_at`" do post.hidden = true post.hidden_at = nil Guardian.new(post.user).can_edit?(post).should be_true end it 'returns false if you are trying to edit a post you soft deleted' do post.user_deleted = true Guardian.new(post.user).can_edit?(post).should be_false end it 'returns false if another regular user tries to edit a soft deleted wiki post' do post.wiki = true post.user_deleted = true Guardian.new(coding_horror).can_edit?(post).should be_false end it 'returns false if you are trying to edit a deleted post' do post.deleted_at = 1.day.ago Guardian.new(post.user).can_edit?(post).should be_false end it 'returns false if another regular user tries to edit a deleted wiki post' do post.wiki = true post.deleted_at = 1.day.ago Guardian.new(coding_horror).can_edit?(post).should be_false end it 'returns false if another regular user tries to edit your post' do Guardian.new(coding_horror).can_edit?(post).should be_false end it 'returns true if another regular user tries to edit wiki post' do post.wiki = true Guardian.new(coding_horror).can_edit?(post).should be_true end it 'returns true as a moderator' do Guardian.new(moderator).can_edit?(post).should be_true end it 'returns true as an admin' do Guardian.new(admin).can_edit?(post).should be_true end it 'returns true as a trust level 4 user' do Guardian.new(trust_level_4).can_edit?(post).should be_true end context 'post is older than post_edit_time_limit' do let(:old_post) { build(:post, topic: topic, user: topic.user, created_at: 6.minutes.ago) } before do SiteSetting.stubs(:post_edit_time_limit).returns(5) end it 'returns false to the author of the post' do Guardian.new(old_post.user).can_edit?(old_post).should == false end it 'returns true as a moderator' do Guardian.new(moderator).can_edit?(old_post).should eq(true) end it 'returns true as an admin' do Guardian.new(admin).can_edit?(old_post).should eq(true) end it 'returns false for another regular user trying to edit your post' do Guardian.new(coding_horror).can_edit?(old_post).should == false end it 'returns true for another regular user trying to edit a wiki post' do old_post.wiki = true Guardian.new(coding_horror).can_edit?(old_post).should be_true end it 'returns false when another user has too low trust level to edit wiki post' do SiteSetting.stubs(:min_trust_to_edit_wiki_post).returns(2) post.wiki = true coding_horror.trust_level = 1 Guardian.new(coding_horror).can_edit?(post).should be_false end it 'returns true when another user has adequate trust level to edit wiki post' do SiteSetting.stubs(:min_trust_to_edit_wiki_post).returns(2) post.wiki = true coding_horror.trust_level = 2 Guardian.new(coding_horror).can_edit?(post).should be_true end it 'returns true for post author even when he has too low trust level to edit wiki post' do SiteSetting.stubs(:min_trust_to_edit_wiki_post).returns(2) post.wiki = true post.user.trust_level = 1 Guardian.new(post.user).can_edit?(post).should be_true end end context "first post of a static page doc" do let!(:tos_topic) { Fabricate(:topic, user: Discourse.system_user) } let!(:tos_first_post) { build(:post, topic: tos_topic, user: tos_topic.user) } before { SiteSetting.stubs(:tos_topic_id).returns(tos_topic.id) } it "restricts static doc posts" do Guardian.new(build(:user)).can_edit?(tos_first_post).should be_false Guardian.new(moderator).can_edit?(tos_first_post).should be_false Guardian.new(admin).can_edit?(tos_first_post).should be_true end end end describe 'a Topic' do it 'returns false when not logged in' do Guardian.new.can_edit?(topic).should == false end it 'returns true for editing your own post' do Guardian.new(topic.user).can_edit?(topic).should eq(true) end it 'returns false as a regular user' do Guardian.new(coding_horror).can_edit?(topic).should == false end context 'not archived' do it 'returns true as a moderator' do Guardian.new(moderator).can_edit?(topic).should eq(true) end it 'returns true as an admin' do Guardian.new(admin).can_edit?(topic).should eq(true) end it 'returns true at trust level 3' do Guardian.new(trust_level_3).can_edit?(topic).should eq(true) end end context 'private message' do it 'returns false at trust level 3' do topic.archetype = 'private_message' Guardian.new(trust_level_3).can_edit?(topic).should eq(false) end end context 'archived' do it 'returns true as a moderator' do Guardian.new(moderator).can_edit?(build(:topic, user: user, archived: true)).should == true end it 'returns true as an admin' do Guardian.new(admin).can_edit?(build(:topic, user: user, archived: true)).should == true end it 'returns true at trust level 3' do Guardian.new(trust_level_3).can_edit?(build(:topic, user: user, archived: true)).should == true end it 'returns false as a topic creator' do Guardian.new(user).can_edit?(build(:topic, user: user, archived: true)).should == false end end end describe 'a Category' do let(:category) { Fabricate(:category) } it 'returns false when not logged in' do Guardian.new.can_edit?(category).should be_false end it 'returns false as a regular user' do Guardian.new(category.user).can_edit?(category).should be_false end it 'returns false as a moderator' do Guardian.new(moderator).can_edit?(category).should be_false end it 'returns true as an admin' do Guardian.new(admin).can_edit?(category).should be_true end end describe 'a User' do it 'returns false when not logged in' do Guardian.new.can_edit?(user).should be_false end it 'returns false as a different user' do Guardian.new(coding_horror).can_edit?(user).should be_false end it 'returns true when trying to edit yourself' do Guardian.new(user).can_edit?(user).should be_true end it 'returns true as a moderator' do Guardian.new(moderator).can_edit?(user).should be_true end it 'returns true as an admin' do Guardian.new(admin).can_edit?(user).should be_true end end end context 'can_moderate?' do it 'returns false with a nil object' do Guardian.new(user).can_moderate?(nil).should be_false end context 'a Topic' do it 'returns false when not logged in' do Guardian.new.can_moderate?(topic).should be_false end it 'returns false when not a moderator' do Guardian.new(user).can_moderate?(topic).should be_false end it 'returns true when a moderator' do Guardian.new(moderator).can_moderate?(topic).should be_true end it 'returns true when an admin' do Guardian.new(admin).can_moderate?(topic).should be_true end it 'returns true when trust level 4' do Guardian.new(trust_level_4).can_moderate?(topic).should be_true end end end context 'can_see_flags?' do it "returns false when there is no post" do Guardian.new(moderator).can_see_flags?(nil).should be_false end it "returns false when there is no user" do Guardian.new(nil).can_see_flags?(post).should be_false end it "allow regular users to see flags" do Guardian.new(user).can_see_flags?(post).should be_false end it "allows moderators to see flags" do Guardian.new(moderator).can_see_flags?(post).should be_true end it "allows moderators to see flags" do Guardian.new(admin).can_see_flags?(post).should be_true end end context 'can_move_posts?' do it 'returns false with a nil object' do Guardian.new(user).can_move_posts?(nil).should be_false end context 'a Topic' do it 'returns false when not logged in' do Guardian.new.can_move_posts?(topic).should be_false end it 'returns false when not a moderator' do Guardian.new(user).can_move_posts?(topic).should be_false end it 'returns true when a moderator' do Guardian.new(moderator).can_move_posts?(topic).should be_true end it 'returns true when an admin' do Guardian.new(admin).can_move_posts?(topic).should be_true end end end context 'can_delete?' do it 'returns false with a nil object' do Guardian.new(user).can_delete?(nil).should be_false end context 'a Topic' do before do # pretend we have a real topic topic.id = 9999999 end it 'returns false when not logged in' do Guardian.new.can_delete?(topic).should be_false end it 'returns false when not a moderator' do Guardian.new(user).can_delete?(topic).should be_false end it 'returns true when a moderator' do Guardian.new(moderator).can_delete?(topic).should be_true end it 'returns true when an admin' do Guardian.new(admin).can_delete?(topic).should be_true end it 'returns false for static doc topics' do tos_topic = Fabricate(:topic, user: Discourse.system_user) SiteSetting.stubs(:tos_topic_id).returns(tos_topic.id) Guardian.new(admin).can_delete?(tos_topic).should be_false end end context 'a Post' do before do post.post_number = 2 end it 'returns false when not logged in' do Guardian.new.can_delete?(post).should be_false end it "returns false when trying to delete your own post that has already been deleted" do post = Fabricate(:post) PostDestroyer.new(user, post).destroy post.reload Guardian.new(user).can_delete?(post).should be_false end it 'returns true when trying to delete your own post' do Guardian.new(user).can_delete?(post).should be_true end it "returns false when trying to delete another user's own post" do Guardian.new(Fabricate(:user)).can_delete?(post).should be_false end it "returns false when it's the OP, even as a moderator" do post.update_attribute :post_number, 1 Guardian.new(moderator).can_delete?(post).should be_false end it 'returns true when a moderator' do Guardian.new(moderator).can_delete?(post).should be_true end it 'returns true when an admin' do Guardian.new(admin).can_delete?(post).should be_true end it 'returns false when post is first in a static doc topic' do tos_topic = Fabricate(:topic, user: Discourse.system_user) SiteSetting.stubs(:tos_topic_id).returns(tos_topic.id) post.update_attribute :post_number, 1 post.update_attribute :topic_id, tos_topic.id Guardian.new(admin).can_delete?(post).should be_false end context 'post is older than post_edit_time_limit' do let(:old_post) { build(:post, topic: topic, user: topic.user, post_number: 2, created_at: 6.minutes.ago) } before do SiteSetting.stubs(:post_edit_time_limit).returns(5) end it 'returns false to the author of the post' do Guardian.new(old_post.user).can_delete?(old_post).should eq(false) end it 'returns true as a moderator' do Guardian.new(moderator).can_delete?(old_post).should eq(true) end it 'returns true as an admin' do Guardian.new(admin).can_delete?(old_post).should eq(true) end it "returns false when it's the OP, even as a moderator" do old_post.post_number = 1 Guardian.new(moderator).can_delete?(old_post).should eq(false) end it 'returns false for another regular user trying to delete your post' do Guardian.new(coding_horror).can_delete?(old_post).should eq(false) end end context 'the topic is archived' do before do post.topic.archived = true end it "allows a staff member to delete it" do Guardian.new(moderator).can_delete?(post).should be_true end it "doesn't allow a regular user to delete it" do Guardian.new(post.user).can_delete?(post).should be_false end end end context 'a Category' do let(:category) { build(:category, user: moderator) } it 'returns false when not logged in' do Guardian.new.can_delete?(category).should be_false end it 'returns false when a regular user' do Guardian.new(user).can_delete?(category).should be_false end it 'returns false when a moderator' do Guardian.new(moderator).can_delete?(category).should be_false end it 'returns true when an admin' do Guardian.new(admin).can_delete?(category).should be_true end it "can't be deleted if it has a forum topic" do category.topic_count = 10 Guardian.new(moderator).can_delete?(category).should be_false end it "can't be deleted if it is the Uncategorized Category" do uncategorized_cat_id = SiteSetting.uncategorized_category_id uncategorized_category = Category.find(uncategorized_cat_id) Guardian.new(admin).can_delete?(uncategorized_category).should be_false end it "can't be deleted if it has children" do category.expects(:has_children?).returns(true) Guardian.new(admin).can_delete?(category).should be_false end end context 'can_suspend?' do it 'returns false when a user tries to suspend another user' do Guardian.new(user).can_suspend?(coding_horror).should be_false end it 'returns true when an admin tries to suspend another user' do Guardian.new(admin).can_suspend?(coding_horror).should be_true end it 'returns true when a moderator tries to suspend another user' do Guardian.new(moderator).can_suspend?(coding_horror).should be_true end it 'returns false when staff tries to suspend staff' do Guardian.new(admin).can_suspend?(moderator).should be_false end end context 'a PostAction' do let(:post_action) { user.id = 1 post.id = 1 a = PostAction.new(user: user, post: post, post_action_type_id: 1) a.created_at = 1.minute.ago a } it 'returns false when not logged in' do Guardian.new.can_delete?(post_action).should be_false end it 'returns false when not the user who created it' do Guardian.new(coding_horror).can_delete?(post_action).should be_false end it "returns false if the window has expired" do post_action.created_at = 20.minutes.ago SiteSetting.expects(:post_undo_action_window_mins).returns(10) Guardian.new(user).can_delete?(post_action).should be_false end it "returns true if it's yours" do Guardian.new(user).can_delete?(post_action).should be_true end end end context 'can_approve?' do it "wont allow a non-logged in user to approve" do Guardian.new.can_approve?(user).should be_false end it "wont allow a non-admin to approve a user" do Guardian.new(coding_horror).can_approve?(user).should be_false end it "returns false when the user is already approved" do user.approved = true Guardian.new(admin).can_approve?(user).should be_false end it "allows an admin to approve a user" do Guardian.new(admin).can_approve?(user).should be_true end it "allows a moderator to approve a user" do Guardian.new(moderator).can_approve?(user).should be_true end end context 'can_grant_admin?' do it "wont allow a non logged in user to grant an admin's access" do Guardian.new.can_grant_admin?(another_admin).should be_false end it "wont allow a regular user to revoke an admin's access" do Guardian.new(user).can_grant_admin?(another_admin).should be_false end it 'wont allow an admin to grant their own access' do Guardian.new(admin).can_grant_admin?(admin).should be_false end it "allows an admin to grant a regular user access" do admin.id = 1 user.id = 2 Guardian.new(admin).can_grant_admin?(user).should be_true end end context 'can_revoke_admin?' do it "wont allow a non logged in user to revoke an admin's access" do Guardian.new.can_revoke_admin?(another_admin).should be_false end it "wont allow a regular user to revoke an admin's access" do Guardian.new(user).can_revoke_admin?(another_admin).should be_false end it 'wont allow an admin to revoke their own access' do Guardian.new(admin).can_revoke_admin?(admin).should be_false end it "allows an admin to revoke another admin's access" do admin.id = 1 another_admin.id = 2 Guardian.new(admin).can_revoke_admin?(another_admin).should be_true end end context 'can_grant_moderation?' do it "wont allow a non logged in user to grant an moderator's access" do Guardian.new.can_grant_moderation?(user).should be_false end it "wont allow a regular user to revoke an moderator's access" do Guardian.new(user).can_grant_moderation?(moderator).should be_false end it 'will allow an admin to grant their own moderator access' do Guardian.new(admin).can_grant_moderation?(admin).should be_true end it 'wont allow an admin to grant it to an already moderator' do Guardian.new(admin).can_grant_moderation?(moderator).should be_false end it "allows an admin to grant a regular user access" do Guardian.new(admin).can_grant_moderation?(user).should be_true end end context 'can_revoke_moderation?' do it "wont allow a non logged in user to revoke an moderator's access" do Guardian.new.can_revoke_moderation?(moderator).should be_false end it "wont allow a regular user to revoke an moderator's access" do Guardian.new(user).can_revoke_moderation?(moderator).should be_false end it 'wont allow a moderator to revoke their own moderator' do Guardian.new(moderator).can_revoke_moderation?(moderator).should be_false end it "allows an admin to revoke a moderator's access" do Guardian.new(admin).can_revoke_moderation?(moderator).should be_true end it "allows an admin to revoke a moderator's access from self" do admin.moderator = true Guardian.new(admin).can_revoke_moderation?(admin).should be_true end it "does not allow revoke from non moderators" do Guardian.new(admin).can_revoke_moderation?(admin).should be_false end end context "can_see_invite_details?" do it 'is false without a logged in user' do Guardian.new(nil).can_see_invite_details?(user).should be_false end it 'is false without a user to look at' do Guardian.new(user).can_see_invite_details?(nil).should be_false end it 'is true when looking at your own invites' do Guardian.new(user).can_see_invite_details?(user).should be_true end end context "can_access_forum?" do let(:unapproved_user) { Fabricate.build(:user) } context "when must_approve_users is false" do before do SiteSetting.stubs(:must_approve_users?).returns(false) end it "returns true for a nil user" do Guardian.new(nil).can_access_forum?.should be_true end it "returns true for an unapproved user" do Guardian.new(unapproved_user).can_access_forum?.should be_true end end context 'when must_approve_users is true' do before do SiteSetting.stubs(:must_approve_users?).returns(true) end it "returns false for a nil user" do Guardian.new(nil).can_access_forum?.should be_false end it "returns false for an unapproved user" do Guardian.new(unapproved_user).can_access_forum?.should be_false end it "returns true for an admin user" do unapproved_user.admin = true Guardian.new(unapproved_user).can_access_forum?.should be_true end it "returns true for an approved user" do unapproved_user.approved = true Guardian.new(unapproved_user).can_access_forum?.should be_true end end end describe "can_delete_user?" do it "is false without a logged in user" do Guardian.new(nil).can_delete_user?(user).should == false end it "is false without a user to look at" do Guardian.new(admin).can_delete_user?(nil).should == false end it "is false for regular users" do Guardian.new(user).can_delete_user?(coding_horror).should == false end context "delete myself" do let(:myself) { Fabricate(:user, created_at: 6.months.ago) } subject { Guardian.new(myself).can_delete_user?(myself) } it "is true to delete myself and I have never made a post" do subject.should == true end it "is true to delete myself and I have only made 1 post" do myself.stubs(:post_count).returns(1) subject.should == true end it "is false to delete myself and I have made 2 posts" do myself.stubs(:post_count).returns(2) subject.should == false end end shared_examples "can_delete_user examples" do it "is true if user is not an admin and has never posted" do Guardian.new(actor).can_delete_user?(Fabricate.build(:user, created_at: 100.days.ago)).should == true end it "is true if user is not an admin and first post is not too old" do user = Fabricate.build(:user, created_at: 100.days.ago) user.stubs(:first_post_created_at).returns(9.days.ago) SiteSetting.stubs(:delete_user_max_post_age).returns(10) Guardian.new(actor).can_delete_user?(user).should == true end it "is false if user is an admin" do Guardian.new(actor).can_delete_user?(another_admin).should == false end it "is false if user's first post is too old" do user = Fabricate.build(:user, created_at: 100.days.ago) user.stubs(:first_post_created_at).returns(11.days.ago) SiteSetting.stubs(:delete_user_max_post_age).returns(10) Guardian.new(actor).can_delete_user?(user).should == false end end context "for moderators" do let(:actor) { moderator } include_examples "can_delete_user examples" end context "for admins" do let(:actor) { admin } include_examples "can_delete_user examples" end end describe "can_delete_all_posts?" do it "is false without a logged in user" do Guardian.new(nil).can_delete_all_posts?(user).should be_false end it "is false without a user to look at" do Guardian.new(admin).can_delete_all_posts?(nil).should be_false end it "is false for regular users" do Guardian.new(user).can_delete_all_posts?(coding_horror).should be_false end shared_examples "can_delete_all_posts examples" do it "is true if user has no posts" do SiteSetting.stubs(:delete_user_max_post_age).returns(10) Guardian.new(actor).can_delete_all_posts?(Fabricate(:user, created_at: 100.days.ago)).should be_true end it "is true if user's first post is newer than delete_user_max_post_age days old" do user = Fabricate(:user, created_at: 100.days.ago) user.stubs(:first_post_created_at).returns(9.days.ago) SiteSetting.stubs(:delete_user_max_post_age).returns(10) Guardian.new(actor).can_delete_all_posts?(user).should be_true end it "is false if user's first post is older than delete_user_max_post_age days old" do user = Fabricate(:user, created_at: 100.days.ago) user.stubs(:first_post_created_at).returns(11.days.ago) SiteSetting.stubs(:delete_user_max_post_age).returns(10) Guardian.new(actor).can_delete_all_posts?(user).should be_false end it "is false if user is an admin" do Guardian.new(actor).can_delete_all_posts?(admin).should be_false end it "is true if number of posts is small" do u = Fabricate(:user, created_at: 1.day.ago) u.stubs(:post_count).returns(1) SiteSetting.stubs(:delete_all_posts_max).returns(10) Guardian.new(actor).can_delete_all_posts?(u).should be_true end it "is false if number of posts is not small" do u = Fabricate(:user, created_at: 1.day.ago) u.stubs(:post_count).returns(11) SiteSetting.stubs(:delete_all_posts_max).returns(10) Guardian.new(actor).can_delete_all_posts?(u).should be_false end end context "for moderators" do let(:actor) { moderator } include_examples "can_delete_all_posts examples" end context "for admins" do let(:actor) { admin } include_examples "can_delete_all_posts examples" end end describe 'can_grant_title?' do it 'is false without a logged in user' do Guardian.new(nil).can_grant_title?(user).should be_false end it 'is false for regular users' do Guardian.new(user).can_grant_title?(user).should be_false end it 'is true for moderators' do Guardian.new(moderator).can_grant_title?(user).should be_true end it 'is true for admins' do Guardian.new(admin).can_grant_title?(user).should be_true end it 'is false without a user to look at' do Guardian.new(admin).can_grant_title?(nil).should be_false end end describe 'can_change_trust_level?' do it 'is false without a logged in user' do Guardian.new(nil).can_change_trust_level?(user).should be_false end it 'is false for regular users' do Guardian.new(user).can_change_trust_level?(user).should be_false end it 'is true for moderators' do Guardian.new(moderator).can_change_trust_level?(user).should be_true end it 'is true for admins' do Guardian.new(admin).can_change_trust_level?(user).should be_true end end describe "can_edit_username?" do it "is false without a logged in user" do Guardian.new(nil).can_edit_username?(build(:user, created_at: 1.minute.ago)).should be_false end it "is false for regular users to edit another user's username" do Guardian.new(build(:user)).can_edit_username?(build(:user, created_at: 1.minute.ago)).should be_false end shared_examples "staff can always change usernames" do it "is true for moderators" do Guardian.new(moderator).can_edit_username?(user).should be_true end it "is true for admins" do Guardian.new(admin).can_edit_username?(user).should be_true end end context 'for a new user' do let(:target_user) { Fabricate(:user, created_at: 1.minute.ago) } include_examples "staff can always change usernames" it "is true for the user to change their own username" do Guardian.new(target_user).can_edit_username?(target_user).should be_true end end context 'for an old user' do before do SiteSetting.stubs(:username_change_period).returns(3) end let(:target_user) { Fabricate(:user, created_at: 4.days.ago) } context 'with no posts' do include_examples "staff can always change usernames" it "is true for the user to change their own username" do Guardian.new(target_user).can_edit_username?(target_user).should be_true end end context 'with posts' do before { target_user.stubs(:post_count).returns(1) } include_examples "staff can always change usernames" it "is false for the user to change their own username" do Guardian.new(target_user).can_edit_username?(target_user).should be_false end end end context 'when editing is disabled in preferences' do before do SiteSetting.stubs(:username_change_period).returns(0) end include_examples "staff can always change usernames" it "is false for the user to change their own username" do Guardian.new(user).can_edit_username?(user).should be_false end end context 'when SSO username override is active' do before do SiteSetting.stubs(:enable_sso).returns(true) SiteSetting.stubs(:sso_overrides_username).returns(true) end it "is false for admins" do Guardian.new(admin).can_edit_username?(admin).should be_false end it "is false for moderators" do Guardian.new(moderator).can_edit_username?(moderator).should be_false end it "is false for users" do Guardian.new(user).can_edit_username?(user).should be_false end end end describe "can_edit_email?" do context 'when allowed in settings' do before do SiteSetting.stubs(:email_editable?).returns(true) end it "is false when not logged in" do Guardian.new(nil).can_edit_email?(build(:user, created_at: 1.minute.ago)).should be_false end it "is false for regular users to edit another user's email" do Guardian.new(build(:user)).can_edit_email?(build(:user, created_at: 1.minute.ago)).should be_false end it "is true for a regular user to edit their own email" do Guardian.new(user).can_edit_email?(user).should be_true end it "is true for moderators" do Guardian.new(moderator).can_edit_email?(user).should be_true end it "is true for admins" do Guardian.new(admin).can_edit_email?(user).should be_true end end context 'when not allowed in settings' do before do SiteSetting.stubs(:email_editable?).returns(false) end it "is false when not logged in" do Guardian.new(nil).can_edit_email?(build(:user, created_at: 1.minute.ago)).should be_false end it "is false for regular users to edit another user's email" do Guardian.new(build(:user)).can_edit_email?(build(:user, created_at: 1.minute.ago)).should be_false end it "is false for a regular user to edit their own email" do Guardian.new(user).can_edit_email?(user).should be_false end it "is false for admins" do Guardian.new(admin).can_edit_email?(user).should be_false end it "is false for moderators" do Guardian.new(moderator).can_edit_email?(user).should be_false end end context 'when SSO email override is active' do before do SiteSetting.stubs(:enable_sso).returns(true) SiteSetting.stubs(:sso_overrides_email).returns(true) end it "is false for admins" do Guardian.new(admin).can_edit_email?(admin).should be_false end it "is false for moderators" do Guardian.new(moderator).can_edit_email?(moderator).should be_false end it "is false for users" do Guardian.new(user).can_edit_email?(user).should be_false end end end describe 'can_edit_name?' do it 'is false without a logged in user' do Guardian.new(nil).can_edit_name?(build(:user, created_at: 1.minute.ago)).should be_false end it "is false for regular users to edit another user's name" do Guardian.new(build(:user)).can_edit_name?(build(:user, created_at: 1.minute.ago)).should be_false end context 'for a new user' do let(:target_user) { build(:user, created_at: 1.minute.ago) } it 'is true for the user to change their own name' do Guardian.new(target_user).can_edit_name?(target_user).should be_true end it 'is true for moderators' do Guardian.new(moderator).can_edit_name?(user).should be_true end it 'is true for admins' do Guardian.new(admin).can_edit_name?(user).should be_true end end context 'when name is disabled in preferences' do before do SiteSetting.stubs(:enable_names).returns(false) end it 'is false for the user to change their own name' do Guardian.new(user).can_edit_name?(user).should be_false end it 'is false for moderators' do Guardian.new(moderator).can_edit_name?(user).should be_false end it 'is false for admins' do Guardian.new(admin).can_edit_name?(user).should be_false end end context 'when name is enabled in preferences' do before do SiteSetting.stubs(:enable_names).returns(true) end context 'when SSO is disabled' do before do SiteSetting.stubs(:enable_sso).returns(false) SiteSetting.stubs(:sso_overrides_name).returns(false) end it 'is true for admins' do Guardian.new(admin).can_edit_name?(admin).should be_true end it 'is true for moderators' do Guardian.new(moderator).can_edit_name?(moderator).should be_true end it 'is true for users' do Guardian.new(user).can_edit_name?(user).should be_true end end context 'when SSO is enabled' do before do SiteSetting.stubs(:enable_sso).returns(true) end context 'when SSO name override is active' do before do SiteSetting.stubs(:sso_overrides_name).returns(true) end it 'is false for admins' do Guardian.new(admin).can_edit_name?(admin).should be_false end it 'is false for moderators' do Guardian.new(moderator).can_edit_name?(moderator).should be_false end it 'is false for users' do Guardian.new(user).can_edit_name?(user).should be_false end end context 'when SSO name override is not active' do before do SiteSetting.stubs(:sso_overrides_name).returns(false) end it 'is true for admins' do Guardian.new(admin).can_edit_name?(admin).should be_true end it 'is true for moderators' do Guardian.new(moderator).can_edit_name?(moderator).should be_true end it 'is true for users' do Guardian.new(user).can_edit_name?(user).should be_true end end end end end describe 'can_wiki?' do it 'returns false for regular user' do Guardian.new(coding_horror).can_wiki?.should be_false end it 'returns true for admin user' do Guardian.new(admin).can_wiki?.should be_true end it 'returns true for trust_level_4 user' do Guardian.new(trust_level_4).can_wiki?.should be_true end end end