FIX: trust level 3 should not be able to edit topics in categories that restrict them from doing so

2024-11-27 17:46:05 -05:00 · 2016-06-01 15:41:56 -04:00 · 2016-06-01 15:41:56 -04:00 · 0f8b4dcc86
commit 0f8b4dcc86
parent 672220c6d2
2 changed files with 12 additions and 0 deletions
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@ -36,6 +36,9 @@ module TopicGuardian
    return true if is_admin?
    return true if is_moderator? && can_create_post?(topic)
    # can't edit topics in secured categories where you don't have permission to create topics
    return false if !can_create_topic_on_category?(topic.category)
    # TL4 users can edit archived topics, but can not edit private messages
    return true if (topic.archived && !topic.private_message? && user.has_trust_level?(TrustLevel[4]) && can_create_post?(topic))
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@ -1086,6 +1086,15 @@ describe Guardian do
          expect(Guardian.new(moderator).can_edit?(post)).to eq(false)
          expect(Guardian.new(moderator).can_edit?(topic)).to eq(false)
        end
        it "returns false for trust level 3 if category is secured" do
          topic.category.set_permissions(everyone: :create_post, staff: :full)
          topic.category.save
          expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(false)
          expect(Guardian.new(admin).can_edit?(topic)).to eq(true)
          expect(Guardian.new(moderator).can_edit?(topic)).to eq(true)
        end
      end
      context 'private message' do