FIX: do not allow normal users to wiki edit-expired posts

lib/guardian/post_guardian.rb

@@ -175,7 +175,14 @@ module PostGuardian
 
   def can_wiki?(post)
     return false unless authenticated?
-    is_staff? || @user.has_trust_level?(TrustLevel[4]) || (@user.has_trust_level?(SiteSetting.min_trust_to_allow_self_wiki) && is_my_own?(post))
+    return true if is_staff? || @user.has_trust_level?(TrustLevel[4])
+
+    if @user.has_trust_level?(SiteSetting.min_trust_to_allow_self_wiki) && is_my_own?(post)
+      return false if post.hidden?
+      return !post.edit_time_limit_expired?
+    end
+
+    false
   end
 
   def can_change_post_type?

spec/components/guardian_spec.rb

@@ -2098,7 +2098,7 @@ describe Guardian do
   end
 
   describe 'can_wiki?' do
-    let(:post) { build(:post) }
+    let(:post) { build(:post, created_at: 1.minute.ago) }
 
     it 'returns false for regular user' do
       expect(Guardian.new(coding_horror).can_wiki?(post)).to be_falsey
@@ -2127,5 +2127,25 @@ describe Guardian do
     it 'returns true for trust_level_4 user' do
       expect(Guardian.new(trust_level_4).can_wiki?(post)).to be_truthy
     end
+
+    context 'post is older than post_edit_time_limit' do
+      let(:old_post) { build(:post, user: trust_level_2, created_at: 6.minutes.ago) }
+      before do
+        SiteSetting.min_trust_to_allow_self_wiki = 2
+        SiteSetting.post_edit_time_limit = 5
+      end
+
+      it 'returns false when user satisfies trust level and owns the post' do
+        expect(Guardian.new(trust_level_2).can_wiki?(old_post)).to be_falsey
+      end
+
+      it 'returns true for admin user' do
+        expect(Guardian.new(admin).can_wiki?(old_post)).to be_truthy
+      end
+
+      it 'returns true for trust_level_4 user' do
+        expect(Guardian.new(trust_level_4).can_wiki?(post)).to be_truthy
+      end
+    end
   end
 end