From 241d8f6452d202cbdcef44032ea725c2e76492ca Mon Sep 17 00:00:00 2001
From: Blake Erickson
Date: Tue, 4 Feb 2020 16:28:35 -0700
Subject: [PATCH] FIX: Edit title respects min trust to edit post
This fix ensures that the site setting `post_edit_time_limit` does not bypass the limit of the site setting `min_trust_to_edit_post`. This prevents a bug where users that did not meet the minimum trust level to edit could edit the title of topics.
---
 app/models/concerns/limited_edit.rb | 4 +++-
 spec/components/guardian_spec.rb | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/app/models/concerns/limited_edit.rb b/app/models/concerns/limited_edit.rb
index bfd21392b5b..e434565db3f 100644
--- a/app/models/concerns/limited_edit.rb
+++ b/app/models/concerns/limited_edit.rb
@@ -5,7 +5,9 @@ module LimitedEdit
 def edit_time_limit_expired?(user)
 time_limit = user_time_limit(user)
- if created_at && time_limit > 0
+ if user.trust_level < SiteSetting.min_trust_to_edit_post
+ true
+ elsif created_at && time_limit > 0
 created_at < time_limit.minutes.ago
 else
 false
diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb
index 8aa4e497378..8f0a454be45 100644
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@@ -1362,6 +1362,13 @@ describe Guardian do
 expect(Guardian.new(trust_level_4).can_edit?(post)).to eq(false)
 end
+ it 'returns false when trying to edit a topic with no trust' do
+ SiteSetting.min_trust_to_edit_post = 2
+ post.user.trust_level = 1
+
+ expect(Guardian.new(topic.user).can_edit?(topic)).to be_falsey
+ end
+
 it 'returns false when trying to edit a post with no trust' do
 SiteSetting.min_trust_to_edit_post = 2
 post.user.trust_level = 1
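Review bot: In app/models/concerns/limited_edit.rb, the new first branch of `edit_time_limit_expired?` makes a time-limit predicate answer an authorization question: a user below `SiteSetting.min_trust_to_edit_post` is reported as expired regardless of `created_at` or the configured limit. That closes the title-edit bypass only for callers that consult this method, and whether staff or other exempt users are screened out before it is reached is not visible here, so it is worth confirming that the Guardian edit paths enforce the trust requirement explicitly as well. At minimum I would document the coupling above the branch, e.g. `# Below min_trust_to_edit_post: report the edit window as expired so every caller denies the edit.`, and consider a guard clause `return true if user.trust_level < SiteSetting.min_trust_to_edit_post` placed before `user_time_limit(user)` is computed. The method body continues past the end of the hunk.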
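Review bot: In spec/components/guardian_spec.rb, the added example lowers `post.user.trust_level` but then asserts on `Guardian.new(topic.user).can_edit?(topic)`, so unless `post.user` and `topic.user` are the same record (the fixtures are defined outside the hunk) the setup line does not affect the user under test. Setting it on the subject directly, `topic.user.trust_level = 1`, would make the example self-evident. The example also leaves `post_edit_time_limit` at its default although the commit message names it as the setting that allowed the bypass, and there is no counterpart with a user exactly at the minimum trust level to pin the `<` comparison; both would make a regression of this access check harder to miss. The neighbouring example asserts `eq(false)` while this one uses `be_falsey`, which would also accept `nil`.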