SECURITY: Users can only bookmark posts which they can see.

This commit is contained in:
Guo Xiang Tan
2016-12-21 12:01:26 +08:00
parent 1821a0933d
commit 5d7f3223f0
9 changed files with 91 additions and 33 deletions


@@ -7,8 +7,13 @@ class PostActionsController < ApplicationController
def create
taken = PostAction.counts_for([@post], current_user)[@post.id]
guardian.ensure_post_can_act!(@post, PostActionType.types[@post_action_type_id], taken_actions: taken)
guardian.ensure_post_can_act!(@post, PostActionType.types[@post_action_type_id], is_warning: params[:is_warning])
guardian.ensure_post_can_act!(
@post,
PostActionType.types[@post_action_type_id],
is_warning: params[:is_warning],
taken_actions: taken
)
args = {}
args[:message] = params[:message] if params[:message].present?
@@ -77,7 +82,6 @@ class PostActionsController < ApplicationController
finder = finder.with_deleted if guardian.is_staff?
@post = finder.first
guardian.ensure_can_see!(@post)
end
def fetch_post_action_type_id_from_params
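Review bot: With `guardian.ensure_can_see!(@post)` dropped from the finder in the second hunk, nothing visible in this controller now guards against `finder.first` returning nil, so `PostAction.counts_for([@post], current_user)[@post.id]` at the top of `create` would raise NoMethodError (a 500) rather than a clean not-found or forbidden response; if the moved visibility check lives in `ensure_post_can_act!` in one of the other changed files, it runs too late to cover that line. I would add a nil guard that raises the application's not-found error right after `@post = finder.first`, before any action code touches `@post`. Since the controller no longer shows where visibility is enforced, a comment on that line would help the next reader, e.g. `# visibility is enforced by guardian.ensure_post_can_act! in each action`. The enclosing finder method begins outside the hunk, and `create` continues past the first hunk, so this is inferred from the visible lines only.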