FIX: staff should not be able to PM groups that "Nobody" can message (#16163)

If a group's messageable_level is set to nobody then staff should not be able to send PMs to it.

Co-authored-by: Martin Brennan <martin@discourse.org>
Vinoth Kannan
2022-03-22 05:53:14 +05:30
committed by GitHub
parent 31bc756037
commit 8a9a7a77d8
3 changed files with 12 additions and 9 deletions

@@ -47,6 +47,9 @@ class Guardian
def silenced?
false
end
def is_system_user?
false
end
def secure_category_ids
[]
end
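Review bot: the new `is_system_user?` stub in this block of fixed-value methods has no comment saying why it exists. `can_send_private_message?` now calls `@user.is_system_user?` on whatever object `@user` holds, so this stub is the only thing keeping that call from raising for a guardian built without a real user. A one-line comment noting that it must mirror the predicate on the real user object would help the next person who renames or removes either side.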
@@ -422,6 +425,7 @@ class Guardian
def can_send_private_message?(target, notify_moderators: false)
is_user = target.is_a?(User)
is_group = target.is_a?(Group)
from_system = @user.is_system_user?
(is_group || is_user) &&
# User is authenticated
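Review bot: `from_system` is assigned at the top of `can_send_private_message?`, before the `(is_group || is_user)` and authentication checks, yet it is read in only one clause further down. Either inline `@user.is_system_user?` in the messageable-level clause so the exemption sits next to the rule it relaxes, or name the local in line with its neighbours `is_user` and `is_group` (for example `is_system`), so the three flags read as one set.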
@@ -435,7 +439,7 @@ class Guardian
# Can't send PMs to suspended users
(is_staff? || is_group || !target.suspended?) &&
# Check group messageable level
(is_staff? || is_user || Group.messageable(@user).where(id: target.id).exists? || notify_moderators) &&
(from_system || is_user || Group.messageable(@user).where(id: target.id).exists? || notify_moderators) &&
# Silenced users can only send PM to staff
(!is_silenced? || target.staff?)
end
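Review bot: the comment `# Check group messageable level` above the changed clause no longer describes the whole rule, because the clause now passes for `from_system` and still passes whenever `notify_moderators` is true, regardless of the group's level. Please extend the comment to name both exemptions. Also confirm that `Group.messageable(@user)` does not itself let staff through, since otherwise swapping `is_staff?` for `from_system` here would not change the outcome for a group set to "Nobody". The `is_staff?` on the suspended-user line just above is left in place, which looks intentional but is worth stating in the commit message.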