From 9cf77372a2ebe830f91f143e0858f0a82e3aef37 Mon Sep 17 00:00:00 2001
From: Daniel Waterworth
Date: Fri, 19 Jun 2020 10:04:05 +0100
Subject: [PATCH] FIX: Guardian#can_remove_allowed_users? shouldn't break for ownerless topics

A topic can outlive its original author. TopicGuardian should still work in this situation.
---
 lib/guardian/topic_guardian.rb | 2 +-
 spec/components/guardian_spec.rb | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/lib/guardian/topic_guardian.rb b/lib/guardian/topic_guardian.rb
index 33f5d836f4a..842f44c0cf0 100644
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@@ -5,7 +5,7 @@ module TopicGuardian
 def can_remove_allowed_users?(topic, target_user = nil)
 is_staff? ||
- (topic.user == user && user.has_trust_level?(TrustLevel[2])) ||
+ (topic.user == @user && @user.has_trust_level?(TrustLevel[2])) ||
 (
 topic.allowed_users.count > 1 &&
 topic.user != target_user &&
diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb
index 8927ea316ea..6c4ddd161f9 100644
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@@ -3503,6 +3503,21 @@ describe Guardian do
 end
 end
 end
+
+ context "anonymous users" do
+ fab!(:topic) { Fabricate(:topic) }
+
+ it 'should be false' do
+ expect(Guardian.new.can_remove_allowed_users?(topic)).to eq(false)
+ end
+
+ it 'should be false when the topic does not have a user (for example because the user was removed)' do
+ DB.exec("UPDATE topics SET user_id=NULL WHERE id=#{topic.id}")
+ topic.reload
+
+ expect(Guardian.new.can_remove_allowed_users?(topic)).to eq(false)
+ end
+ end
 end
 describe '#auth_token' do
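Review bot: The trust-level clause in `can_remove_allowed_users?` now depends on `@user` and `user` behaving differently for anonymous guardians (presumably the accessor returns nil while the instance variable holds a non-nil anonymous object), and nothing in the method records that. Because this is an authorization predicate, a later cleanup that restores `user` would bring back the `nil == nil` match against an ownerless topic followed by a call on nil. I would add a comment above the clause such as `# @user, not user: topic.user can be nil (deleted author) and must never compare equal to an anonymous guardian`. The following clause also tests `topic.user != target_user`, which is true for an ownerless topic and any non-nil target, so the rest of that clause, which continues past the end of the hunk, should be confirmed to still restrict removal as intended.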
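Review bot: Both new examples in the "anonymous users" context call `Guardian.new` with no user, so the ownerless-topic case is only covered for anonymous callers. A logged-in non-staff user against a topic whose `user_id` is NULL, with and without a `target_user`, is not exercised, and that is the path where the `topic.user != target_user` clause decides the outcome; I would add one example for each. The raw `DB.exec` with an interpolated id is harmless here because the id comes from the fabricator, but `topic.update_column(:user_id, nil)` would express the same setup without string-built SQL. The description 'should be false' would read better if it named the condition, as the second example does.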