IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FIX: Guardian#can_remove_allowed_users? shouldn't break for ownerless topics

Browse Source 
A topic can outlive its original author. TopicGuardian should still work
in this situation.
This commit is contained in:
Daniel Waterworth 2020-06-19 10:04:05 +01:00
parent 3e161e372a
commit 9cf77372a2
2 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/guardian/topic_guardian.rb
View File

@ -5,7 +5,7 @@ module TopicGuardian
def can_remove_allowed_users?(topic, target_user = nil) def can_remove_allowed_users?(topic, target_user = nil)
is_staff? || is_staff? ||
(topic.user == user && user.has_trust_level?(TrustLevel[2])) || (topic.user == @user && @user.has_trust_level?(TrustLevel[2])) ||
( (
topic.allowed_users.count > 1 && topic.allowed_users.count > 1 &&
topic.user != target_user && topic.user != target_user &&

15
spec/components/guardian_spec.rb
View File

@ -3503,6 +3503,21 @@ describe Guardian do
end end
end end
end end
context "anonymous users" do
fab!(:topic) { Fabricate(:topic) }
it 'should be false' do
expect(Guardian.new.can_remove_allowed_users?(topic)).to eq(false)
end
it 'should be false when the topic does not have a user (for example because the user was removed)' do
DB.exec("UPDATE topics SET user_id=NULL WHERE id=#{topic.id}")
topic.reload
expect(Guardian.new.can_remove_allowed_users?(topic)).to eq(false)
end
end
end end
describe '#auth_token' do describe '#auth_token' do