IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FIX: Change is_staff to is_admin to match other places where guardian.allowed_category_ids is used

Browse Source 
https://meta.discourse.org/t/security-permissions-and-messages-displayed-on-group-url/22169/17
This commit is contained in:
cpradio
2014-11-16 20:31:16 -05:00
parent 22fa46b1f2
commit bf7be0c130
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/models/group.rb
View File

@@ -42,7 +42,7 @@ class Group < ActiveRecord::Base
.where('topics.archetype <> ?', Archetype.private_message) .where('topics.archetype <> ?', Archetype.private_message)
.where(post_type: Post.types[:regular]) .where(post_type: Post.types[:regular])
unless guardian.is_staff? unless guardian.is_admin?
allowed_ids = guardian.allowed_category_ids allowed_ids = guardian.allowed_category_ids
if allowed_ids.length > 0 if allowed_ids.length > 0
result = result.where('topics.category_id IS NULL or topics.category_id IN (?)', allowed_ids) result = result.where('topics.category_id IS NULL or topics.category_id IN (?)', allowed_ids)