SECURITY: dissalow mods from seeing PMs

2024-11-23 01:16:38 -06:00 · 2014-02-07 14:24:19 +11:00 · 2014-02-07 14:24:19 +11:00 · d9c05fcfc8
commit d9c05fcfc8
parent 93434be16d
3 changed files with 11 additions and 3 deletions
--- a/app/assets/javascripts/discourse/controllers/user_controller.js
+++ b/app/assets/javascripts/discourse/controllers/user_controller.js
@ -15,7 +15,7 @@ Discourse.UserController = Discourse.ObjectController.extend({
  collapsedInfo: Em.computed.not('indexStream'),

  canSeePrivateMessages: function() {
-    return this.get('viewingSelf') || Discourse.User.currentProp('staff');
+    return this.get('viewingSelf') || Discourse.User.currentProp('admin');
  }.property('viewingSelf'),

  privateMessageView: function() {
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@ -13,6 +13,7 @@ class Guardian
    def blank?; true; end
    def admin?; false; end
    def staff?; false; end
+    def moderator?; false; end
    def approved?; false; end
    def secure_category_ids; []; end
    def topic_create_allowed_category_ids; []; end
@ -44,6 +45,10 @@ class Guardian
    @user.staff?
  end

+  def is_moderator?
+    @user.moderator?
+  end
+
  def is_developer?
    @user &&
    is_admin? &&
@ -172,7 +177,7 @@ class Guardian
  end

  def can_see_private_messages?(user_id)
-    is_staff? || (authenticated? && @user.id == user_id)
+    is_admin? || (authenticated? && @user.id == user_id)
  end

  def can_edit_user?(user)
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@ -100,7 +100,10 @@ module PostGuardain
  end

  def can_see_post?(post)
-    post.present? && (is_staff? || (!post.deleted_at.present? && can_see_topic?(post.topic)))
+    post.present? &&
+      (is_admin? ||
+      ((is_moderator? || !post.deleted_at.present?) &&
+        can_see_topic?(post.topic)))
  end

  def can_see_post_revision?(post_revision)