FEATURE: Allow admins to delete reviewables via API (#21174)

This PR adds the ability to destroy reviewables for a passed user via the API. This was not possible before, as this action was reserved for reviewables you created only.

If a user is an admin and calls the `#destroy` action from the API, they are able to destroy a reviewable for a passed user. A user can be targeted by passing either their:
- username
- external_id (for SSO)

to the request.

In the case you attempt to destroy a non-personal reviewable and
- You are not an admin
- You do not access the `#destroy` action via the API

you will raise a `Discourse::InvalidAccess` (403) and will not succeed in destroying the reviewable.
Isaac Janzen
2023-04-20 09:38:41 -05:00
committed by GitHub
parent ba2adc7793
commit dd495a0e19
3 changed files with 84 additions and 4 deletions


@@ -232,7 +232,7 @@ class Guardian
end
def can_delete_reviewable_queued_post?(reviewable)
reviewable.present? && authenticated? && reviewable.created_by_id == @user.id
reviewable.present? && authenticated? && (reviewable.created_by_id == @user.id || @user.admin?)
end
def can_see_group?(group)
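Review bot: the new condition in `can_delete_reviewable_queued_post?` grants deletion to any admin unconditionally (`reviewable.created_by_id == @user.id || @user.admin?`), while the commit message says the expanded permission applies only when an admin calls `#destroy` via the API. Nothing in this hunk ties the admin branch to an API request, so either the API-only restriction must be enforced in the controller (not shown here) before this guardian check is consulted, or the guardian should carry that condition itself; as written, any code path that consults this guardian method will let an admin delete another user's queued-post reviewable. Whichever is intended, the description and the guardian should agree, and a spec covering the non-API admin case would make the intended boundary explicit. Also, since `authenticated?` already guarantees `@user` is present, the `@user.admin?` call is safe and needs no extra nil guard.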