FIX: access to category chat only when user can create post (#19488)

Previously, a restricted category's chat channel was available to all groups, even `readonly` ones. From now on, only users who belong to a group with `create_post` or `full` permissions can access that chat channel.
Krzysztof Kotlarek
2022-12-19 11:35:28 +11:00
committed by GitHub
parent 4adb457ced
commit 09d15d4c7f
21 changed files with 170 additions and 49 deletions


@ -72,18 +72,18 @@ RSpec.describe Chat::GuardianExtensions do
expect(staff_guardian.can_change_channel_status?(channel, :read_only)).to eq(true)
end
describe "#can_see_chat_channel?" do
describe "#can_join_chat_channel?" do
context "for direct message channels" do
fab!(:chatable) { Fabricate(:direct_message) }
fab!(:channel) { Fabricate(:direct_message_channel, chatable: chatable) }
it "returns false if the user is not part of the direct message" do
expect(guardian.can_see_chat_channel?(channel)).to eq(false)
expect(guardian.can_join_chat_channel?(channel)).to eq(false)
end
it "returns true if the user is part of the direct message" do
DirectMessageUser.create!(user: user, direct_message: chatable)
expect(guardian.can_see_chat_channel?(channel)).to eq(true)
expect(guardian.can_join_chat_channel?(channel)).to eq(true)
end
end
@ -92,15 +92,20 @@ RSpec.describe Chat::GuardianExtensions do
before { channel.update(chatable: category) }
it "returns true if the user can see the category" do
expect(Guardian.new(user).can_see_chat_channel?(channel)).to eq(false)
group = Fabricate(:group)
CategoryGroup.create(group: group, category: category)
GroupUser.create(group: group, user: user)
it "returns true if the user can join the category" do
guardian = Guardian.new(user)
# have to make a new instance of guardian because `user.secure_category_ids`
# is memoized there
expect(Guardian.new(user).can_see_chat_channel?(channel)).to eq(true)
readonly_group = Fabricate(:group)
CategoryGroup.create(group: readonly_group, category: category, permission_type: CategoryGroup.permission_types[:readonly])
GroupUser.create(group: readonly_group, user: user)
create_post_group = Fabricate(:group)
CategoryGroup.create(group: create_post_group, category: category, permission_type: CategoryGroup.permission_types[:create_post])
expect(guardian.can_join_chat_channel?(channel)).to eq(false)
GroupUser.create(group: create_post_group, user: user)
expect(guardian.can_join_chat_channel?(channel)).to eq(true)
end
end
end
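Review bot: The category-channel example in the second hunk asserts the `readonly` denial and the `create_post` grant, but the commit message also names `full` as a granting permission and nothing visible here asserts it. I would add an example that creates the `CategoryGroup` with `permission_type: CategoryGroup.permission_types[:full]` and expects `can_join_chat_channel?` to be `true`. The denial would also read better as its own example, e.g. `it "returns false when the user only has readonly access"`, because the current title `"returns true if the user can join the category"` hides the case this fix exists for. Both expectations share one `guardian` across the `GroupUser.create` call, while a comment in this section (which side it belongs to is not clear from this rendering) says `user.secure_category_ids` is memoized on the guardian. If the new check reads any memoized state, rebuilding `Guardian.new(user)` before the final expectation would keep the test from passing or failing for the wrong reason. The enclosing `context` and `describe` blocks start outside the hunk, so it is not visible here whether `can_see_chat_channel?` still exists and keeps its own coverage.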