FIX: access to category chat only when user can create post (#19488)

Previously, restricted category chat channel was available for all groups - even `readonly`. From now on, only user who belong to group with `create_post` or `full` permissions can access that chat channel.
2025-06-01 17:40:43 +08:00 · 2022-12-19 11:35:28 +11:00
parent 4adb457ced
commit 09d15d4c7f
21 changed files with 170 additions and 49 deletions
--- a/plugins/chat/spec/lib/guardian_extensions_spec.rb
+++ b/plugins/chat/spec/lib/guardian_extensions_spec.rb
@ -72,18 +72,18 @@ RSpec.describe Chat::GuardianExtensions do
      expect(staff_guardian.can_change_channel_status?(channel, :read_only)).to eq(true)
    end

-    describe "#can_see_chat_channel?" do
+    describe "#can_join_chat_channel?" do
      context "for direct message channels" do
        fab!(:chatable) { Fabricate(:direct_message) }
        fab!(:channel) { Fabricate(:direct_message_channel, chatable: chatable) }

        it "returns false if the user is not part of the direct message" do
-          expect(guardian.can_see_chat_channel?(channel)).to eq(false)
+          expect(guardian.can_join_chat_channel?(channel)).to eq(false)
        end

        it "returns true if the user is part of the direct message" do
          DirectMessageUser.create!(user: user, direct_message: chatable)
-          expect(guardian.can_see_chat_channel?(channel)).to eq(true)
+          expect(guardian.can_join_chat_channel?(channel)).to eq(true)
        end
      end

@ -92,15 +92,20 @@ RSpec.describe Chat::GuardianExtensions do

        before { channel.update(chatable: category) }

-        it "returns true if the user can see the category" do
-          expect(Guardian.new(user).can_see_chat_channel?(channel)).to eq(false)
-          group = Fabricate(:group)
-          CategoryGroup.create(group: group, category: category)
-          GroupUser.create(group: group, user: user)
+        it "returns true if the user can join the category" do
+          guardian = Guardian.new(user)

-          # have to make a new instance of guardian because `user.secure_category_ids`
-          # is memoized there
-          expect(Guardian.new(user).can_see_chat_channel?(channel)).to eq(true)
+          readonly_group = Fabricate(:group)
+          CategoryGroup.create(group: readonly_group, category: category, permission_type: CategoryGroup.permission_types[:readonly])
+          GroupUser.create(group: readonly_group, user: user)
+
+          create_post_group = Fabricate(:group)
+          CategoryGroup.create(group: create_post_group, category: category, permission_type: CategoryGroup.permission_types[:create_post])
+
+          expect(guardian.can_join_chat_channel?(channel)).to eq(false)
+
+          GroupUser.create(group: create_post_group, user: user)
+          expect(guardian.can_join_chat_channel?(channel)).to eq(true)
        end
      end
    end