FIX: access to category chat only when user can create post (#19488)

Previously, a restricted category's chat channel was available to all groups, even `readonly` ones. From now on, only users who belong to a group with `create_post` or `full` permissions can access that chat channel.
Krzysztof Kotlarek
2022-12-19 11:35:28 +11:00
committed by GitHub
parent 4adb457ced
commit 09d15d4c7f
21 changed files with 170 additions and 49 deletions


@ -247,7 +247,7 @@ RSpec.describe Chat::ChatController do
let(:channel) { Fabricate(:category_channel, chatable: category) }
it "ensures created channel can be seen" do
Guardian.any_instance.expects(:can_see_chat_channel?).with(channel)
Guardian.any_instance.expects(:can_join_chat_channel?).with(channel)
sign_in(admin)
post "/chat/enable.json", params: { chatable_type: "category", chatable_id: category.id }
@ -255,7 +255,7 @@ RSpec.describe Chat::ChatController do
# TODO: rewrite specs to ensure no exception is raised
it "ensures existing channel can be seen" do
Guardian.any_instance.expects(:can_see_chat_channel?)
Guardian.any_instance.expects(:can_join_chat_channel?)
sign_in(admin)
post "/chat/enable.json", params: { chatable_type: "category", chatable_id: category.id }
@ -270,7 +270,7 @@ RSpec.describe Chat::ChatController do
channel = Fabricate(:category_channel, chatable: category)
message = Fabricate(:chat_message, chat_channel: channel)
Guardian.any_instance.expects(:can_see_chat_channel?).with(channel)
Guardian.any_instance.expects(:can_join_chat_channel?).with(channel)
sign_in(admin)
post "/chat/disable.json", params: { chatable_type: "category", chatable_id: category.id }
@ -1137,6 +1137,8 @@ RSpec.describe Chat::ChatController do
it "returns a 403 if the user can't see the channel" do
category.update!(read_restricted: true)
group = Fabricate(:group)
CategoryGroup.create(group: group, category: category, permission_type: CategoryGroup.permission_types[:create_post])
sign_in(user)
post "/chat/#{channel.id}/quote.json",
params: {
@ -1310,7 +1312,7 @@ RSpec.describe Chat::ChatController do
channel = Fabricate(:category_channel, chatable: Fabricate(:category))
message = Fabricate(:chat_message, chat_channel: channel)
Guardian.any_instance.expects(:can_see_chat_channel?).with(channel)
Guardian.any_instance.expects(:can_join_chat_channel?).with(channel)
sign_in(Fabricate(:user))
get "/chat/message/#{message.id}.json"
@ -1326,7 +1328,7 @@ RSpec.describe Chat::ChatController do
before { sign_in(user) }
it "ensures message's channel can be seen" do
Guardian.any_instance.expects(:can_see_chat_channel?).with(channel)
Guardian.any_instance.expects(:can_join_chat_channel?).with(channel)
get "/chat/lookup/#{message.id}.json", { params: { chat_channel_id: channel.id } }
end
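Review bot: The 403 spec in the hunk at -1137 ("returns a 403 if the user can't see the channel") does not pin the behaviour this commit fixes. It grants `create_post` to a freshly fabricated group that, as far as the visible lines show, the signed-in `user` never joins, so the request would have been refused under the old `can_see_chat_channel?` check as well. Unless another spec in this commit already covers it, add a case where `user` is a member of a group granted `CategoryGroup.permission_types[:readonly]` and still receives 403. The setup line should also be `CategoryGroup.create!(...)`, so a failed insert raises instead of leaving the spec to pass for the wrong reason. The `it` block continues past the end of the hunk, so its assertions are not visible here.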