FIX: Ensure moderators_manage_categories_and_groups is respected (#18884)

Currently, moderators are able to set primary group for users irrespective of the of the `moderators_manage_categories_and_groups` site setting value. This change updates Guardian implementation to honour it.
2025-06-05 14:07:30 +08:00 · 2022-11-11 11:06:05 +00:00
parent 4cd07627d5
commit 0b367216ae
6 changed files with 68 additions and 9 deletions
--- a/spec/requests/admin/users_controller_spec.rb
+++ b/spec/requests/admin/users_controller_spec.rb
@ -1052,7 +1052,31 @@ RSpec.describe Admin::UsersController do
    context "when logged in as a moderator" do
      before { sign_in(moderator) }

-      include_examples "primary group updates possible"
+      context "when moderators_manage_categories_and_groups site setting is enabled" do
+        before do
+          SiteSetting.moderators_manage_categories_and_groups = true
+        end
+
+        include_examples "primary group updates possible"
+      end
+
+      context "when moderators_manage_categories_and_groups site setting is disabled" do
+        before do
+          SiteSetting.moderators_manage_categories_and_groups = false
+        end
+
+        it "prevents setting primary group with a 403 response" do
+          group.add(another_user)
+          put "/admin/users/#{another_user.id}/primary_group.json", params: {
+            primary_group_id: group.id
+          }
+
+          expect(response.status).to eq(403)
+          expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
+          another_user.reload
+          expect(another_user.primary_group_id).to eq(nil)
+        end
+      end
    end

    context "when logged in as a non-staff user" do