FIX: allows bots to create/update/stream messages (#26900)

Prior to this commit, only system users had this pass. Another significant change of the PR, is to make membership of a channel the angular stone of the permission check to create/update/stop streaming a message. The idea being, if you are a member of a channel already we don't need to check if you can join it AGAIN. We also have `Chat::AutoRemove::HandleCategoryUpdated` which will deal with permissions change so it's simpler and less prone to error to consider the membership as the only source of truth.
2025-06-02 04:08:41 +08:00 · 2024-05-07 15:17:42 +02:00
parent ba357dd6cc
commit 26c8eab1f3
15 changed files with 196 additions and 110 deletions
--- a/plugins/chat/lib/chat_sdk/message.rb
+++ b/plugins/chat/lib/chat_sdk/message.rb
@ -94,6 +94,9 @@ module ChatSDK
      with_service(Chat::StopMessageStreaming, message_id: message_id, guardian: guardian) do
        on_success { result.message }
        on_model_not_found(:message) { raise "Couldn't find message with id: `#{message_id}`" }
+        on_model_not_found(:membership) do
+          raise "Couldn't find membership for user with id: `#{guardian.user.id}`"
+        end
        on_failed_policy(:can_join_channel) do
          raise "User with id: `#{guardian.user.id}` can't join this channel"
        end
@ -132,8 +135,8 @@ module ChatSDK
          strip_whitespaces: strip_whitespaces,
        ) do
          on_model_not_found(:channel) { raise "Couldn't find channel with id: `#{channel_id}`" }
-          on_model_not_found(:channel_membership) do
-            raise "User with id: `#{guardian.user.id}` has no membership to this channel"
+          on_model_not_found(:membership) do
+            raise "Couldn't find membership for user with id: `#{guardian.user.id}`"
          end
          on_failed_policy(:ensure_valid_thread_for_channel) do
            raise "Couldn't find thread with id: `#{thread_id}`"