FIX: Regular users shouldn't be able to invite to PMs if disabled

Robin Ward
2017-05-19 12:55:26 -04:00
parent c0c6cb8124
commit 28f486cb7a
2 changed files with 59 additions and 29 deletions


@ -232,10 +232,11 @@ class Guardian
end end
def can_invite_to?(object, group_ids=nil) def can_invite_to?(object, group_ids=nil)
return false if ! authenticated? return false unless authenticated?
return true if is_admin? return true if is_admin?
return false unless SiteSetting.enable_private_messages?
return false if (SiteSetting.max_invites_per_day.to_i == 0 && !is_staff?) return false if (SiteSetting.max_invites_per_day.to_i == 0 && !is_staff?)
return false if ! can_see?(object) return false unless can_see?(object)
return false if group_ids.present? return false if group_ids.present?
if object.is_a?(Topic) && object.category if object.is_a?(Topic) && object.category
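Review bot: The added `return false unless SiteSetting.enable_private_messages?` runs for every `object`, not only private-message topics, so with the setting off any non-admin is refused an invite to an ordinary topic as well; moderators are included because the check sits before the `is_staff?` line. That is broader than the commit title describes and turns an unrelated site setting into a switch for all topic invites. Scoping the guard to PMs, e.g. `return false if !SiteSetting.enable_private_messages? && object.is_a?(Topic) && object.private_message?`, would keep the restriction where it is meant to apply. The rest of `can_invite_to?` lies outside the hunk, so confirm that no later branch depends on the early return.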


@ -330,6 +330,8 @@ describe Guardian do
end end
describe 'can_invite_to?' do describe 'can_invite_to?' do
describe "regular topics" do
let(:group) { Fabricate(:group) } let(:group) { Fabricate(:group) }
let(:category) { Fabricate(:category, read_restricted: true) } let(:category) { Fabricate(:category, read_restricted: true) }
let(:topic) { Fabricate(:topic) } let(:topic) { Fabricate(:topic) }
@ -340,6 +342,7 @@ describe Guardian do
let(:private_category) { Fabricate(:private_category, group: group) } let(:private_category) { Fabricate(:private_category, group: group) }
let(:group_private_topic) { Fabricate(:topic, category: private_category) } let(:group_private_topic) { Fabricate(:topic, category: private_category) }
let(:group_owner) { group_private_topic.user.tap { |u| group.add_owner(u) } } let(:group_owner) { group_private_topic.user.tap { |u| group.add_owner(u) } }
let(:pm) { Fabricate(:topic) }
it 'handles invitation correctly' do it 'handles invitation correctly' do
expect(Guardian.new(nil).can_invite_to?(topic)).to be_falsey expect(Guardian.new(nil).can_invite_to?(topic)).to be_falsey
@ -367,6 +370,32 @@ describe Guardian do
end end
end end
describe "private messages" do
let(:user) { Fabricate(:user, trust_level: TrustLevel[2]) }
let!(:pm) { Fabricate(:private_message_topic, user: user) }
let(:admin) { Fabricate(:admin) }
context "when private messages are disabled" do
it "allows an admin to invite to the pm" do
expect(Guardian.new(admin).can_invite_to?(pm)).to be_truthy
expect(Guardian.new(user).can_invite_to?(pm)).to be_truthy
end
end
context "when private messages are disabled" do
before do
SiteSetting.enable_private_messages = false
end
it "doesn't allow a regular user to invite" do
expect(Guardian.new(admin).can_invite_to?(pm)).to be_truthy
expect(Guardian.new(user).can_invite_to?(pm)).to be_falsey
end
end
end
end
describe 'can_invite_via_email?' do describe 'can_invite_via_email?' do
it 'returns true for all (tl2 and above) users when sso is disabled, local logins are enabled, user approval is not required' do it 'returns true for all (tl2 and above) users when sso is disabled, local logins are enabled, user approval is not required' do
expect(Guardian.new(trust_level_2).can_invite_via_email?(topic)).to be_truthy expect(Guardian.new(trust_level_2).can_invite_via_email?(topic)).to be_truthy
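Review bot: Both contexts in the new "private messages" block are described as `when private messages are disabled`, but the first never touches the setting and is really the enabled case (it relies on the default); rename it to `context "when private messages are enabled" do`. Its example `allows an admin to invite to the pm` also asserts on the regular user, so the title understates what is checked. Nothing here pins whether a regular user can still invite to an ordinary topic while `enable_private_messages` is false, which is the permission most likely to change silently with the new guard. The `let(:pm) { Fabricate(:topic) }` added under "regular topics" does not appear to be used in the visible lines and can probably be dropped.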