FIX: Regular users shouldn't be able to invite to PMs if disabled

Robin Ward
2017-05-19 12:55:26 -04:00
parent c0c6cb8124
commit 28f486cb7a
2 changed files with 59 additions and 29 deletions


@ -232,10 +232,11 @@ class Guardian
end end
def can_invite_to?(object, group_ids=nil) def can_invite_to?(object, group_ids=nil)
return false if ! authenticated? return false unless authenticated?
return true if is_admin? return true if is_admin?
return false unless SiteSetting.enable_private_messages?
return false if (SiteSetting.max_invites_per_day.to_i == 0 && !is_staff?) return false if (SiteSetting.max_invites_per_day.to_i == 0 && !is_staff?)
return false if ! can_see?(object) return false unless can_see?(object)
return false if group_ids.present? return false if group_ids.present?
if object.is_a?(Topic) && object.category if object.is_a?(Topic) && object.category
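Review bot: The added guard `return false unless SiteSetting.enable_private_messages?` runs before the object's type is examined, so with private messages disabled every non-admin caller, moderators included, is refused for ordinary topics and categories as well as for PMs. The commit title scopes the fix to PMs, so the check probably belongs in the Topic branch, e.g. `return false if object.is_a?(Topic) && object.private_message? && !SiteSetting.enable_private_messages?`. If refusing moderators is intended, a comment such as `# only admins may invite while PMs are disabled` would record that; the staff exemption on the following `max_invites_per_day` line suggests it is not. The body of `can_invite_to?` continues past the end of the hunk, so later branches may already distinguish PMs.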


@ -330,43 +330,72 @@ describe Guardian do
end end
describe 'can_invite_to?' do describe 'can_invite_to?' do
let(:group) { Fabricate(:group) }
let(:category) { Fabricate(:category, read_restricted: true) }
let(:topic) { Fabricate(:topic) }
let(:private_topic) { Fabricate(:topic, category: category) }
let(:user) { topic.user }
let(:moderator) { Fabricate(:moderator) }
let(:admin) { Fabricate(:admin) }
let(:private_category) { Fabricate(:private_category, group: group) }
let(:group_private_topic) { Fabricate(:topic, category: private_category) }
let(:group_owner) { group_private_topic.user.tap { |u| group.add_owner(u) } }
it 'handles invitation correctly' do describe "regular topics" do
expect(Guardian.new(nil).can_invite_to?(topic)).to be_falsey let(:group) { Fabricate(:group) }
expect(Guardian.new(moderator).can_invite_to?(nil)).to be_falsey let(:category) { Fabricate(:category, read_restricted: true) }
expect(Guardian.new(moderator).can_invite_to?(topic)).to be_truthy let(:topic) { Fabricate(:topic) }
expect(Guardian.new(user).can_invite_to?(topic)).to be_falsey let(:private_topic) { Fabricate(:topic, category: category) }
let(:user) { topic.user }
let(:moderator) { Fabricate(:moderator) }
let(:admin) { Fabricate(:admin) }
let(:private_category) { Fabricate(:private_category, group: group) }
let(:group_private_topic) { Fabricate(:topic, category: private_category) }
let(:group_owner) { group_private_topic.user.tap { |u| group.add_owner(u) } }
let(:pm) { Fabricate(:topic) }
SiteSetting.max_invites_per_day = 0 it 'handles invitation correctly' do
expect(Guardian.new(nil).can_invite_to?(topic)).to be_falsey
expect(Guardian.new(moderator).can_invite_to?(nil)).to be_falsey
expect(Guardian.new(moderator).can_invite_to?(topic)).to be_truthy
expect(Guardian.new(user).can_invite_to?(topic)).to be_falsey
expect(Guardian.new(user).can_invite_to?(topic)).to be_falsey SiteSetting.max_invites_per_day = 0
# staff should be immune to max_invites_per_day setting
expect(Guardian.new(moderator).can_invite_to?(topic)).to be_truthy expect(Guardian.new(user).can_invite_to?(topic)).to be_falsey
# staff should be immune to max_invites_per_day setting
expect(Guardian.new(moderator).can_invite_to?(topic)).to be_truthy
end
it 'returns false for normal user on private topic' do
expect(Guardian.new(user).can_invite_to?(private_topic)).to be_falsey
end
it 'returns true for admin on private topic' do
expect(Guardian.new(admin).can_invite_to?(private_topic)).to be_truthy
end
it 'returns true for a group owner' do
expect(Guardian.new(group_owner).can_invite_to?(group_private_topic)).to be_truthy
end
end end
it 'returns false for normal user on private topic' do describe "private messages" do
expect(Guardian.new(user).can_invite_to?(private_topic)).to be_falsey let(:user) { Fabricate(:user, trust_level: TrustLevel[2]) }
end let!(:pm) { Fabricate(:private_message_topic, user: user) }
let(:admin) { Fabricate(:admin) }
it 'returns true for admin on private topic' do context "when private messages are disabled" do
expect(Guardian.new(admin).can_invite_to?(private_topic)).to be_truthy it "allows an admin to invite to the pm" do
end expect(Guardian.new(admin).can_invite_to?(pm)).to be_truthy
expect(Guardian.new(user).can_invite_to?(pm)).to be_truthy
end
end
it 'returns true for a group owner' do context "when private messages are disabled" do
expect(Guardian.new(group_owner).can_invite_to?(group_private_topic)).to be_truthy before do
SiteSetting.enable_private_messages = false
end
it "doesn't allow a regular user to invite" do
expect(Guardian.new(admin).can_invite_to?(pm)).to be_truthy
expect(Guardian.new(user).can_invite_to?(pm)).to be_falsey
end
end
end end
end end
describe 'can_invite_via_email?' do describe 'can_invite_via_email?' do
it 'returns true for all (tl2 and above) users when sso is disabled, local logins are enabled, user approval is not required' do it 'returns true for all (tl2 and above) users when sso is disabled, local logins are enabled, user approval is not required' do
expect(Guardian.new(trust_level_2).can_invite_via_email?(topic)).to be_truthy expect(Guardian.new(trust_level_2).can_invite_via_email?(topic)).to be_truthy
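Review bot: The first `context "when private messages are disabled"` never turns the setting off, so it exercises the enabled default under a name that duplicates the next context; rename it to `context "when private messages are enabled"` and set `SiteSetting.enable_private_messages = true` in a `before` so the example does not depend on the default. The "regular topics" group has no example with `enable_private_messages = false`, so nothing pins whether the new guard in Guardian is meant to affect ordinary topics or moderators; an example such as `expect(Guardian.new(moderator).can_invite_to?(topic)).to be_truthy` under that setting would make the intended authorization boundary explicit. `let(:pm) { Fabricate(:topic) }` in that group looks unused in the visible lines.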