SECURITY: Respect topic permissions when loading draft metadata

Co-authored-by: Sam Saffron <sam.saffron@gmail.com>

spec/models/draft_spec.rb

@@ -8,6 +8,10 @@ describe Draft do
     Fabricate(:user)
   end
 
+  fab!(:post) do
+    Fabricate(:post)
+  end
+
   context 'backup_drafts_to_pm_length' do
     it "correctly backs up drafts to a personal message" do
       SiteSetting.backup_drafts_to_pm_length = 1
@@ -111,7 +115,6 @@ describe Draft do
   end
 
   it 'can cleanup old drafts' do
-    user = Fabricate(:user)
     key = Draft::NEW_TOPIC
 
     Draft.set(user, key, 0, 'draft')
@@ -164,39 +167,35 @@ describe Draft do
     it "should include the right draft username in the stream" do
       Draft.set(user, "topic_#{public_topic.id}", 0, '{"reply":"hey"}')
       draft_row = stream.first
-      expect(draft_row.draft_username).to eq(user.username)
+      expect(draft_row.user.username).to eq(user.username)
     end
 
   end
 
   context 'key expiry' do
     it 'nukes new topic draft after a topic is created' do
-      u = Fabricate(:user)
-      Draft.set(u, Draft::NEW_TOPIC, 0, 'my draft')
-      _t = Fabricate(:topic, user: u)
-      s = DraftSequence.current(u, Draft::NEW_TOPIC)
-      expect(Draft.get(u, Draft::NEW_TOPIC, s)).to eq nil
+      Draft.set(user, Draft::NEW_TOPIC, 0, 'my draft')
+      _t = Fabricate(:topic, user: user)
+      s = DraftSequence.current(user, Draft::NEW_TOPIC)
+      expect(Draft.get(user, Draft::NEW_TOPIC, s)).to eq nil
       expect(Draft.count).to eq 0
     end
 
     it 'nukes new pm draft after a pm is created' do
-      u = Fabricate(:user)
-      Draft.set(u, Draft::NEW_PRIVATE_MESSAGE, 0, 'my draft')
-      t = Fabricate(:topic, user: u, archetype: Archetype.private_message, category_id: nil)
+      Draft.set(user, Draft::NEW_PRIVATE_MESSAGE, 0, 'my draft')
+      t = Fabricate(:topic, user: user, archetype: Archetype.private_message, category_id: nil)
       s = DraftSequence.current(t.user, Draft::NEW_PRIVATE_MESSAGE)
-      expect(Draft.get(u, Draft::NEW_PRIVATE_MESSAGE, s)).to eq nil
+      expect(Draft.get(user, Draft::NEW_PRIVATE_MESSAGE, s)).to eq nil
     end
 
     it 'does not nuke new topic draft after a pm is created' do
-      u = Fabricate(:user)
-      Draft.set(u, Draft::NEW_TOPIC, 0, 'my draft')
-      t = Fabricate(:topic, user: u, archetype: Archetype.private_message, category_id: nil)
+      Draft.set(user, Draft::NEW_TOPIC, 0, 'my draft')
+      t = Fabricate(:topic, user: user, archetype: Archetype.private_message, category_id: nil)
       s = DraftSequence.current(t.user, Draft::NEW_TOPIC)
-      expect(Draft.get(u, Draft::NEW_TOPIC, s)).to eq 'my draft'
+      expect(Draft.get(user, Draft::NEW_TOPIC, s)).to eq 'my draft'
     end
 
     it 'nukes the post draft when a post is created' do
-      user = Fabricate(:user)
       topic = Fabricate(:topic)
 
       Draft.set(user, topic.draft_key, 0, 'hello')
@@ -207,23 +206,20 @@ describe Draft do
     end
 
     it 'nukes the post draft when a post is revised' do
-      p = Fabricate(:post)
-      Draft.set(p.user, p.topic.draft_key, 0, 'hello')
-      p.revise(p.user, raw: 'another test')
-      s = DraftSequence.current(p.user, p.topic.draft_key)
-      expect(Draft.get(p.user, p.topic.draft_key, s)).to eq nil
+      Draft.set(post.user, post.topic.draft_key, 0, 'hello')
+      post.revise(post.user, raw: 'another test')
+      s = DraftSequence.current(post.user, post.topic.draft_key)
+      expect(Draft.get(post.user, post.topic.draft_key, s)).to eq nil
     end
 
     it 'increases revision each time you set' do
-      u = User.first
-      Draft.set(u, 'new_topic', 0, 'hello')
-      Draft.set(u, 'new_topic', 0, 'goodbye')
+      Draft.set(user, 'new_topic', 0, 'hello')
+      Draft.set(user, 'new_topic', 0, 'goodbye')
 
-      expect(Draft.find_by(user_id: u.id, draft_key: 'new_topic').revisions).to eq(2)
+      expect(Draft.find_by(user_id: user.id, draft_key: 'new_topic').revisions).to eq(2)
     end
 
     it 'handles owner switching gracefully' do
-      user = Fabricate(:user)
       draft_seq = Draft.set(user, 'new_topic', 0, 'hello', _owner = 'ABCDEF')
       expect(draft_seq).to eq(0)
 
@@ -233,5 +229,20 @@ describe Draft do
       draft_seq = Draft.set(user, 'new_topic', 1, 'hello world', _owner = 'HIJKL')
       expect(draft_seq).to eq(1)
     end
+
+    it 'can correctly preload drafts' do
+      Draft.set(user, "#{Draft::EXISTING_TOPIC}#{post.topic_id}", 0, { raw: 'hello', postId: post.id }.to_json)
+
+      drafts = Draft.where(user_id: user.id).to_a
+
+      Draft.preload_data(drafts, user)
+
+      expect(drafts[0].topic_preloaded?).to eq(true)
+      expect(drafts[0].topic.id).to eq(post.topic_id)
+
+      expect(drafts[0].post_preloaded?).to eq(true)
+      expect(drafts[0].post.id).to eq(post.id)
+    end
+
   end
 end