SECURITY: ensure users have permission when moving categories

Sam
2018-03-02 12:13:04 +11:00
parent 4a7a371557
commit 75172024ca
9 changed files with 113 additions and 23 deletions


@ -200,6 +200,15 @@ class PostsController < ApplicationController
if post.is_first_post?
changes[:title] = params[:title] if params[:title]
changes[:category_id] = params[:post][:category_id] if params[:post][:category_id]
if changes[:category_id] && changes[:category_id].to_i != post.topic.category_id.to_i
category = Category.find_by(id: changes[:category_id])
if category || (changes[:category_id].to_i == 0)
guardian.ensure_can_create_topic_on_category!(category)
else
return render_json_error(I18n.t('category.errors.not_found'))
end
end
end
# We don't need to validate edits to small action posts by staff