github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-04 10:24:39 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: ensure users have permission when moving categories

Browse Source
This commit is contained in:
Sam
2018-03-02 12:13:04 +11:00
parent 4a7a371557
commit 75172024ca
9 changed files with 113 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
app/controllers/topics_controller.rb
View File

@ -226,6 +226,15 @@ class TopicsController < ApplicationController
topic = Topic.find_by(id: params[:topic_id])
guardian.ensure_can_edit!(topic)
if params[:category_id] && (params[:category_id].to_i != topic.category_id.to_i)
category = Category.find_by(id: params[:category_id])
if category || (params[:category_id].to_i == 0)
guardian.ensure_can_create_topic_on_category!(category)
else
return render_json_error(I18n.t('category.errors.not_found'))
end
end
changes = {}
PostRevisor.tracked_topic_fields.each_key do |f|
changes[f] = params[f] if params.has_key?(f)