SECURITY: Require groups to be given when inviting to a restricted category. (#6715)

This commit is contained in:
Guo Xiang Tan
2018-12-05 23:43:07 +08:00
committed by Régis Hanol
parent 57ba4b7cb2
commit 978f0db109
12 changed files with 309 additions and 195 deletions


@ -289,19 +289,25 @@ class Guardian
def can_invite_to?(object, groups = nil)
return false unless authenticated?
return true if is_admin?
is_topic = object.is_a?(Topic)
return true if is_admin? && !is_topic
return false if (SiteSetting.max_invites_per_day.to_i == 0 && !is_staff?)
return false unless can_see?(object)
return false if groups.present?
if object.is_a?(Topic) && object.private_message?
return false unless SiteSetting.enable_personal_messages?
return false if object.reached_recipients_limit? && !is_staff?
end
if is_topic
if object.private_message?
return true if is_admin?
return false unless SiteSetting.enable_personal_messages?
return false if object.reached_recipients_limit? && !is_staff?
end
if object.is_a?(Topic) && object.category
if object.category.groups.any?
return true if object.category.groups.all? { |g| can_edit_group?(g) }
if (category = object.category) && category.read_restricted
if (groups = category.groups&.where(automatic: false))&.any?
return groups.any? { |g| can_edit_group?(g) } ? true : false
else
return false
end
end
end