FIX: Make ChatMessageUpdater check editing access for guardian (#18902)

Follow up to 766bcbc6840c9d665055441bcd77616b3a96e10e

This fixes a gaffe from that commit where I passed in the
guardian to ChatMessageUpdater but then forgot to remove
the old way of setting the guardian and user instance variables
from the chat_message that was passed in.

Also, it moves the ensure_can_edit_message! check from the
controller into ChatMessageUpdater so all the access
checks are in the same place.
Martin Brennan
2022-11-08 09:04:18 +10:00
committed by GitHub
parent 20dc27232e
commit c66743ee3d
4 changed files with 18 additions and 14 deletions

@ -15,8 +15,6 @@ class Chat::ChatMessageUpdater
@chat_message = chat_message
@old_message_content = chat_message.message
@chat_channel = @chat_message.chat_channel
@user = @chat_message.user
@guardian = Guardian.new(@user)
@new_content = new_content
@upload_ids = upload_ids
@error = nil
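Review bot: With `@user = @chat_message.user` and `@guardian = Guardian.new(@user)` no longer in the initializer, nothing in the visible context shows where `@user` is assigned, yet `update` still writes `@chat_message.last_editor_id = @user.id`. Please confirm the initializer takes `@user` from the passed-in guardian and that it cannot be nil at that point. A spec where the guardian belongs to someone other than the message author would pin this down: with the old assignments, `validate_channel_status!` was evaluated against the author's guardian rather than the editor's, so that case was never exercised here.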
@ -25,6 +23,7 @@ class Chat::ChatMessageUpdater
def update
begin
validate_channel_status!
@guardian.ensure_can_edit_chat!(@chat_message)
@chat_message.message = @new_content
@chat_message.last_editor_id = @user.id
upload_info = get_upload_info
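Review bot: `@guardian.ensure_can_edit_chat!(@chat_message)` now sits inside the `begin` block in `update`, so whatever `rescue` follows decides how a permission failure surfaces. If that rescue stores the exception in `@error` the same way it does for the `StandardError` raised by `validate_channel_status!`, the caller can no longer tell "not allowed to edit" apart from "channel is closed", and the controller's response for an unauthorized edit may differ from what it returned when the check lived there. Either let the access error propagate past the rescue or have the controller map it back to the previous response, and cover that with a request spec. Running the edit check before `validate_channel_status!` would also avoid reporting channel state to a user who is not allowed to edit the message in the first place.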
@ -48,10 +47,6 @@ class Chat::ChatMessageUpdater
private
# TODO (martin) Since we have guardian here now we should move
# guardian.ensure_can_edit_chat!(@message) from the controller into
# this class.
def validate_channel_status!
return if @guardian.can_modify_channel_message?(@chat_channel)
raise StandardError.new(