FIX: Make ChatMessageUpdater check editing access for guardian (#18902)

Follow up to 766bcbc6840c9d665055441bcd77616b3a96e10e

This fixes a gaffe from that commit where I passed in the
guardian to ChatMessageUpdater but then forgot to remove
the old way of setting the guardian and user instance variables
from the chat_message that was passed in.

Also, it moves the ensure_can_edit_message! check from the
controller into ChatMessageUpdater so all the access
checks are in the same place.
This commit is contained in:
Martin Brennan
2022-11-08 09:04:18 +10:00
committed by GitHub
parent 20dc27232e
commit c66743ee3d
4 changed files with 18 additions and 14 deletions

View File

@ -532,7 +532,7 @@ RSpec.describe Chat::ChatController do
it "raises an invalid request" do
put "/chat/#{chat_channel.id}/edit/#{chat_message.id}.json", params: { new_message: "Hi" }
expect(response.status).to eq(403)
expect(response.status).to eq(422)
end
end
@ -540,7 +540,7 @@ RSpec.describe Chat::ChatController do
sign_in(Fabricate(:user))
put "/chat/#{chat_channel.id}/edit/#{chat_message.id}.json", params: { new_message: "edit!" }
expect(response.status).to eq(403)
expect(response.status).to eq(422)
end
it "errors when staff tries to edit another user's message" do
@ -551,7 +551,7 @@ RSpec.describe Chat::ChatController do
params: {
new_message: new_message,
}
expect(response.status).to eq(403)
expect(response.status).to eq(422)
end
it "allows a user to edit their own messages" do