FIX: Make ChatMessageUpdater check editing access for guardian (#18902)

Follow up to 766bcbc6840c9d665055441bcd77616b3a96e10e This fixes a gaffe from that commit where I passed in the guardian to ChatMessageUpdater but then forgot to remove the old way of setting the guardian and user instance variables from the chat_message that was passed in. Also, it moves the ensure_can_edit_message! check from the controller into ChatMessageUpdater so all the access checks are in the same place.
2025-05-30 07:11:34 +08:00 · 2022-11-08 09:04:18 +10:00
parent 20dc27232e
commit c66743ee3d
4 changed files with 18 additions and 14 deletions
--- a/plugins/chat/spec/requests/chat_controller_spec.rb
+++ b/plugins/chat/spec/requests/chat_controller_spec.rb
@ -532,7 +532,7 @@ RSpec.describe Chat::ChatController do

      it "raises an invalid request" do
        put "/chat/#{chat_channel.id}/edit/#{chat_message.id}.json", params: { new_message: "Hi" }
-        expect(response.status).to eq(403)
+        expect(response.status).to eq(422)
      end
    end

@ -540,7 +540,7 @@ RSpec.describe Chat::ChatController do
      sign_in(Fabricate(:user))

      put "/chat/#{chat_channel.id}/edit/#{chat_message.id}.json", params: { new_message: "edit!" }
-      expect(response.status).to eq(403)
+      expect(response.status).to eq(422)
    end

    it "errors when staff tries to edit another user's message" do
@ -551,7 +551,7 @@ RSpec.describe Chat::ChatController do
          params: {
            new_message: new_message,
          }
-      expect(response.status).to eq(403)
+      expect(response.status).to eq(422)
    end

    it "allows a user to edit their own messages" do