FIX: Allow admins to change user ignore list (#16129)

Previously, if an admin user tried to add/remove users to another user's ignored list, it would be added to their own ignore list because the controller used current_user. Now for admins only a source_user_id parameter can be passed through, which will be used to ignore the target user for that source user.
2025-05-31 05:48:23 +08:00 · 2022-03-09 14:51:30 +10:00
parent efd8bb9008
commit ca93e5e68b
10 changed files with 100 additions and 29 deletions
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -2925,11 +2925,46 @@ describe UsersController do

      context 'when changing notification level to ignore' do
        it 'changes notification level to ignore' do
-          put "/u/#{another_user.username}/notification_level.json", params: { notification_level: "ignore" }
+          put "/u/#{another_user.username}/notification_level.json", params: {
+            notification_level: "ignore",
+            expiring_at: 3.days.from_now
+          }
+          expect(response.status).to eq(200)
          expect(MutedUser.count).to eq(0)
          expect(IgnoredUser.find_by(user_id: user.id, ignored_user_id: another_user.id)).to be_present
        end

+        it "allows admin to change the ignore status for a source user" do
+          ignored_user.destroy!
+          sign_in(Fabricate(:user, admin: true))
+          put "/u/#{another_user.username}/notification_level.json", params: {
+            notification_level: "ignore",
+            acting_user_id: user.id,
+            expiring_at: 3.days.from_now
+          }
+          expect(response.status).to eq(200)
+          expect(IgnoredUser.find_by(user_id: user.id, ignored_user_id: another_user.id)).to be_present
+        end
+
+        it "does not allow a regular user to change the ignore status for anyone but themself" do
+          ignored_user.destroy!
+          acting_user = Fabricate(:user)
+          put "/u/#{another_user.username}/notification_level.json", params: {
+            notification_level: "ignore",
+            acting_user_id: acting_user.id,
+            expiring_at: 3.days.from_now
+          }
+          expect(response.status).to eq(422)
+          expect(IgnoredUser.find_by(user_id: acting_user.id, ignored_user_id: another_user.id)).to eq(nil)
+
+          put "/u/#{another_user.username}/notification_level.json", params: {
+            notification_level: "ignore",
+            expiring_at: 3.days.from_now
+          }
+          expect(response.status).to eq(200)
+          expect(IgnoredUser.find_by(user_id: user.id, ignored_user_id: another_user.id)).to be_present
+        end
+
        context 'when expiring_at param is set' do
          it 'changes notification level to ignore' do
            freeze_time(Time.now) do