From d03f6727b170f3d38da7cf545eae2ba09a4e9280 Mon Sep 17 00:00:00 2001
From: Krzysztof Kotlarek
Date: Sat, 23 Dec 2023 21:31:46 +1100
Subject: [PATCH] FIX: TL3 can convert their post to a wiki (#25023)

A bug that allowed TL1 to convert other's posts to wiki. The issue was introduced in this PR: https://github.com/discourse/discourse/pull/24999/files The wiki can be created if a user is TL3 and it is their own post - default 3 for setting `SiteSetting.min_trust_to_allow_self_wiki` In addition, a wiki can be created by staff and TL4 users for any post.
---
 lib/guardian/post_guardian.rb | 2 +-
 spec/lib/guardian_spec.rb | 2 --
 spec/requests/posts_controller_spec.rb | 1 -
 3 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/lib/guardian/post_guardian.rb b/lib/guardian/post_guardian.rb
index 68856e44981..bb6d0e16f98 100644
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@@ -330,7 +330,7 @@ module PostGuardian
 def can_wiki?(post)
 return false unless authenticated?
- return true if is_staff? || @user.in_any_groups?(SiteSetting.edit_wiki_post_allowed_groups_map)
+ return true if is_staff? || @user.has_trust_level?(TrustLevel[4])
 if @user.has_trust_level?(SiteSetting.min_trust_to_allow_self_wiki) && is_my_own?(post)
 return false if post.hidden?
diff --git a/spec/lib/guardian_spec.rb b/spec/lib/guardian_spec.rb
index a3afe95130b..b0e776509ae 100644
--- a/spec/lib/guardian_spec.rb
+++ b/spec/lib/guardian_spec.rb
@@ -3639,8 +3639,6 @@ RSpec.describe Guardian do
 describe "can_wiki?" do
 let(:post) { Fabricate(:post, created_at: 1.minute.ago) }
- before { SiteSetting.edit_wiki_post_allowed_groups = "14" }
-
 it "returns false for regular user" do
 expect(Guardian.new(coding_horror).can_wiki?(post)).to be_falsey
 end
diff --git a/spec/requests/posts_controller_spec.rb b/spec/requests/posts_controller_spec.rb
index 99216d471d2..27f1a89dc0c 100644
--- a/spec/requests/posts_controller_spec.rb
+++ b/spec/requests/posts_controller_spec.rb
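Review bot: In `lib/guardian/post_guardian.rb`, the any-post branch of `can_wiki?` now hard-codes `TrustLevel[4]`, so the `edit_wiki_post_allowed_groups` setting that the removed line consulted no longer feeds this authorization check. If that setting is still defined elsewhere (not visible in this patch), it becomes a permission control that administrators can change with no effect, so it should be removed or deprecated in the same change. The intent should also be stated above the line, e.g. `# Staff and TL4 may wiki any post; other users only their own, gated by min_trust_to_allow_self_wiki.` The spec hunks here only delete setup lines, so unless the existing "returns false for regular user" example already covers it, add an example asserting that a TL1 user gets `be_falsey` from `can_wiki?` on another user's post under default settings. The body of `can_wiki?` continues past the end of the hunk.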
@@ -709,7 +709,6 @@ RSpec.describe PostsController do
 end
 it "raises an error if the user doesn't have permission to wiki the post" do
- SiteSetting.edit_wiki_post_allowed_groups = "14"
 put "/posts/#{post.id}/wiki.json", params: { wiki: "true" }
 expect(response).to be_forbidden
 end