FIX: only staff can banner topics

app/assets/javascripts/discourse/templates/modal/feature-topic.hbs

@@ -110,37 +110,39 @@
       </div>
     </div>
   {{/if}}
-  <hr>
+  {{#if currentUser.staff}}
-  <div class="feature-section">
+    <hr>
-    <div class="desc">
+    <div class="feature-section">
-      <p>
+      <div class="desc">
-        {{#conditional-loading-spinner size="small" condition=loading}}
+        <p>
-          {{#if bannerCount}}
+          {{#conditional-loading-spinner size="small" condition=loading}}
-            {{{i18n "topic.feature_topic.banner_exists"}}}
+            {{#if bannerCount}}
+              {{{i18n "topic.feature_topic.banner_exists"}}}
+            {{else}}
+              {{{i18n "topic.feature_topic.no_banner_exists"}}}
+            {{/if}}
+          {{/conditional-loading-spinner}}
+        </p>
+        <p>
+          {{i18n "topic.feature_topic.banner_note"}}
+        </p>
+        <p>
+          {{#if model.isBanner}}
+            {{i18n "topic.feature_topic.remove_banner"}}
           {{else}}
-            {{{i18n "topic.feature_topic.no_banner_exists"}}}
+            {{i18n "topic.feature_topic.make_banner"}}
           {{/if}}
-        {{/conditional-loading-spinner}}
+        </p>
-      </p>
+        <p>
-      <p>
+          {{#if model.isBanner}}
-        {{i18n "topic.feature_topic.banner_note"}}
+            {{d-button action=(action "removeBanner") icon="thumb-tack" label="topic.feature.remove_banner" class="btn-primary"}}
-      </p>
+          {{else}}
-      <p>
+            {{d-button action=(action "makeBanner") icon="thumb-tack" label="topic.feature.make_banner" class="btn-primary"}}
-        {{#if model.isBanner}}
+          {{/if}}
-          {{i18n "topic.feature_topic.remove_banner"}}
+        </p>
-        {{else}}
+      </div>
-          {{i18n "topic.feature_topic.make_banner"}}
-        {{/if}}
-      </p>
-      <p>
-        {{#if model.isBanner}}
-          {{d-button action=(action "removeBanner") icon="thumb-tack" label="topic.feature.remove_banner" class="btn-primary"}}
-        {{else}}
-          {{d-button action=(action "makeBanner") icon="thumb-tack" label="topic.feature.make_banner" class="btn-primary"}}
-        {{/if}}
-      </p>
     </div>
-  </div>
+  {{/if}}
 {{/d-modal-body}}
 <div class="modal-footer">
   {{d-modal-cancel close=(route-action "closeModal")}}

app/controllers/topics_controller.rb

@@ -408,7 +408,7 @@ class TopicsController < ApplicationController
 
   def make_banner
     topic = Topic.find_by(id: params[:topic_id].to_i)
-    guardian.ensure_can_moderate!(topic)
+    guardian.ensure_can_banner_topic!(topic)
 
     topic.make_banner!(current_user)
 
@@ -417,7 +417,7 @@ class TopicsController < ApplicationController
 
   def remove_banner
     topic = Topic.find_by(id: params[:topic_id].to_i)
-    guardian.ensure_can_moderate!(topic)
+    guardian.ensure_can_banner_topic!(topic)
 
     topic.remove_banner!(current_user)
 

lib/guardian/topic_guardian.rb

@@ -154,4 +154,8 @@ module TopicGuardian
   def can_update_bumped_at?
     is_staff? || @user.has_trust_level?(TrustLevel[4])
   end
+
+  def can_banner_topic?(topic)
+    authenticated? && !topic.private_message? && is_staff?
+  end
 end

spec/requests/topics_controller_spec.rb

@@ -1907,8 +1907,8 @@ RSpec.describe TopicsController do
 
   describe '#make_banner' do
     it 'needs you to be a staff member' do
-      sign_in(Fabricate(:user))
+      topic = Fabricate(:topic, user: sign_in(Fabricate(:trust_level_4)))
-      put "/t/99/make-banner.json"
+      put "/t/#{topic.id}/make-banner.json"
       expect(response).to be_forbidden
     end
 
@@ -1926,8 +1926,8 @@ RSpec.describe TopicsController do
 
   describe '#remove_banner' do
     it 'needs you to be a staff member' do
-      sign_in(Fabricate(:user))
+      topic = Fabricate(:topic, user: sign_in(Fabricate(:trust_level_4)), archetype: Archetype.banner)
-      put "/t/99/remove-banner.json"
+      put "/t/#{topic.id}/remove-banner.json"
       expect(response).to be_forbidden
     end