github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-23 15:14:16 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

BUGFIX: could not see the revisions of a post in a deleted topic

Browse Source
This commit is contained in:
Régis Hanol
2014-05-12 16:30:10 +02:00
parent 312bc6bff9
commit fca6738212
5 changed files with 34 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
app/controllers/posts_controller.rb
View File

@ -192,7 +192,6 @@ class PostsController < ApplicationController
def revisions def revisions
post_revision = find_post_revision_from_params post_revision = find_post_revision_from_params
guardian.ensure_can_see!(post_revision)
post_revision_serializer = PostRevisionSerializer.new(post_revision, scope: guardian, root: false) post_revision_serializer = PostRevisionSerializer.new(post_revision, scope: guardian, root: false)
render_json_dump(post_revision_serializer) render_json_dump(post_revision_serializer)
end end
@ -302,6 +301,8 @@ class PostsController < ApplicationController
# Include deleted posts if the user is staff # Include deleted posts if the user is staff
finder = finder.with_deleted if current_user.try(:staff?) finder = finder.with_deleted if current_user.try(:staff?)
post = finder.first post = finder.first
# load deleted topic
post.topic = Topic.with_deleted.find(post.topic_id) if current_user.try(:staff?)
guardian.ensure_can_see!(post) guardian.ensure_can_see!(post)
post post
end end

3
lib/guardian.rb
View File

@ -8,7 +8,7 @@ require_dependency 'guardian/user_guardian'
class Guardian class Guardian
include EnsureMagic include EnsureMagic
include CategoryGuardian include CategoryGuardian
include PostGuardain include PostGuardian
include TopicGuardian include TopicGuardian
include UserGuardian include UserGuardian
@ -23,6 +23,7 @@ class Guardian
def has_trust_level?(level); false; end def has_trust_level?(level); false; end
def email; nil; end def email; nil; end
end end
def initialize(user=nil) def initialize(user=nil)
@user = user.presence || AnonymousUser.new @user = user.presence || AnonymousUser.new
end end

12
lib/guardian/post_guardian.rb
View File

@ -1,9 +1,8 @@
#mixin for all guardian methods dealing with post permissions #mixin for all guardian methods dealing with post permissions
module PostGuardain module PostGuardian
# Can the user act on the post in a particular way. # Can the user act on the post in a particular way.
# taken_actions = the list of actions the user has already taken # taken_actions = the list of actions the user has already taken
def post_can_act?(post, action_key, opts={}) def post_can_act?(post, action_key, opts={})
taken = opts[:taken_actions].try(:keys).to_a taken = opts[:taken_actions].try(:keys).to_a
is_flag = PostActionType.is_flag?(action_key) is_flag = PostActionType.is_flag?(action_key)
already_taken_this_action = taken.any? && taken.include?(PostActionType.types[action_key]) already_taken_this_action = taken.any? && taken.include?(PostActionType.types[action_key])
@ -110,16 +109,17 @@ module PostGuardain
end end
def can_see_post_revision?(post_revision) def can_see_post_revision?(post_revision)
return false if post_revision.nil? return false unless post_revision
can_view_post_revisions?(post_revision.post) can_view_post_revisions?(post_revision.post)
end end
def can_view_post_revisions?(post) def can_view_post_revisions?(post)
return false if post.nil? return false unless post
return true if SiteSetting.edit_history_visible_to_public && !post.hidden return true if SiteSetting.edit_history_visible_to_public && !post.hidden
authenticated? && authenticated? &&
(is_staff? || @user.has_trust_level?(:elder) || @user.id == post.user_id) && (is_staff? || @user.has_trust_level?(:elder) || @user.id == post.user_id) &&
can_see_post?(post) can_see_post?(post)
end end
def can_vote?(post, opts={}) def can_vote?(post, opts={})

22
lib/guardian/topic_guardian.rb
View File

@ -45,20 +45,18 @@ module TopicGuardian
end end
def can_see_topic?(topic) def can_see_topic?(topic)
if topic return false unless topic
is_staff? || return true if is_staff?
return false if topic.deleted_at
topic.deleted_at.nil? && # NOTE
# At the moment staff can see PMs, there is some talk of restricting this, however
# we still need to allow staff to join PMs for the case of flagging ones
# not secure, or I can see it # not secure, or I can see it
(not(topic.read_restricted_category?) || can_see_category?(topic.category)) && (not(topic.read_restricted_category?) || can_see_category?(topic.category)) &&
# not private, or I am allowed (or is staff)
(not(topic.private_message?) || (authenticated? && (is_staff? || topic.all_allowed_users.where(id: @user.id).exists?)))
# NOTE
# At the moment staff can see PMs, there is some talk of restricting this, however
# we still need to allow staff to join PMs for the case of flagging ones
# not private, or I am allowed (or is staff)
(not(topic.private_message?) || authenticated? && (topic.all_allowed_users.where(id: @user.id).exists? || is_staff?))
end
end end
end end

14
spec/controllers/posts_controller_spec.rb
View File

@ -508,6 +508,20 @@ describe PostsController do
end end
end end
context "deleted topic" do
let(:admin) { log_in(:admin) }
let(:deleted_topic) { Fabricate(:topic, user: admin) }
let(:post) { Fabricate(:post, user: admin, topic: deleted_topic) }
let(:post_revision) { Fabricate(:post_revision, user: admin, post: post) }
before { deleted_topic.trash!(admin) }
it "also work on deleted topic" do
xhr :get, :revisions, post_id: post_revision.post_id, revision: post_revision.number
response.should be_success
end
end
end end
describe 'expandable embedded posts' do describe 'expandable embedded posts' do