From 885f1e7e5f89e11dc6127d9310ac3768b658b018 Mon Sep 17 00:00:00 2001 From: Robin Ward Date: Wed, 1 May 2019 14:48:49 -0400 Subject: [PATCH] FIX: Allow category group reviewers to edit queued posts They can edit title, body and tags. Category is disabled for now as it could lead to some odd security issues. --- app/models/reviewable_queued_post.rb | 7 +++++-- spec/models/reviewable_queued_post_spec.rb | 11 +++++++++-- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/app/models/reviewable_queued_post.rb b/app/models/reviewable_queued_post.rb index 30c854df507..2933dff09d2 100644 --- a/app/models/reviewable_queued_post.rb +++ b/app/models/reviewable_queued_post.rb @@ -36,11 +36,14 @@ class ReviewableQueuedPost < Reviewable end def build_editable_fields(fields, guardian, args) - return unless guardian.is_staff? # We can edit category / title if it's a new topic if topic_id.blank? - fields.add('category_id', :category) + + # Only staff can edit category for now, since in theory a category group reviewer could + # post in a category they don't have access to. + fields.add('category_id', :category) if guardian.is_staff? + fields.add('payload.title', :text) fields.add('payload.tags', :tags) end diff --git a/spec/models/reviewable_queued_post_spec.rb b/spec/models/reviewable_queued_post_spec.rb index 55076154f09..08478c6d57e 100644 --- a/spec/models/reviewable_queued_post_spec.rb +++ b/spec/models/reviewable_queued_post_spec.rb 
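Review bot: In app/models/reviewable_queued_post.rb, with `return unless guardian.is_staff?` removed, `build_editable_fields` no longer consults the guardian at all for `payload.title` and `payload.tags`. Whether a non-staff user may edit a queued post now rests entirely on a check made before this method is called, and that check is not visible in this hunk. I would state that contract above the method, e.g. `# Assumes the caller has already verified that guardian may review this item; only category_id is gated here.` The reasoning the new comment gives for `category_id` may also apply to `payload.tags` if the site restricts some tags to staff, so it is worth confirming that tag permissions are re-checked when the edit is applied. The method body continues past the end of the hunk.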
@@ -137,15 +137,22 @@ RSpec.describe ReviewableQueuedPost, type: :model do let(:reviewable) { Fabricate(:reviewable_queued_post_topic, category: category) } context "editing" do - let(:guardian) { Guardian.new(moderator) } it "is editable and returns the fields" do - fields = reviewable.editable_for(guardian) + fields = reviewable.editable_for(Guardian.new(moderator)) expect(fields.has?('category_id')).to eq(true) expect(fields.has?('payload.raw')).to eq(true) expect(fields.has?('payload.title')).to eq(true) expect(fields.has?('payload.tags')).to eq(true) end + + it "is editable by a category group reviewer" do + fields = reviewable.editable_for(Guardian.new(Fabricate(:user))) + expect(fields.has?('category_id')).to eq(false) + expect(fields.has?('payload.raw')).to eq(true) + expect(fields.has?('payload.title')).to eq(true) + expect(fields.has?('payload.tags')).to eq(true) + end end it "returns the appropriate create options for a topic" do
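Review bot: The new example is named "is editable by a category group reviewer", but it builds the guardian from a bare `Fabricate(:user)`, and nothing visible in the hunk puts that user in a group that reviews `category`. What it actually pins is that any user receives `payload.raw`, `payload.title` and `payload.tags`. If that is the intended contract, rename the example to say so, for instance `it "omits category_id for non-staff" do`. Otherwise, set the user up as a member of the category's reviewing group and add a negative example for a user outside it, so the access boundary is covered by the spec. The enclosing `describe` and `context` blocks start and end outside the hunk.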