From dee35b72f22856ce5d775de8f8663e7fa520d65a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?= <regis@hanol.fr>
Date: Tue, 27 Feb 2018 00:19:44 +0100
Subject: [PATCH] FIX: must be able to post in a topic in order to vote on a
 poll

---
 plugins/poll/plugin.rb                            |  5 +++++
 .../spec/controllers/polls_controller_spec.rb     | 15 +++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/plugins/poll/plugin.rb b/plugins/poll/plugin.rb
index 017ea72a81a..e1434343741 100644
--- a/plugins/poll/plugin.rb
+++ b/plugins/poll/plugin.rb
@@ -47,6 +47,11 @@ after_initialize do
             raise StandardError.new I18n.t("poll.topic_must_be_open_to_vote")
           end
 
+          # user must be allowed to post in topic
+          unless Guardian.new(user).can_create_post?(post.topic)
+            raise StandardError.new I18n.t("poll.user_cant_post_in_topic")
+          end
+
           polls = post.custom_fields[DiscoursePoll::POLLS_CUSTOM_FIELD]
 
           raise StandardError.new I18n.t("poll.no_polls_associated_with_this_post") if polls.blank?
diff --git a/plugins/poll/spec/controllers/polls_controller_spec.rb b/plugins/poll/spec/controllers/polls_controller_spec.rb
index c9f353862e9..390d342f13b 100644
--- a/plugins/poll/spec/controllers/polls_controller_spec.rb
+++ b/plugins/poll/spec/controllers/polls_controller_spec.rb
@@ -55,6 +55,7 @@ describe ::DiscoursePoll::PollsController do
 
     it "works even if topic is closed" do
       topic.update_attribute(:closed, true)
+
       put :vote, params: {
         post_id: poll.id, poll_name: "poll", options: ["5c24fc1df56d764b550ceae1b9319125"]
       }, format: :json
@@ -64,6 +65,7 @@ describe ::DiscoursePoll::PollsController do
 
     it "ensures topic is not archived" do
       topic.update_attribute(:archived, true)
+
       put :vote, params: {
         post_id: poll.id, poll_name: "poll", options: ["A"]
       }, format: :json
@@ -75,6 +77,7 @@ describe ::DiscoursePoll::PollsController do
 
     it "ensures post is not trashed" do
       poll.trash!
+
       put :vote, params: {
         post_id: poll.id, poll_name: "poll", options: ["A"]
       }, format: :json
@@ -84,6 +87,18 @@ describe ::DiscoursePoll::PollsController do
       expect(json["errors"][0]).to eq(I18n.t("poll.post_is_deleted"))
     end
 
+    it "ensures user can post in topic" do
+      Guardian.any_instance.expects(:can_create_post?).returns(false)
+
+      put :vote, params: {
+        post_id: poll.id, poll_name: "poll", options: ["A"]
+      }, format: :json
+
+      expect(response).not_to be_success
+      json = ::JSON.parse(response.body)
+      expect(json["errors"][0]).to eq(I18n.t("poll.user_cant_post_in_topic"))
+    end
+
     it "ensures polls are associated with the post" do
       put :vote, params: {
         post_id: Fabricate(:post).id, poll_name: "foobar", options: ["A"]