FIX: Edit title respects min trust to edit post

This fix ensures that the site setting `post_edit_time_limit` does not bypass the limit of the site setting `min_trust_to_edit_post`. This prevents a bug where users that did not meet the minimum trust level to edit could edit the title of topics.
2025-03-22 09:45:32 +08:00 · 2020-02-04 16:28:35 -07:00 · 2020-02-04 16:28:35 -07:00 · 241d8f6452
commit 241d8f6452
parent 666a4be888
2 changed files with 10 additions and 1 deletions
--- a/app/models/concerns/limited_edit.rb
+++ b/app/models/concerns/limited_edit.rb
@ -5,7 +5,9 @@ module LimitedEdit

  def edit_time_limit_expired?(user)
    time_limit = user_time_limit(user)
-    if created_at && time_limit > 0
+    if user.trust_level < SiteSetting.min_trust_to_edit_post
+      true
+    elsif created_at && time_limit > 0
      created_at < time_limit.minutes.ago
    else
      false
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@ -1362,6 +1362,13 @@ describe Guardian do
        expect(Guardian.new(trust_level_4).can_edit?(post)).to eq(false)
      end

+      it 'returns false when trying to edit a topic with no trust' do
+        SiteSetting.min_trust_to_edit_post = 2
+        post.user.trust_level = 1
+
+        expect(Guardian.new(topic.user).can_edit?(topic)).to be_falsey
+      end
+
      it 'returns false when trying to edit a post with no trust' do
        SiteSetting.min_trust_to_edit_post = 2
        post.user.trust_level = 1