diff --git a/lib/guardian.rb b/lib/guardian.rb
index 67496f95b41..8d82d94df8a 100644
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@@ -640,16 +640,6 @@ class Guardian
   private
 
   def is_my_own?(obj)
-    # NOTE: This looks strange...but we are checking if someone is posting anonymously
-    # as a AnonymousUser model, _not_ as Guardian::AnonymousUser which is a different thing
-    # used when !authenticated?
-    if authenticated? && is_anonymous?
-      return(
-        SiteSetting.allow_anonymous_likes? && obj.class == PostAction && obj.is_like? &&
-          obj.user_id == @user.id
-      )
-    end
-
     return false if anonymous?
     return obj.user_id == @user.id if obj.respond_to?(:user_id) && obj.user_id && @user.id
     return obj.user == @user if obj.respond_to?(:user)
diff --git a/lib/guardian/post_guardian.rb b/lib/guardian/post_guardian.rb
index ad507f17d8d..809efcf74de 100644
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@@ -261,8 +261,21 @@ module PostGuardian
   def can_delete_post_action?(post_action)
     return false unless is_my_own?(post_action) && !post_action.is_private_message?
 
-    post_action.created_at > SiteSetting.post_undo_action_window_mins.minutes.ago &&
-      !post_action.post&.topic&.archived?
+    ok_to_delete =
+      post_action.created_at > SiteSetting.post_undo_action_window_mins.minutes.ago &&
+        !post_action.post&.topic&.archived?
+
+    # NOTE: This looks strange...but we are checking if someone is posting anonymously
+    # as a AnonymousUser model, _not_ as Guardian::AnonymousUser which is a different thing
+    # used when !authenticated?
+    if authenticated? && is_anonymous?
+      return(
+        ok_to_delete && SiteSetting.allow_anonymous_likes? && post_action.is_like? &&
+          is_my_own?(post_action)
+      )
+    end
+
+    ok_to_delete
   end
 
   def can_receive_post_notifications?(post)
diff --git a/spec/lib/guardian/post_guardian_spec.rb b/spec/lib/guardian/post_guardian_spec.rb
index 9210b871a2a..9617c0355ef 100644
--- a/spec/lib/guardian/post_guardian_spec.rb
+++ b/spec/lib/guardian/post_guardian_spec.rb
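Review bot: With the anonymous branch removed, `is_my_own?` answers ownership for an authenticated AnonymousUser-model user the same way as for any other authenticated user — a matching `user_id` (or `user`) on any object, not only a like — assuming `anonymous?` on the surviving `return false if anonymous?` line is the `!authenticated?` check the deleted comment refers to. That widening is presumably the intent (the new `#can_edit_post?` spec relies on it), but it reaches every caller of `is_my_own?`, not just `can_delete_post_action?`, and nothing in the method now records that the like-only restriction moved elsewhere. Suggest a comment where the branch was: `# Anonymous-mode users (AnonymousUser model) own their content like any other authenticated user; the allow_anonymous_likes gate for undoing likes lives in PostGuardian#can_delete_post_action?`. The remainder of `is_my_own?` ends outside the hunk.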
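Review bot: The `is_my_own?(post_action)` inside the anonymous branch's `return(` is redundant: the guard on the method's second line already returned false unless `is_my_own?(post_action)` held, so the second call only repeats a check that has just passed. The branch can collapse to a single modifier line, `return ok_to_delete && SiteSetting.allow_anonymous_likes? && post_action.is_like? if authenticated? && is_anonymous?`, which also removes the parenthesised multi-line return. The copied NOTE explains the `authenticated?`/`is_anonymous?` distinction but not why the branch exists; one more line such as `# Anonymous-mode users may only undo likes, and only while allow_anonymous_likes is enabled` would make the restriction visible to the next reader, since `is_my_own?` no longer enforces it.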
@@ -2,7 +2,7 @@
 
 RSpec.describe PostGuardian do
   fab!(:groupless_user) { Fabricate(:user) }
-  fab!(:user)
+  fab!(:user) { Fabricate(:user, refresh_auto_groups: true) }
   fab!(:anon) { Fabricate(:anonymous) }
   fab!(:admin)
   fab!(:moderator)
@@ -11,6 +11,7 @@ RSpec.describe PostGuardian do
   fab!(:category)
   fab!(:topic) { Fabricate(:topic, category: category) }
   fab!(:hidden_post) { Fabricate(:post, topic: topic, hidden: true) }
+  fab!(:post) { Fabricate(:post, topic: topic) }
 
   describe "#can_see_hidden_post?" do
     context "when the hidden_post_visible_groups contains everyone" do
@@ -76,4 +77,25 @@ RSpec.describe PostGuardian do
       expect(Guardian.new(user).is_in_edit_post_groups?).to eq(false)
     end
   end
+
+  describe "#can_edit_post?" do
+    it "returns true for the author" do
+      post.update!(user: user)
+      expect(Guardian.new(user).can_edit_post?(post)).to eq(true)
+    end
+
+    it "returns false for users who are not the author" do
+      expect(Guardian.new(user).can_edit_post?(post)).to eq(false)
+    end
+
+    it "returns true for admins who are not the author" do
+      expect(Guardian.new(admin).can_edit_post?(post)).to eq(true)
+    end
+
+    it "returns true for the author if they are anonymous" do
+      SiteSetting.allow_anonymous_posting = true
+      post.update!(user: anon)
+      expect(Guardian.new(anon).can_edit_post?(post)).to eq(true)
+    end
+  end
 end
diff --git a/spec/lib/guardian_spec.rb b/spec/lib/guardian_spec.rb
index 4cc3f1a93e6..82d01611a53 100644
--- a/spec/lib/guardian_spec.rb
+++ b/spec/lib/guardian_spec.rb
@@ -2505,10 +2505,7 @@ RSpec.describe Guardian do
   end
 
   describe "#can_delete_post_action?" do
-    before do
-      SiteSetting.allow_anonymous_posting = true
-      Guardian.any_instance.stubs(:anonymous?).returns(true)
-    end
+    before { SiteSetting.allow_anonymous_posting = true }
 
     context "with allow_anonymous_likes enabled" do
       before { SiteSetting.allow_anonymous_likes = true }
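Review bot: The new `#can_edit_post?` examples in the `@@ -76,4 +77,25 @@` hunk cover only the positive anonymous case, yet the `lib/guardian.rb` change in this commit is what widens `is_my_own?` for anonymous-mode users, so the example that would catch an over-wide answer is the negative one: an anonymous user who is not the author of `post`. Since `post` is fabricated without an explicit user (the "not the author" example already relies on that), `anon` is not its author and a fourth example with `allow_anonymous_posting` enabled but no `post.update!` is enough. It is also worth stating the negative expectation for the non-anonymous path with the setting on, so a future change that conflates the two `anonymous?` notions is caught here rather than in `guardian_spec.rb`.
```ruby
  describe "#can_edit_post?" do
    # … unchanged: existing author / non-author / admin / anonymous-author examples …

    it "returns false for anonymous users who are not the author" do
      SiteSetting.allow_anonymous_posting = true
      expect(Guardian.new(anon).can_edit_post?(post)).to eq(false)
    end
  end
```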