FIX: Anon users could not edit their own posts (#26283)

Followup 3094f32ff5,
this fixes an issue with the logic in this commit where
we were returning false if any of the conditionals here
were false, regardless of the type of `obj`, where we should
have only done this if `obj` was a `PostAction`, which lead
us to return false in cases where we were checking if the
user could edit their own post as anon.
This commit is contained in:
Martin Brennan 2024-03-22 08:12:12 +10:00 committed by GitHub
parent 18a52c56cf
commit 61bd7d5d11
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 39 additions and 17 deletions

View File

@ -640,16 +640,6 @@ class Guardian
private
def is_my_own?(obj)
# NOTE: This looks strange...but we are checking if someone is posting anonymously
# as a AnonymousUser model, _not_ as Guardian::AnonymousUser which is a different thing
# used when !authenticated?
if authenticated? && is_anonymous?
return(
SiteSetting.allow_anonymous_likes? && obj.class == PostAction && obj.is_like? &&
obj.user_id == @user.id
)
end
return false if anonymous?
return obj.user_id == @user.id if obj.respond_to?(:user_id) && obj.user_id && @user.id
return obj.user == @user if obj.respond_to?(:user)

View File

@ -261,8 +261,21 @@ module PostGuardian
def can_delete_post_action?(post_action)
return false unless is_my_own?(post_action) && !post_action.is_private_message?
ok_to_delete =
post_action.created_at > SiteSetting.post_undo_action_window_mins.minutes.ago &&
!post_action.post&.topic&.archived?
# NOTE: This looks strange...but we are checking if someone is posting anonymously
# as a AnonymousUser model, _not_ as Guardian::AnonymousUser which is a different thing
# used when !authenticated?
if authenticated? && is_anonymous?
return(
ok_to_delete && SiteSetting.allow_anonymous_likes? && post_action.is_like? &&
is_my_own?(post_action)
)
end
ok_to_delete
end
def can_receive_post_notifications?(post)

View File

@ -2,7 +2,7 @@
RSpec.describe PostGuardian do
fab!(:groupless_user) { Fabricate(:user) }
fab!(:user)
fab!(:user) { Fabricate(:user, refresh_auto_groups: true) }
fab!(:anon) { Fabricate(:anonymous) }
fab!(:admin)
fab!(:moderator)
@ -11,6 +11,7 @@ RSpec.describe PostGuardian do
fab!(:category)
fab!(:topic) { Fabricate(:topic, category: category) }
fab!(:hidden_post) { Fabricate(:post, topic: topic, hidden: true) }
fab!(:post) { Fabricate(:post, topic: topic) }
describe "#can_see_hidden_post?" do
context "when the hidden_post_visible_groups contains everyone" do
@ -76,4 +77,25 @@ RSpec.describe PostGuardian do
expect(Guardian.new(user).is_in_edit_post_groups?).to eq(false)
end
end
describe "#can_edit_post?" do
it "returns true for the author" do
post.update!(user: user)
expect(Guardian.new(user).can_edit_post?(post)).to eq(true)
end
it "returns false for users who are not the author" do
expect(Guardian.new(user).can_edit_post?(post)).to eq(false)
end
it "returns true for admins who are not the author" do
expect(Guardian.new(admin).can_edit_post?(post)).to eq(true)
end
it "returns true for the author if they are anonymous" do
SiteSetting.allow_anonymous_posting = true
post.update!(user: anon)
expect(Guardian.new(anon).can_edit_post?(post)).to eq(true)
end
end
end

View File

@ -2505,10 +2505,7 @@ RSpec.describe Guardian do
end
describe "#can_delete_post_action?" do
before do
SiteSetting.allow_anonymous_posting = true
Guardian.any_instance.stubs(:anonymous?).returns(true)
end
before { SiteSetting.allow_anonymous_posting = true }
context "with allow_anonymous_likes enabled" do
before { SiteSetting.allow_anonymous_likes = true }