mirror of
https://github.com/discourse/discourse.git
synced 2024-11-25 20:16:19 +08:00
FIX: Anon users could not edit their own posts (#26283)
Followup 3094f32ff5
,
this fixes an issue with the logic in this commit where
we were returning false if any of the conditionals here
were false, regardless of the type of `obj`, where we should
have only done this if `obj` was a `PostAction`, which lead
us to return false in cases where we were checking if the
user could edit their own post as anon.
This commit is contained in:
parent
18a52c56cf
commit
61bd7d5d11
|
@ -640,16 +640,6 @@ class Guardian
|
|||
private
|
||||
|
||||
def is_my_own?(obj)
|
||||
# NOTE: This looks strange...but we are checking if someone is posting anonymously
|
||||
# as a AnonymousUser model, _not_ as Guardian::AnonymousUser which is a different thing
|
||||
# used when !authenticated?
|
||||
if authenticated? && is_anonymous?
|
||||
return(
|
||||
SiteSetting.allow_anonymous_likes? && obj.class == PostAction && obj.is_like? &&
|
||||
obj.user_id == @user.id
|
||||
)
|
||||
end
|
||||
|
||||
return false if anonymous?
|
||||
return obj.user_id == @user.id if obj.respond_to?(:user_id) && obj.user_id && @user.id
|
||||
return obj.user == @user if obj.respond_to?(:user)
|
||||
|
|
|
@ -261,8 +261,21 @@ module PostGuardian
|
|||
def can_delete_post_action?(post_action)
|
||||
return false unless is_my_own?(post_action) && !post_action.is_private_message?
|
||||
|
||||
ok_to_delete =
|
||||
post_action.created_at > SiteSetting.post_undo_action_window_mins.minutes.ago &&
|
||||
!post_action.post&.topic&.archived?
|
||||
|
||||
# NOTE: This looks strange...but we are checking if someone is posting anonymously
|
||||
# as a AnonymousUser model, _not_ as Guardian::AnonymousUser which is a different thing
|
||||
# used when !authenticated?
|
||||
if authenticated? && is_anonymous?
|
||||
return(
|
||||
ok_to_delete && SiteSetting.allow_anonymous_likes? && post_action.is_like? &&
|
||||
is_my_own?(post_action)
|
||||
)
|
||||
end
|
||||
|
||||
ok_to_delete
|
||||
end
|
||||
|
||||
def can_receive_post_notifications?(post)
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
RSpec.describe PostGuardian do
|
||||
fab!(:groupless_user) { Fabricate(:user) }
|
||||
fab!(:user)
|
||||
fab!(:user) { Fabricate(:user, refresh_auto_groups: true) }
|
||||
fab!(:anon) { Fabricate(:anonymous) }
|
||||
fab!(:admin)
|
||||
fab!(:moderator)
|
||||
|
@ -11,6 +11,7 @@ RSpec.describe PostGuardian do
|
|||
fab!(:category)
|
||||
fab!(:topic) { Fabricate(:topic, category: category) }
|
||||
fab!(:hidden_post) { Fabricate(:post, topic: topic, hidden: true) }
|
||||
fab!(:post) { Fabricate(:post, topic: topic) }
|
||||
|
||||
describe "#can_see_hidden_post?" do
|
||||
context "when the hidden_post_visible_groups contains everyone" do
|
||||
|
@ -76,4 +77,25 @@ RSpec.describe PostGuardian do
|
|||
expect(Guardian.new(user).is_in_edit_post_groups?).to eq(false)
|
||||
end
|
||||
end
|
||||
|
||||
describe "#can_edit_post?" do
|
||||
it "returns true for the author" do
|
||||
post.update!(user: user)
|
||||
expect(Guardian.new(user).can_edit_post?(post)).to eq(true)
|
||||
end
|
||||
|
||||
it "returns false for users who are not the author" do
|
||||
expect(Guardian.new(user).can_edit_post?(post)).to eq(false)
|
||||
end
|
||||
|
||||
it "returns true for admins who are not the author" do
|
||||
expect(Guardian.new(admin).can_edit_post?(post)).to eq(true)
|
||||
end
|
||||
|
||||
it "returns true for the author if they are anonymous" do
|
||||
SiteSetting.allow_anonymous_posting = true
|
||||
post.update!(user: anon)
|
||||
expect(Guardian.new(anon).can_edit_post?(post)).to eq(true)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -2505,10 +2505,7 @@ RSpec.describe Guardian do
|
|||
end
|
||||
|
||||
describe "#can_delete_post_action?" do
|
||||
before do
|
||||
SiteSetting.allow_anonymous_posting = true
|
||||
Guardian.any_instance.stubs(:anonymous?).returns(true)
|
||||
end
|
||||
before { SiteSetting.allow_anonymous_posting = true }
|
||||
|
||||
context "with allow_anonymous_likes enabled" do
|
||||
before { SiteSetting.allow_anonymous_likes = true }
|
||||
|
|
Loading…
Reference in New Issue
Block a user