From 62cbb766cd70dd43460b17aa271a2d32be893b4a Mon Sep 17 00:00:00 2001
From: Bianca Nenciu
Date: Thu, 5 May 2022 09:54:10 +0300
Subject: [PATCH] FIX: Validate post's polls as acting user (#16638)
It used to validate the post from the perspective of the user who created the post. That did not work well when an admin attempted to add a poll to a post created by a user who cannot create posts because it said the user cannot create polls. The problem was that it used post.user for the validation process instead of post.acting_user.
---
 plugins/poll/lib/post_validator.rb | 2 +-
 .../spec/controllers/posts_controller_spec.rb | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/plugins/poll/lib/post_validator.rb b/plugins/poll/lib/post_validator.rb
index 788fe1e24bb..5d21f70a8cd 100644
--- a/plugins/poll/lib/post_validator.rb
+++ b/plugins/poll/lib/post_validator.rb
@@ -9,7 +9,7 @@ module DiscoursePoll
 def validate_post
 min_trust_level = SiteSetting.poll_minimum_trust_level_to_create
- if @post&.user&.staff? || @post&.user&.trust_level >= TrustLevel[min_trust_level] || @post&.topic&.pm_with_non_human_user?
+ if (@post.acting_user && (@post.acting_user.staff? || @post.acting_user.trust_level >= TrustLevel[min_trust_level])) || @post.topic&.pm_with_non_human_user?
 true
 else
 @post.errors.add(:base, I18n.t("poll.insufficient_rights_to_create"))
diff --git a/plugins/poll/spec/controllers/posts_controller_spec.rb b/plugins/poll/spec/controllers/posts_controller_spec.rb
index ab0df1e6b22..5cc316a9b42 100644
--- a/plugins/poll/spec/controllers/posts_controller_spec.rb
+++ b/plugins/poll/spec/controllers/posts_controller_spec.rb
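Review bot: The added `if` line in `validate_post` reads `@post.acting_user` three times and carries no comment saying that poll rights are now judged against whoever makes the change rather than the post's author, which is the whole authorization decision here. Pulling the actor into a local keeps the nil guard visible: `actor = @post.acting_user`, `allowed = actor && (actor.staff? || actor.trust_level >= TrustLevel[min_trust_level])`, `if allowed || @post.topic&.pm_with_non_human_user?`, with a comment such as `# Poll rights follow the acting user (the editor), not the post's author`. What `acting_user` returns when no editor was set is not visible in this hunk; with the guard a nil actor is rejected unless the PM-with-non-human-user branch applies, and that is worth stating in the comment. The method body continues past the end of the hunk.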
@@ -443,4 +443,28 @@ describe PostsController do
 expect(Poll.exists?(post_id: json["id"])).to eq(true)
 end
 end
+
+ describe "staff editing posts of users with insufficient trust level" do
+ before do
+ SiteSetting.poll_minimum_trust_level_to_create = 2
+ end
+
+ it "validates the post" do
+ log_in_user(Fabricate(:user, trust_level: 1))
+
+ post :create, params: { title: title, raw: title }, format: :json
+
+ expect(response.status).to eq(200)
+ post_id = response.parsed_body["id"]
+
+ log_in_user(Fabricate(:admin))
+
+ put :update, params: {
+ id: post_id, post: { raw: "#{title}\n[poll]\n- A\n- B\n- C\n[/poll]" }
+ }, format: :json
+
+ expect(response.status).to eq(200)
+ expect(response.parsed_body["post"]["polls"][0]["options"][2]["html"]).to eq("C")
+ end
+ end
 end
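Review bot: The new spec covers only the allow path (an admin adding a poll to a trust-level-1 author's post), so the deny side of the changed check is not pinned. A check that accepted either the author or the editor would still pass this example while letting a low-trust editor add polls to a higher-trust author's post. I would add a second example in the same `describe` where the author meets `poll_minimum_trust_level_to_create` and the logged-in editor does not (for instance on a post that other users are allowed to edit, if the suite has a fixture for that), and assert that the update is rejected and reports the error: `expect(response.parsed_body["errors"]).to include(I18n.t("poll.insufficient_rights_to_create"))`. The error shape of the response is assumed, since no failing request is visible in this hunk.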