mirror of
https://github.com/discourse/discourse.git
synced 2024-11-25 09:42:07 +08:00
FIX: Validate post's polls as acting user (#16638)
It used to validate the post from the perspective of the user who created the post. That did not work well when an admin attempted to add a poll to a post created by a user who cannot create posts because it said the user cannot create polls. The problem was that it used post.user for the validation process instead of post.acting_user.
This commit is contained in:
parent
b35cf7cc0c
commit
62cbb766cd
|
@ -9,7 +9,7 @@ module DiscoursePoll
|
|||
def validate_post
|
||||
min_trust_level = SiteSetting.poll_minimum_trust_level_to_create
|
||||
|
||||
if @post&.user&.staff? || @post&.user&.trust_level >= TrustLevel[min_trust_level] || @post&.topic&.pm_with_non_human_user?
|
||||
if (@post.acting_user && (@post.acting_user.staff? || @post.acting_user.trust_level >= TrustLevel[min_trust_level])) || @post.topic&.pm_with_non_human_user?
|
||||
true
|
||||
else
|
||||
@post.errors.add(:base, I18n.t("poll.insufficient_rights_to_create"))
|
||||
|
|
|
@ -443,4 +443,28 @@ describe PostsController do
|
|||
expect(Poll.exists?(post_id: json["id"])).to eq(true)
|
||||
end
|
||||
end
|
||||
|
||||
describe "staff editing posts of users with insufficient trust level" do
|
||||
before do
|
||||
SiteSetting.poll_minimum_trust_level_to_create = 2
|
||||
end
|
||||
|
||||
it "validates the post" do
|
||||
log_in_user(Fabricate(:user, trust_level: 1))
|
||||
|
||||
post :create, params: { title: title, raw: title }, format: :json
|
||||
|
||||
expect(response.status).to eq(200)
|
||||
post_id = response.parsed_body["id"]
|
||||
|
||||
log_in_user(Fabricate(:admin))
|
||||
|
||||
put :update, params: {
|
||||
id: post_id, post: { raw: "#{title}\n[poll]\n- A\n- B\n- C\n[/poll]" }
|
||||
}, format: :json
|
||||
|
||||
expect(response.status).to eq(200)
|
||||
expect(response.parsed_body["post"]["polls"][0]["options"][2]["html"]).to eq("C")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue
Block a user