FIX: Don't enqueue topics if the user can't create them

Co-authored-by: Vinoth Kannan <vinothkannan@vinkas.com>
2024-11-25 09:42:07 +08:00 · 2018-11-09 18:24:28 +01:00 · 2018-11-09 18:24:28 +01:00 · 6b51d84dc5
commit 6b51d84dc5
parent 00ad6e8e37
4 changed files with 30 additions and 5 deletions
--- a/lib/email/receiver.rb
+++ b/lib/email/receiver.rb
@ -994,6 +994,7 @@ module Email
         end
        raise TooShortPost
      end
+
      raise InvalidPost, errors.join("\n") if result.errors.any?

      if result.post
--- a/lib/new_post_manager.rb
+++ b/lib/new_post_manager.rb
@ -104,14 +104,12 @@ class NewPostManager
      post = Post.new(raw: manager.args[:raw])
      post.user = manager.user
      validator.validate(post)
+
      if post.errors[:raw].present?
        result = NewPostResult.new(:created_post, false)
        result.errors[:base] << post.errors[:raw]
        return result
-      end
-
-      # Can the user create the post in the first place?
-      if manager.args[:topic_id]
+      elsif manager.args[:topic_id]
        topic = Topic.unscoped.where(id: manager.args[:topic_id]).first

        unless manager.user.guardian.can_create_post_on_topic?(topic)
@ -119,6 +117,14 @@ class NewPostManager
          result.errors[:base] << I18n.t(:topic_not_found)
          return result
        end
+      elsif manager.args[:category]
+        category = Category.find_by(id: manager.args[:category])
+
+        unless manager.user.guardian.can_create_topic_on_category?(category)
+          result = NewPostResult.new(:created_post, false)
+          result.errors[:base] << I18n.t("js.errors.reasons.forbidden")
+          return result
+        end
      end

      result = manager.enqueue('default')
--- a/spec/components/email/receiver_spec.rb
+++ b/spec/components/email/receiver_spec.rb
@ -825,7 +825,7 @@ describe Email::Receiver do

      Group.refresh_automatic_group!(:trust_level_4)

-      expect { process(:tl3_user) }.to_not change(Topic, :count)
+      expect { process(:tl3_user) }.to raise_error(Email::Receiver::InvalidPost)
      expect { process(:tl4_user) }.to change(Topic, :count)
    end

--- a/spec/components/new_post_manager_spec.rb
+++ b/spec/components/new_post_manager_spec.rb
@ -104,6 +104,24 @@ describe NewPostManager do
      end
    end

+    context 'with a high approval post count and secure category' do
+      it 'does not create topic' do
+        SiteSetting.approve_post_count = 100
+        user = Fabricate(:user)
+        category_group = Fabricate(:category_group, permission_type: 2)
+        group_user = Fabricate(:group_user, group: category_group.group, user_id: user.id)
+
+        manager = NewPostManager.new(
+          user,
+          raw: 'this is a new topic',
+          title: "Let's start a new topic!",
+          category: category_group.category_id
+        )
+
+        expect(manager.perform.errors["base"][0]).to eq(I18n.t("js.errors.reasons.forbidden"))
+      end
+    end
+
    context 'with a high trust level setting' do
      before do
        SiteSetting.approve_unless_trust_level = 4