FIX: Don't show move topic for private messages for TL4 (#28871)

In TopicController, in addition to ensure_can_move_posts!, we also checked if the topic is private message in this line: ```ruby raise Discourse::InvalidAccess if params[:archetype] == "private_message" && !guardian.is_staff? ``` However, this was not present in `guardian.can_move_posts?`. As a result, the frontend topic view got an incorrect serialized result, thinking that TL4 could move the private message post. In fact, once they tried to move it, they got the `InvalidAccess` error message. This commit fixes that TL4 will no longer sees the "move to" option in the "select post" panel for a private message.
2024-11-25 09:42:07 +08:00 · 2024-09-16 11:30:05 +08:00 · 2024-09-16 11:30:05 +08:00 · 741e9d70ad
commit 741e9d70ad
parent 991227337a
3 changed files with 24 additions and 3 deletions
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@ -875,8 +875,6 @@ class TopicsController < ApplicationController
    params.permit(:chronological_order)
    params.permit(:archetype)

-    raise Discourse::InvalidAccess if params[:archetype] == "private_message" && !guardian.is_staff?
-
    topic = Topic.with_deleted.find_by(id: topic_id)
    guardian.ensure_can_move_posts!(topic)

--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@ -355,7 +355,9 @@ module TopicGuardian

  def can_move_posts?(topic)
    return false if is_silenced?
-    can_perform_action_available_to_group_moderators?(topic)
+    return false unless can_perform_action_available_to_group_moderators?(topic)
+    return false if topic.archetype == "private_message" && !is_staff?
+    true
  end

  def affected_by_slow_mode?(topic)
--- a/spec/lib/guardian_spec.rb
+++ b/spec/lib/guardian_spec.rb
@ -2288,6 +2288,27 @@ RSpec.describe Guardian do
        expect(Guardian.new(admin).can_move_posts?(topic)).to be_truthy
      end
    end
+
+    context "with a private message topic" do
+      fab!(:pm) { Fabricate(:private_message_topic) }
+
+      it "returns false when not logged in" do
+        expect(Guardian.new.can_move_posts?(pm)).to be_falsey
+      end
+
+      it "returns false when not a moderator" do
+        expect(Guardian.new(user).can_move_posts?(pm)).to be_falsey
+        expect(Guardian.new(trust_level_4).can_move_posts?(pm)).to be_falsey
+      end
+
+      it "returns true when a moderator" do
+        expect(Guardian.new(moderator).can_move_posts?(pm)).to be_truthy
+      end
+
+      it "returns true when an admin" do
+        expect(Guardian.new(admin).can_move_posts?(pm)).to be_truthy
+      end
+    end
  end

  describe "#can_delete?" do