github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-25 09:42:07 +08:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

FIX: staff should not be able to PM groups that "Nobody" can message (#16163)

Browse Source 
If a group's messageable_level is set to nobody then staff can't should not be able to send PMs to it.

Co-authored-by: Martin Brennan <martin@discourse.org>
This commit is contained in:
Vinoth Kannan 2022-03-22 05:53:14 +05:30 committed by GitHub
parent 31bc756037
commit 8a9a7a77d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/guardian.rb
View File

@ -47,6 +47,9 @@ class Guardian
def silenced? def silenced?
false false
end end
def is_system_user?
false
end
def secure_category_ids def secure_category_ids
[] []
end end
@ -422,6 +425,7 @@ class Guardian
def can_send_private_message?(target, notify_moderators: false) def can_send_private_message?(target, notify_moderators: false)
is_user = target.is_a?(User) is_user = target.is_a?(User)
is_group = target.is_a?(Group) is_group = target.is_a?(Group)
from_system = @user.is_system_user?
(is_group || is_user) && (is_group || is_user) &&
# User is authenticated # User is authenticated
@ -435,7 +439,7 @@ class Guardian
# Can't send PMs to suspended users # Can't send PMs to suspended users
(is_staff? || is_group || !target.suspended?) && (is_staff? || is_group || !target.suspended?) &&
# Check group messageable level # Check group messageable level
(is_staff? || is_user || Group.messageable(@user).where(id: target.id).exists? || notify_moderators) && (from_system || is_user || Group.messageable(@user).where(id: target.id).exists? || notify_moderators) &&
# Silenced users can only send PM to staff # Silenced users can only send PM to staff
(!is_silenced? || target.staff?) (!is_silenced? || target.staff?)
end end

13
spec/lib/guardian_spec.rb
View File

@ -336,14 +336,13 @@ describe Guardian do
it "respects the group's messageable_level" do it "respects the group's messageable_level" do
Group::ALIAS_LEVELS.each do |level, _| Group::ALIAS_LEVELS.each do |level, _|
group.update!(messageable_level: Group::ALIAS_LEVELS[level]) group.update!(messageable_level: Group::ALIAS_LEVELS[level])
output = level == :everyone ? true : false user_output = level == :everyone ? true : false
admin_output = level != :nobody
mod_output = [:nobody, :only_admins].exclude?(level)
expect(Guardian.new(user).can_send_private_message?(group)).to eq(output) expect(Guardian.new(user).can_send_private_message?(group)).to eq(user_output)
end expect(Guardian.new(admin).can_send_private_message?(group)).to eq(admin_output)
expect(Guardian.new(moderator).can_send_private_message?(group)).to eq(mod_output)
Group::ALIAS_LEVELS.each do |level, _|
group.update!(messageable_level: Group::ALIAS_LEVELS[level])
expect(Guardian.new(admin).can_send_private_message?(group)).to eq(true)
end end
end end

2
spec/lib/topic_query_spec.rb
View File

@ -1079,7 +1079,7 @@ describe TopicQuery do
end end
let(:group_with_user) do let(:group_with_user) do
group = Fabricate(:group) group = Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone])
group.add(user) group.add(user)
group.save group.save
group group