FIX: Guardian#can_remove_allowed_users? shouldn't break for ownerless topics

A topic can outlive its original author. TopicGuardian should still work in this situation.
2025-02-17 07:23:15 +08:00 · 2020-06-19 10:04:05 +01:00 · 2020-06-19 10:04:05 +01:00 · 9cf77372a2
commit 9cf77372a2
parent 3e161e372a
2 changed files with 16 additions and 1 deletions
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@ -5,7 +5,7 @@ module TopicGuardian

  def can_remove_allowed_users?(topic, target_user = nil)
    is_staff? ||
-    (topic.user == user && user.has_trust_level?(TrustLevel[2])) ||
+    (topic.user == @user && @user.has_trust_level?(TrustLevel[2])) ||
    (
      topic.allowed_users.count > 1 &&
      topic.user != target_user &&
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@ -3503,6 +3503,21 @@ describe Guardian do
        end
      end
    end
+
+    context "anonymous users" do
+      fab!(:topic) { Fabricate(:topic) }
+
+      it 'should be false' do
+        expect(Guardian.new.can_remove_allowed_users?(topic)).to eq(false)
+      end
+
+      it 'should be false when the topic does not have a user (for example because the user was removed)' do
+        DB.exec("UPDATE topics SET user_id=NULL WHERE id=#{topic.id}")
+        topic.reload
+
+        expect(Guardian.new.can_remove_allowed_users?(topic)).to eq(false)
+      end
+    end
  end

  describe '#auth_token' do