discourse/spec/lib/guardian/post_guardian_spec.rb
Martin Brennan 61bd7d5d11
FIX: Anon users could not edit their own posts ()
Followup 3094f32ff5,
this fixes an issue with the logic in this commit where
we were returning false if any of the conditionals here
were false, regardless of the type of `obj`, where we should
have only done this if `obj` was a `PostAction`, which lead
us to return false in cases where we were checking if the
user could edit their own post as anon.
2024-03-22 08:12:12 +10:00

102 lines
3.6 KiB
Ruby

# frozen_string_literal: true
RSpec.describe PostGuardian do
fab!(:groupless_user) { Fabricate(:user) }
fab!(:user) { Fabricate(:user, refresh_auto_groups: true) }
fab!(:anon) { Fabricate(:anonymous) }
fab!(:admin)
fab!(:moderator)
fab!(:group)
fab!(:group_user) { Fabricate(:group_user, group: group, user: user) }
fab!(:category)
fab!(:topic) { Fabricate(:topic, category: category) }
fab!(:hidden_post) { Fabricate(:post, topic: topic, hidden: true) }
fab!(:post) { Fabricate(:post, topic: topic) }
describe "#can_see_hidden_post?" do
context "when the hidden_post_visible_groups contains everyone" do
before { SiteSetting.hidden_post_visible_groups = "#{Group::AUTO_GROUPS[:everyone]}" }
it "returns true for everyone" do
expect(Guardian.new(anon).can_see_hidden_post?(hidden_post)).to eq(true)
expect(Guardian.new(user).can_see_hidden_post?(hidden_post)).to eq(true)
expect(Guardian.new(admin).can_see_hidden_post?(hidden_post)).to eq(true)
expect(Guardian.new(moderator).can_see_hidden_post?(hidden_post)).to eq(true)
end
end
context "when the post is a created by the user" do
fab!(:hidden_post) { Fabricate(:post, topic: topic, hidden: true, user: user) }
before { SiteSetting.hidden_post_visible_groups = "" }
it "returns true for the author" do
SiteSetting.hidden_post_visible_groups = ""
expect(Guardian.new(user).can_see_hidden_post?(hidden_post)).to eq(true)
end
end
context "when the post is a created by another user" do
before { SiteSetting.hidden_post_visible_groups = "14|#{group.id}" }
it "returns true for staff users" do
expect(Guardian.new(admin).can_see_hidden_post?(hidden_post)).to eq(true)
expect(Guardian.new(moderator).can_see_hidden_post?(hidden_post)).to eq(true)
end
it "returns false for anonymous users" do
expect(Guardian.new(anon).can_see_hidden_post?(hidden_post)).to eq(false)
end
it "returns true if the user is in hidden_post_visible_groups" do
expect(Guardian.new(user).can_see_hidden_post?(hidden_post)).to eq(true)
end
it "returns false if the user is not in hidden_post_visible_groups" do
expect(Guardian.new(groupless_user).can_see_hidden_post?(hidden_post)).to eq(false)
end
end
end
describe "#is_in_edit_post_groups?" do
it "returns true if the user is in edit_all_post_groups" do
SiteSetting.edit_all_post_groups = group.id.to_s
expect(Guardian.new(user).is_in_edit_post_groups?).to eq(true)
end
it "returns false if the user is not in edit_all_post_groups" do
SiteSetting.edit_all_post_groups = Group::AUTO_GROUPS[:trust_level_4]
expect(Guardian.new(Fabricate(:trust_level_3)).is_in_edit_post_groups?).to eq(false)
end
it "returns false if the edit_all_post_groups is empty" do
SiteSetting.edit_all_post_groups = nil
expect(Guardian.new(user).is_in_edit_post_groups?).to eq(false)
end
end
describe "#can_edit_post?" do
it "returns true for the author" do
post.update!(user: user)
expect(Guardian.new(user).can_edit_post?(post)).to eq(true)
end
it "returns false for users who are not the author" do
expect(Guardian.new(user).can_edit_post?(post)).to eq(false)
end
it "returns true for admins who are not the author" do
expect(Guardian.new(admin).can_edit_post?(post)).to eq(true)
end
it "returns true for the author if they are anonymous" do
SiteSetting.allow_anonymous_posting = true
post.update!(user: anon)
expect(Guardian.new(anon).can_edit_post?(post)).to eq(true)
end
end
end