From 698436e7b08c5acf26db1a095508b3b8f0c217bf Mon Sep 17 00:00:00 2001
From: Toby Zerner
Date: Fri, 20 Jul 2018 10:53:24 +0930
Subject: [PATCH] Make "own" permissions depend on the user's ability to reply

Permission to rename/hide/edit one's own discussion/post is only granted if the user has permission to reply to the discussion. This makes sense if you think of these actions as forms of "replying" to a discussion.

Fixes #1419 because suspended users do not have permission to reply to discussions, therefore they will not be granted these "own" permissions.
---
 framework/core/src/Discussion/DiscussionPolicy.php | 4 ++--
 framework/core/src/Post/PostPolicy.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/framework/core/src/Discussion/DiscussionPolicy.php b/framework/core/src/Discussion/DiscussionPolicy.php
index b0d462f80..5fcbd77aa 100644
--- a/framework/core/src/Discussion/DiscussionPolicy.php
+++ b/framework/core/src/Discussion/DiscussionPolicy.php
@@ -123,7 +123,7 @@ class DiscussionPolicy extends AbstractPolicy
 */
 public function rename(User $actor, Discussion $discussion)
 {
- if ($discussion->user_id == $actor->id) {
+ if ($discussion->user_id == $actor->id && $actor->can('reply', $discussion)) {
 $allowRenaming = $this->settings->get('allow_renaming');
 
 if ($allowRenaming === '-1'
@@ -141,7 +141,7 @@ class DiscussionPolicy extends AbstractPolicy
 */
 public function hide(User $actor, Discussion $discussion)
 {
- if ($discussion->user_id == $actor->id && $discussion->participant_count <= 1) {
+ if ($discussion->user_id == $actor->id && $discussion->participant_count <= 1 && $actor->can('reply', $discussion)) {
 return true;
 }
 }
diff --git a/framework/core/src/Post/PostPolicy.php b/framework/core/src/Post/PostPolicy.php
index 0ed52e9d1..b3ea4076e 100644
--- a/framework/core/src/Post/PostPolicy.php
+++ b/framework/core/src/Post/PostPolicy.php
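Review bot: The new guard in rename ties an author's "own" right to whatever every registered policy decides for `reply`, so any gate that denies replying (suspension is the case the commit targets; a policy that denies `reply` on locked discussions, if one exists, would behave the same) now also removes rename, and nothing at the call site records that this is intended. The same coupling is added in hide in the next hunk and in PostPolicy::edit. I would put a one-line comment above each condition, `// "Own" actions are treated as a form of replying: an author keeps them only while they can still reply to the discussion.`; the docblock whose `*/` closes just above the hunk may already say this, but its text lies outside the hunk. The changed line also keeps the loose `==` for the ownership test; `(int) $discussion->user_id === (int) $actor->id` would make it strict, consistent with the `=== '-1'` comparison a few lines later. Both method bodies continue outside their hunks.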
@@ -107,7 +107,7 @@ class PostPolicy extends AbstractPolicy
 // A post is allowed to be edited if the user has permission to moderate
 // the discussion which it's in, or if they are the author and the post
 // hasn't been deleted by someone else.
- if ($post->user_id == $actor->id && (! $post->hidden_at || $post->hidden_user_id == $actor->id)) {
+ if ($post->user_id == $actor->id && (! $post->hidden_at || $post->hidden_user_id == $actor->id) && $actor->can('reply', $post->discussion)) {
 $allowEditing = $this->settings->get('allow_post_editing');
 
 if ($allowEditing === '-1'
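Review bot: The three-line comment kept above the changed condition is now stale: it still describes the author case as "the author and the post hasn't been deleted by someone else", while the new line additionally requires `$actor->can('reply', $post->discussion)`; I would extend its last line to `// hasn't been deleted by someone else and they can still reply to the discussion.`. The new check also dereferences `$post->discussion`, which presumably resolves a relation: if it is not eager-loaded, each edit check on a page of posts may issue its own query, and if it resolves to null the `reply` policy is asked about a null subject, so it is worth confirming how that policy treats a missing discussion. If null is possible here, `$post->discussion !== null && $actor->can('reply', $post->discussion)` keeps the decision explicit. edit's body continues outside the hunk.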