github-mirror/framework
github-mirror/framework
2
0
Fork 0
mirror of https://github.com/flarum/framework.git synced 2025-03-03 11:47:23 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Make "own" permissions depend on the user's ability to reply

Browse Source 
Permission to rename/hide/edit one's own discussion/post is only granted
if the user has permission to reply to the discussion. This makes sense
if you think of these actions as forms of "replying" to a discussion.

Fixes #1419 because suspended users do not have permission to reply to
discussions, therefore they will not be granted these "own" permissions.
This commit is contained in:
Toby Zerner 2018-07-20 10:53:24 +09:30
parent 9fabcff497
commit 698436e7b0
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
framework/core/src/Discussion/DiscussionPolicy.php
View File

@ -123,7 +123,7 @@ class DiscussionPolicy extends AbstractPolicy
*/ */
public function rename(User $actor, Discussion $discussion) public function rename(User $actor, Discussion $discussion)
{ {
if ($discussion->user_id == $actor->id) { if ($discussion->user_id == $actor->id && $actor->can('reply', $discussion)) {
$allowRenaming = $this->settings->get('allow_renaming'); $allowRenaming = $this->settings->get('allow_renaming');
if ($allowRenaming === '-1' if ($allowRenaming === '-1'
@ -141,7 +141,7 @@ class DiscussionPolicy extends AbstractPolicy
*/ */
public function hide(User $actor, Discussion $discussion) public function hide(User $actor, Discussion $discussion)
{ {
if ($discussion->user_id == $actor->id && $discussion->participant_count <= 1) { if ($discussion->user_id == $actor->id && $discussion->participant_count <= 1 && $actor->can('reply', $discussion)) {
return true; return true;
} }
} }

2
framework/core/src/Post/PostPolicy.php
View File

@ -107,7 +107,7 @@ class PostPolicy extends AbstractPolicy
// A post is allowed to be edited if the user has permission to moderate // A post is allowed to be edited if the user has permission to moderate
// the discussion which it's in, or if they are the author and the post // the discussion which it's in, or if they are the author and the post
// hasn't been deleted by someone else. // hasn't been deleted by someone else.
if ($post->user_id == $actor->id && (! $post->hidden_at || $post->hidden_user_id == $actor->id)) { if ($post->user_id == $actor->id && (! $post->hidden_at || $post->hidden_user_id == $actor->id) && $actor->can('reply', $post->discussion)) {
$allowEditing = $this->settings->get('allow_post_editing'); $allowEditing = $this->settings->get('allow_post_editing');
if ($allowEditing === '-1' if ($allowEditing === '-1'