Only check for bypassTagCounts permission for startDiscussion ability (#130)

This doesn't fix anything, but we should explicitly only check the permission for the ability it is meant for, just to be safe in the future. Also add more tests.
2024-11-29 21:11:55 +08:00 · 2021-05-11 21:35:10 +01:00 · 2021-05-11 21:35:10 +01:00 · fffedb4e1d
commit fffedb4e1d
parent a0f9416f90
4 changed files with 115 additions and 5 deletions
--- a/extensions/tags/composer.json
+++ b/extensions/tags/composer.json
@ -61,7 +61,7 @@
        "test:setup": "Sets up a database for use with integration tests. Execute this only once."
    },
    "require-dev": {
-        "flarum/core": "0.1.x-dev",
+        "flarum/core": "0.1.x-dev#b2d053f6865e685ebf005e457d970385377bbb28",
        "flarum/testing": "*@dev"
    }
 }
--- a/extensions/tags/src/Access/GlobalPolicy.php
+++ b/extensions/tags/src/Access/GlobalPolicy.php
@ -36,11 +36,13 @@ class GlobalPolicy extends AbstractPolicy
        static $enoughPrimary;
        static $enoughSecondary;

-        if (in_array($ability, ['viewDiscussions', 'startDiscussion'])) {
-            if ($actor->hasPermission($ability) && $actor->hasPermission('bypassTagCounts')) {
-                return $this->allow();
-            }
+        if ($ability === 'startDiscussion'
+            && $actor->hasPermission($ability)
+            && $actor->hasPermission('bypassTagCounts')) {
+            return $this->allow();
+        }

+        if (in_array($ability, ['viewDiscussions', 'startDiscussion'])) {
            if (! isset($enoughPrimary[$actor->id][$ability])) {
                $enoughPrimary[$actor->id][$ability] = Tag::whereHasPermission($actor, $ability)
                    ->where('tags.position', '!=', null)
--- a/extensions/tags/tests/integration/api/discussions/CreateTest.php
+++ b/extensions/tags/tests/integration/api/discussions/CreateTest.php
@ -87,6 +87,34 @@ class CreateTest extends TestCase
        $this->assertEquals(422, $response->getStatusCode());
    }

+    /**
+     * @test
+     */
+    public function user_can_create_discussion_without_tags_if_bypass_permission_granted()
+    {
+        $this->prepareDatabase([
+            'group_permission' => [
+                ['group_id' => Group::MEMBER_ID, 'permission' => 'bypassTagCounts'],
+            ]
+        ]);
+
+        $response = $this->send(
+            $this->request('POST', '/api/discussions', [
+                'authenticatedAs' => 2,
+                'json' => [
+                    'data' => [
+                        'attributes' => [
+                            'title' => 'test - too-obscure',
+                            'content' => 'predetermined content for automated testing - too-obscure',
+                        ],
+                    ]
+                ],
+            ])
+        );
+
+        $this->assertEquals(201, $response->getStatusCode());
+    }
+
    /**
     * @test
     */
@ -145,6 +173,41 @@ class CreateTest extends TestCase
        $this->assertEquals(403, $response->getStatusCode());
    }

+    /**
+     * @test
+     */
+    public function user_cant_create_discussion_in_primary_tag_where_can_view_but_cant_start_with_bypass_permission_granted()
+    {
+        $this->prepareDatabase([
+            'group_permission' => [
+                ['group_id' => Group::MEMBER_ID, 'permission' => 'bypassTagCounts'],
+            ]
+        ]);
+
+        $response = $this->send(
+            $this->request('POST', '/api/discussions', [
+                'authenticatedAs' => 2,
+                'json' => [
+                    'data' => [
+                        'attributes' => [
+                            'title' => 'test - too-obscure',
+                            'content' => 'predetermined content for automated testing - too-obscure',
+                        ],
+                        'relationships' => [
+                            'tags' => [
+                                'data' => [
+                                    ['type' => 'tags', 'id' => 5]
+                                ]
+                            ]
+                        ]
+                    ],
+                ],
+            ])
+        );
+
+        $this->assertEquals(403, $response->getStatusCode());
+    }
+
    /**
     * @test
     */
--- a/extensions/tags/tests/integration/authorization/GlobalPolicyTest.php
+++ b/extensions/tags/tests/integration/authorization/GlobalPolicyTest.php
@ -113,4 +113,49 @@ class GlobalPolicyTest extends TestCase

        $this->assertTrue(User::find(2)->can('startDiscussion'));
    }
+
+    /**
+     * @test
+     */
+    public function cant_start_discussion_globally_if_permission_in_insufficient_tags_requires_start_discussion_regardless_of_bypass()
+    {
+        $this->prepareDatabase([
+            'group_permission' => [
+                ['group_id' => Group::MEMBER_ID, 'permission' => 'bypassTagCounts'],
+            ]
+        ]);
+
+        $this->database()->table('group_permission')->where('permission', 'startDiscussion')->delete();
+
+        $this->assertFalse(User::find(2)->can('startDiscussion'));
+    }
+
+    /**
+     * @test
+     */
+    public function can_start_discussion_globally_if_start_discussion_and_bypass_allows_regardless_of_tag_count()
+    {
+        $this->prepareDatabase([
+            'group_permission' => [
+                ['group_id' => Group::MEMBER_ID, 'permission' => 'bypassTagCounts'],
+            ]
+        ]);
+
+        $this->app();
+
+        $this->assertTrue(User::find(2)->can('startDiscussion'));
+    }
+
+    /**
+     * @test
+     */
+    public function can_start_discussion_globally_if_sufficient_tags_and_allows_regardless_of_start_discussion_and_bypass()
+    {
+        $this->database()->table('group_permission')->where('permission', 'bypassTagCounts')->delete();
+
+        $this->setting('flarum-tags.min_primary_tags', 0);
+        $this->setting('flarum-tags.min_secondary_tags', 1);
+
+        $this->assertTrue(User::find(2)->can('startDiscussion'));
+    }
 }