Merge pull request #3394 from BrokenEagle/fix-deleted-pools-editable

Add additional restrictions on updating deleted pools

app/controllers/pools_controller.rb

@@ -10,6 +10,9 @@ class PoolsController < ApplicationController
 
   def edit
     @pool = Pool.find(params[:id])
+    if @pool.is_deleted && !@pool.deletable_by?(CurrentUser.user)
+      raise User::PrivilegeError
+    end
     respond_with(@pool)
   end
 

app/models/pool.rb

@@ -8,6 +8,7 @@ class Pool < ApplicationRecord
   validates_inclusion_of :category, :in => %w(series collection)
   validate :updater_can_change_category
   validate :updater_can_remove_posts
+  validate :updater_can_edit_deleted
   belongs_to :creator, :class_name => "User"
   belongs_to :updater, :class_name => "User"
   before_validation :normalize_post_ids
@@ -211,6 +212,15 @@ class Pool < ApplicationRecord
     user.is_builder?
   end
 
+  def updater_can_edit_deleted
+    if is_deleted? && !deletable_by?(CurrentUser.user)
+      errors[:base] << "You cannot update pools that are deleted"
+      false
+    else
+      true
+    end
+  end
+
   def create_mod_action_for_delete
     ModAction.log("deleted pool ##{id} (name: #{name})")
   end