additional checks on forum topic visibility

2016-11-04 16:24:54 -07:00
parent a22a7c3302
commit eb6746a8a8
9 changed files with 35 additions and 11 deletions
--- a/app/controllers/forum_posts_controller.rb
+++ b/app/controllers/forum_posts_controller.rb
@@ -5,7 +5,10 @@ class ForumPostsController < ApplicationController
  before_filter :check_min_level, :only => [:edit, :show, :update, :destroy, :undelete]

  def new
-    @forum_topic = ForumTopic.find(params[:topic_id]) if params[:topic_id]
+    if params[:topic_id]
+      @forum_topic = ForumTopic.find(params[:topic_id]) 
+      raise User::PrivilegeError.new unless @forum_topic.visible?(CurrentUser.user)
+    end
    @forum_post = ForumPost.new_reply(params)
    respond_with(@forum_post)
  end
--- a/app/models/forum_post.rb
+++ b/app/models/forum_post.rb
@@ -16,6 +16,7 @@ class ForumPost < ActiveRecord::Base
  validates_presence_of :body, :creator_id
  validate :validate_topic_is_unlocked
  validate :topic_id_not_invalid
+  validate :topic_is_not_restricted, :on => :create
  before_destroy :validate_topic_is_unlocked
  after_save :delete_topic_if_original_post
  mentionable(
@@ -144,8 +145,18 @@ class ForumPost < ActiveRecord::Base
    end
  end

+  def topic_is_not_restricted
+    if topic && !topic.visible?(creator)
+      errors.add(:topic, "restricted")
+    end
+  end
+
  def editable_by?(user)
-    creator_id == user.id || user.is_moderator?
+    (creator_id == user.id || user.is_moderator?) && visible?(user)
+  end
+
+  def visible?(user)
+    user.is_moderator? || (topic.visible?(user) && !is_deleted?)
  end

  def update_topic_updated_at_on_create
--- a/app/models/forum_topic.rb
+++ b/app/models/forum_topic.rb
@@ -142,7 +142,11 @@ class ForumTopic < ActiveRecord::Base
  include UserLevelMethods

  def editable_by?(user)
-    creator_id == user.id || user.is_moderator?
+    (creator_id == user.id || user.is_moderator?) && visible?(user)
+  end
+
+  def visible?(user)
+    user.level >= min_level
  end

  def initialize_is_deleted
--- a/app/views/forum_posts/_forum_post.html.erb
+++ b/app/views/forum_posts/_forum_post.html.erb
@@ -1,4 +1,4 @@
-<% if CurrentUser.is_moderator? || !forum_post.is_deleted? %>
+<% if forum_post.visible?(CurrentUser.user) %>
  <article class="forum-post" id="forum_post_<%= forum_post.id %>" data-forum-post-id="<%= forum_post.id %>" data-creator="<%= forum_post.creator.name %>">
    <div class="author">
      <h4>
--- a/app/views/forum_topics/show.html.erb
+++ b/app/views/forum_topics/show.html.erb
@@ -3,7 +3,7 @@
    <h1>
      Topic: <%= @forum_topic.title %>

-      <% if @forum_topic.min_level >= User::Levels::BUILDER %>
+      <% if @forum_topic.min_level >= User::Levels::MODERATOR %>
        <span class="level-topic">(<%= User.level_string(@forum_topic.min_level).downcase %>+ only)</span>
      <% end %>

--- a/test/functional/forum_posts_controller_test.rb
+++ b/test/functional/forum_posts_controller_test.rb
@@ -45,6 +45,7 @@ class ForumPostsControllerTest < ActionController::TestCase

      context "with private topics" do
        setup do
+          CurrentUser.user = @mod
          @mod_topic = FactoryGirl.create(:mod_up_forum_topic)
          @mod_posts = 2.times.map do
            FactoryGirl.create(:forum_post, :topic_id => @mod_topic.id)
@@ -53,6 +54,7 @@ class ForumPostsControllerTest < ActionController::TestCase
        end

        should "list only permitted posts for members" do
+          CurrentUser.user = @user
          get :index, {}, { :user_id => @user.id }

          assert_response :success
--- a/test/functional/forum_topics_controller_test.rb
+++ b/test/functional/forum_topics_controller_test.rb
@@ -18,7 +18,9 @@ class ForumTopicsControllerTest < ActionController::TestCase

    context "for a level restricted topic" do
      setup do
-        @forum_topic.update_attribute(:min_level, 50)
+        CurrentUser.user = @mod
+        @forum_topic.update_attribute(:min_level, User::Levels::MODERATOR)
+        CurrentUser.user = @user
      end

      should "not allow users to see the topic" do
@@ -42,7 +44,9 @@ class ForumTopicsControllerTest < ActionController::TestCase
        assert_equal(false, @gold_user.reload.has_forum_been_updated?)

        # Then adding an unread private topic should not bump.
-        FactoryGirl.create(:forum_post, :topic_id => @forum_topic.id)
+        CurrentUser.scoped(@mod) do
+          FactoryGirl.create(:forum_post, :topic_id => @forum_topic.id)
+        end
        assert_equal(false, @gold_user.reload.has_forum_been_updated?)
      end
    end
--- a/test/functional/maintenance/user/login_reminders_controller_test.rb
+++ b/test/functional/maintenance/user/login_reminders_controller_test.rb
@@ -34,7 +34,7 @@ module Maintenance
            post :create, {:user => {:email => ""}}
            assert_equal("Email address not found", flash[:notice])
            @blank_email_user.reload
-            assert_equal(@blank_email_user.created_at, @blank_email_user.updated_at)
+            assert_equal(@blank_email_user.created_at.to_i, @blank_email_user.updated_at.to_i)
            assert_equal(0, ActionMailer::Base.deliveries.size)
          end
        end
--- a/test/functional/wiki_pages_controller_test.rb
+++ b/test/functional/wiki_pages_controller_test.rb
@@ -73,9 +73,9 @@ class WikiPagesControllerTest < ActionController::TestCase
      end

      should "destroy a wiki_page" do
-        assert_difference("WikiPage.count", -1) do
-          post :destroy, {:id => @wiki_page.id}, {:user_id => @mod.id}
-        end
+        post :destroy, {:id => @wiki_page.id}, {:user_id => @mod.id}
+        @wiki_page.reload
+        assert_equal(true, @wiki_page.is_deleted?)
      end
    end