additional checks on forum topic visibility

2016-11-04 16:24:54 -07:00
parent a22a7c3302
commit eb6746a8a8
9 changed files with 35 additions and 11 deletions
--- a/app/controllers/forum_posts_controller.rb
+++ b/app/controllers/forum_posts_controller.rb
@@ -5,7 +5,10 @@ class ForumPostsController < ApplicationController
  before_filter :check_min_level, :only => [:edit, :show, :update, :destroy, :undelete]

  def new
-    @forum_topic = ForumTopic.find(params[:topic_id]) if params[:topic_id]
+    if params[:topic_id]
+      @forum_topic = ForumTopic.find(params[:topic_id]) 
+      raise User::PrivilegeError.new unless @forum_topic.visible?(CurrentUser.user)
+    end
    @forum_post = ForumPost.new_reply(params)
    respond_with(@forum_post)
  end
--- a/app/models/forum_post.rb
+++ b/app/models/forum_post.rb
@@ -16,6 +16,7 @@ class ForumPost < ActiveRecord::Base
  validates_presence_of :body, :creator_id
  validate :validate_topic_is_unlocked
  validate :topic_id_not_invalid
+  validate :topic_is_not_restricted, :on => :create
  before_destroy :validate_topic_is_unlocked
  after_save :delete_topic_if_original_post
  mentionable(
@@ -144,8 +145,18 @@ class ForumPost < ActiveRecord::Base
    end
  end

+  def topic_is_not_restricted
+    if topic && !topic.visible?(creator)
+      errors.add(:topic, "restricted")
+    end
+  end
+
  def editable_by?(user)
-    creator_id == user.id || user.is_moderator?
+    (creator_id == user.id || user.is_moderator?) && visible?(user)
+  end
+
+  def visible?(user)
+    user.is_moderator? || (topic.visible?(user) && !is_deleted?)
  end

  def update_topic_updated_at_on_create
--- a/app/models/forum_topic.rb
+++ b/app/models/forum_topic.rb
@@ -142,7 +142,11 @@ class ForumTopic < ActiveRecord::Base
  include UserLevelMethods

  def editable_by?(user)
-    creator_id == user.id || user.is_moderator?
+    (creator_id == user.id || user.is_moderator?) && visible?(user)
+  end
+
+  def visible?(user)
+    user.level >= min_level
  end

  def initialize_is_deleted
--- a/app/views/forum_posts/_forum_post.html.erb
+++ b/app/views/forum_posts/_forum_post.html.erb
@@ -1,4 +1,4 @@
-<% if CurrentUser.is_moderator? || !forum_post.is_deleted? %>
+<% if forum_post.visible?(CurrentUser.user) %>
  <article class="forum-post" id="forum_post_<%= forum_post.id %>" data-forum-post-id="<%= forum_post.id %>" data-creator="<%= forum_post.creator.name %>">
    <div class="author">
      <h4>
--- a/app/views/forum_topics/show.html.erb
+++ b/app/views/forum_topics/show.html.erb
@@ -3,7 +3,7 @@
    <h1>
      Topic: <%= @forum_topic.title %>

-      <% if @forum_topic.min_level >= User::Levels::BUILDER %>
+      <% if @forum_topic.min_level >= User::Levels::MODERATOR %>
        <span class="level-topic">(<%= User.level_string(@forum_topic.min_level).downcase %>+ only)</span>
      <% end %>