additional checks on forum topic visibility

app/controllers/forum_posts_controller.rb

@@ -5,7 +5,10 @@ class ForumPostsController < ApplicationController
   before_filter :check_min_level, :only => [:edit, :show, :update, :destroy, :undelete]
 
   def new
-    @forum_topic = ForumTopic.find(params[:topic_id]) if params[:topic_id]
+    if params[:topic_id]
+      @forum_topic = ForumTopic.find(params[:topic_id]) 
+      raise User::PrivilegeError.new unless @forum_topic.visible?(CurrentUser.user)
+    end
     @forum_post = ForumPost.new_reply(params)
     respond_with(@forum_post)
   end

app/models/forum_post.rb

@@ -16,6 +16,7 @@ class ForumPost < ActiveRecord::Base
   validates_presence_of :body, :creator_id
   validate :validate_topic_is_unlocked
   validate :topic_id_not_invalid
+  validate :topic_is_not_restricted, :on => :create
   before_destroy :validate_topic_is_unlocked
   after_save :delete_topic_if_original_post
   mentionable(
@@ -144,8 +145,18 @@ class ForumPost < ActiveRecord::Base
     end
   end
 
+  def topic_is_not_restricted
+    if topic && !topic.visible?(creator)
+      errors.add(:topic, "restricted")
+    end
+  end
+
   def editable_by?(user)
-    creator_id == user.id || user.is_moderator?
+    (creator_id == user.id || user.is_moderator?) && visible?(user)
+  end
+
+  def visible?(user)
+    user.is_moderator? || (topic.visible?(user) && !is_deleted?)
   end
 
   def update_topic_updated_at_on_create

app/models/forum_topic.rb

@@ -142,7 +142,11 @@ class ForumTopic < ActiveRecord::Base
   include UserLevelMethods
 
   def editable_by?(user)
-    creator_id == user.id || user.is_moderator?
+    (creator_id == user.id || user.is_moderator?) && visible?(user)
+  end
+
+  def visible?(user)
+    user.level >= min_level
   end
 
   def initialize_is_deleted

app/views/forum_posts/_forum_post.html.erb

@@ -1,4 +1,4 @@
-<% if CurrentUser.is_moderator? || !forum_post.is_deleted? %>
+<% if forum_post.visible?(CurrentUser.user) %>
   <article class="forum-post" id="forum_post_<%= forum_post.id %>" data-forum-post-id="<%= forum_post.id %>" data-creator="<%= forum_post.creator.name %>">
     <div class="author">
       <h4>

app/views/forum_topics/show.html.erb

@@ -3,7 +3,7 @@
     <h1>
       Topic: <%= @forum_topic.title %>
 
-      <% if @forum_topic.min_level >= User::Levels::BUILDER %>
+      <% if @forum_topic.min_level >= User::Levels::MODERATOR %>
         <span class="level-topic">(<%= User.level_string(@forum_topic.min_level).downcase %>+ only)</span>
       <% end %>
 

test/functional/forum_posts_controller_test.rb

@@ -45,6 +45,7 @@ class ForumPostsControllerTest < ActionController::TestCase
 
       context "with private topics" do
         setup do
+          CurrentUser.user = @mod
           @mod_topic = FactoryGirl.create(:mod_up_forum_topic)
           @mod_posts = 2.times.map do
             FactoryGirl.create(:forum_post, :topic_id => @mod_topic.id)
@@ -53,6 +54,7 @@ class ForumPostsControllerTest < ActionController::TestCase
         end
 
         should "list only permitted posts for members" do
+          CurrentUser.user = @user
           get :index, {}, { :user_id => @user.id }
 
           assert_response :success

test/functional/forum_topics_controller_test.rb

@@ -18,7 +18,9 @@ class ForumTopicsControllerTest < ActionController::TestCase
 
     context "for a level restricted topic" do
       setup do
-        @forum_topic.update_attribute(:min_level, 50)
+        CurrentUser.user = @mod
+        @forum_topic.update_attribute(:min_level, User::Levels::MODERATOR)
+        CurrentUser.user = @user
       end
 
       should "not allow users to see the topic" do
@@ -42,7 +44,9 @@ class ForumTopicsControllerTest < ActionController::TestCase
         assert_equal(false, @gold_user.reload.has_forum_been_updated?)
 
         # Then adding an unread private topic should not bump.
-        FactoryGirl.create(:forum_post, :topic_id => @forum_topic.id)
+        CurrentUser.scoped(@mod) do
+          FactoryGirl.create(:forum_post, :topic_id => @forum_topic.id)
+        end
         assert_equal(false, @gold_user.reload.has_forum_been_updated?)
       end
     end

test/functional/maintenance/user/login_reminders_controller_test.rb

@@ -34,7 +34,7 @@ module Maintenance
             post :create, {:user => {:email => ""}}
             assert_equal("Email address not found", flash[:notice])
             @blank_email_user.reload
-            assert_equal(@blank_email_user.created_at, @blank_email_user.updated_at)
+            assert_equal(@blank_email_user.created_at.to_i, @blank_email_user.updated_at.to_i)
             assert_equal(0, ActionMailer::Base.deliveries.size)
           end
         end

test/functional/wiki_pages_controller_test.rb

@@ -73,9 +73,9 @@ class WikiPagesControllerTest < ActionController::TestCase
       end
 
       should "destroy a wiki_page" do
-        assert_difference("WikiPage.count", -1) do
+        post :destroy, {:id => @wiki_page.id}, {:user_id => @mod.id}
-          post :destroy, {:id => @wiki_page.id}, {:user_id => @mod.id}
+        @wiki_page.reload
-        end
+        assert_equal(true, @wiki_page.is_deleted?)
       end
     end