mirror of https://github.com/discourse/discourse.git synced 2025-09-06 10:50:21 +08:00

FIX: you should always be allowed to see actions you created

Sam 2017-06-02 14:23:56 -04:00
parent 007873af3c
commit b4060778d9
2 changed files with 29 additions and 5 deletions


@ -11,12 +11,19 @@ class PostActionUsersController < ApplicationController
post = finder.first post = finder.first
guardian.ensure_can_see!(post) guardian.ensure_can_see!(post)
guardian.ensure_can_see_post_actors!(post.topic, post_action_type_id)
post_actions = post.post_actions.where(post_action_type_id: post_action_type_id) post_actions = post.post_actions.where(post_action_type_id: post_action_type_id)
.includes(:user) .includes(:user)
.order('post_actions.created_at asc') .order('post_actions.created_at asc')
if !guardian.can_see_post_actors?(post.topic, post_action_type_id)
if !current_user
raise Discourse::InvalidAccess
end
post_actions = post_actions.where(user_id: current_user.id)
end
render_serialized(post_actions.to_a, PostActionUserSerializer, root: 'post_action_users') render_serialized(post_actions.to_a, PostActionUserSerializer, root: 'post_action_users')
end end
end end
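Review bot: The new fallback at `if !guardian.can_see_post_actors?(post.topic, post_action_type_id)` turns what used to be a 403 into a 200 with a filtered list, but nothing in the code records the invariant that makes this safe: the only rows returned are the caller's own. I would add a comment above the branch, `# Cannot see all actors: restrict the result to the caller's own actions, never other users'`, so a later edit to the query does not widen it by accident. The nested `if !current_user ... end` reads more clearly as the guard `raise Discourse::InvalidAccess unless current_user`, kept ahead of the `where(user_id: current_user.id)` line as it is now. Keeping this rule in the controller rather than in Guardian also means any other code path that lists post actors will not inherit it, which looks worth confirming. The action begins above the hunk, so where `finder` and `post_action_type_id` come from is not visible here.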


@ -1,7 +1,25 @@
require 'rails_helper' require 'rails_helper'
describe PostActionUsersController do describe PostActionUsersController do
let!(:post) { Fabricate(:post, user: log_in) } let(:post) { Fabricate(:post, user: log_in) }
context 'with render' do
render_views
it 'always allows you to see your own actions' do
notify_mod = PostActionType.types[:notify_moderators]
PostAction.act(post.user, post, notify_mod, message: 'well something is wrong here!')
PostAction.act(Fabricate(:user), post, notify_mod, message: 'well something is not wrong here!')
xhr :get, :index, id: post.id, post_action_type_id: notify_mod
expect(response.status).to eq(200)
json = JSON.parse(response.body)
users = json["post_action_users"]
expect(users.length).to eq(1)
expect(users[0]["id"]).to eq(post.user.id)
end
end
it 'raises an error without an id' do it 'raises an error without an id' do
expect { expect {
@ -21,9 +39,8 @@ describe PostActionUsersController do
expect(response).to be_forbidden expect(response).to be_forbidden
end end
it 'raises an error when the post action type cannot be seen' do it 'raises an error when anon tries to look at an invalid action' do
Guardian.any_instance.expects(:can_see_post_actors?).with(instance_of(Topic), PostActionType.types[:like]).returns(false) xhr :get, :index, id: Fabricate(:post).id, post_action_type_id: PostActionType.types[:notify_moderators]
xhr :get, :index, id: post.id, post_action_type_id: PostActionType.types[:like]
expect(response).to be_forbidden expect(response).to be_forbidden
end end