From cef2d8dc825bf5401a094f2d65c03463260576a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Fri, 7 Feb 2014 07:08:56 -0800
Subject: [PATCH] BUGFIX: make sure moderators can't view topics they aren't allowed to
---
 lib/topic_query.rb | 2 +-
 spec/components/topic_query_spec.rb | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/topic_query.rb b/lib/topic_query.rb
index cee6faf2bdd..f0b097e108c 100644
--- a/lib/topic_query.rb
+++ b/lib/topic_query.rb
@@ -265,7 +265,7 @@ class TopicQuery
 end
 guardian = Guardian.new(@user)
- unless guardian.is_staff?
+ if !guardian.is_admin?
 allowed_ids = guardian.allowed_category_ids
 if allowed_ids.length > 0
 result = result.where('topics.category_id IS NULL or topics.category_id IN (?)', allowed_ids)
diff --git a/spec/components/topic_query_spec.rb b/spec/components/topic_query_spec.rb
index a530aa87baf..f0bcc754940 100644
--- a/spec/components/topic_query_spec.rb
+++ b/spec/components/topic_query_spec.rb
@@ -8,7 +8,7 @@ describe TopicQuery do
 let(:topic_query) { TopicQuery.new(user) }
 let(:moderator) { Fabricate(:moderator) }
- let(:admin) { Fabricate(:moderator) }
+ let(:admin) { Fabricate(:admin) }
 context 'secure category' do
@@ -27,8 +27,10 @@ describe TopicQuery do
 Topic.top_viewed(10).count.should == 0
 Topic.recent(10).count.should == 0
- # mods can see every group and hidden topics
- TopicQuery.new(moderator).list_latest.topics.count.should == 2
+ # mods can see hidden topics
+ TopicQuery.new(moderator).list_latest.topics.count.should == 1
+ # admins can see all the topics
+ TopicQuery.new(admin).list_latest.topics.count.should == 2
 group.add(user)
 group.save
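Review bot: The new `if !guardian.is_admin?` guard in lib/topic_query.rb carries an access-control decision with no comment explaining it, so a later reader could easily "simplify" it back to the staff check. I would write it as `unless guardian.is_admin?`, matching the form of the line it replaces, with a comment above it such as `# Only admins bypass secure-category filtering; moderators are limited to guardian.allowed_category_ids`. The block continues past the end of the hunk (the `if allowed_ids.length > 0` branch is cut off), so the handling of an empty allowed list is not visible here and is worth checking: it should fail closed for a moderator with no allowed categories. Any other listing path that still branches on `is_staff?` for category visibility, if one exists, would need the same change.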
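Review bot: The moderator assertion `TopicQuery.new(moderator).list_latest.topics.count.should == 1` in the last spec hunk only pins a count, so it would still pass if the one topic returned were the secure-category topic rather than the hidden one. For an access-control regression test, also assert on identity, for example `TopicQuery.new(moderator).list_latest.topics.should_not include(secure_topic)`, where `secure_topic` is a placeholder for whatever the spec calls the topic in the restricted category (its setup is outside the hunk). A second case for a moderator who has been added to the group would confirm that the filter opens up as well as closes.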