mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-08 22:15:06 +08:00
96b725a11c
In a PM, if a user has made a post, and is later removed from the PM, they can still edit their own post. This can be done either if they happen to have a composer open in an active tab, or by just manually sending an HTTP request. The post guardian is missing a basic check, can_see_post_topic? when we determine whether a user can edit a post or not. This basic check is already in place when we determine whether a user can see the post in the first place. This PR adds in the missing check, so that if the user tries to edit their post after being removed, they'll receive a 403. It also adds a MessageBus message scoped to the affected user and topic when they are removed from the PM, which will redirect them to their inbox. This helps avoid a stale tab where they are still in the PM which they by right can now no longer see. |
||
|---|---|---|
| .. | ||
| bookmark_guardian.rb | ||
| category_guardian.rb | ||
| ensure_magic.rb | ||
| flag_guardian.rb | ||
| group_guardian.rb | ||
| post_guardian.rb | ||
| post_revision_guardian.rb | ||
| sidebar_guardian.rb | ||
| tag_guardian.rb | ||
| topic_guardian.rb | ||
| user_guardian.rb | ||
