mirror of
https://github.com/discourse/discourse.git
synced 2026-03-04 01:15:08 +08:00
395e793092
The ReviewableNotesController used an unscoped Reviewable.find which allowed category group moderators to create/delete notes on any reviewable, including those in categories they do not moderate. Replace with Reviewable.viewable_by to properly scope the lookup.
43 lines
1.1 KiB
Ruby
43 lines
1.1 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class ReviewableNotesController < ApplicationController
|
|
before_action :ensure_can_see
|
|
before_action :find_reviewable
|
|
|
|
def create
|
|
note = @reviewable.reviewable_notes.build(note_params)
|
|
note.user = current_user
|
|
|
|
if note.save
|
|
# Reload to ensure associations are loaded
|
|
note.reload
|
|
render json: ReviewableNoteSerializer.new(note, scope: guardian, root: false)
|
|
else
|
|
render json: { errors: note.errors.full_messages }, status: :unprocessable_entity
|
|
end
|
|
end
|
|
|
|
def destroy
|
|
note = @reviewable.reviewable_notes.find(params[:note_id])
|
|
|
|
# Only allow the author or admin to delete notes
|
|
raise Discourse::InvalidAccess unless note.user == current_user || current_user.admin?
|
|
|
|
note.destroy!
|
|
render json: success_json
|
|
end
|
|
|
|
private
|
|
|
|
def find_reviewable
|
|
@reviewable = Reviewable.viewable_by(current_user, preload: false).find(params[:reviewable_id])
|
|
end
|
|
|
|
def note_params
|
|
params.require(:reviewable_note).permit(:content)
|
|
end
|
|
|
|
def ensure_can_see
|
|
Guardian.new(current_user).ensure_can_see_review_queue!
|
|
end
|
|
end
|
