mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-04-29 12:22:03 +08:00
The suspend/silence endpoint accepted an arbitrary post_id with post_action "edit". Because the edit action had no guardian check, a moderator could target any static doc post (ToS, guidelines, privacy policy) — posts moderators are explicitly blocked from editing — even ones unrelated to the user being suspended. Add the missing can_edit_post? guardian check to the edit action, consistent with the existing checks on delete and delete_replies.
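As an added illustration of the missing check described above (constructed Ruby, not Discourse's own code; `Guardian`, `Post`, `User` and `PostActionDispatcher` are simplified stand-ins for the real classes), here is the unchecked edit branch beside the fixed one:

```ruby
Post = Struct.new(:id, :user_id, :static_doc, keyword_init: true)
User = Struct.new(:id, :moderator, :admin, keyword_init: true)
# Constructed stand-in for Discourse's Guardian: admins may edit anything,
# moderators may edit any post except a static doc, others only their own.
class Guardian
  def initialize(user)
    @user = user
  end

  def can_edit_post?(post)
    return true if @user.admin
    return !post.static_doc if @user.moderator
    post.user_id == @user.id
  end

  def can_delete_post?(_post)
    @user.admin || @user.moderator
  end
end

# Minimal model of the post_action dispatch from the suspend/silence flow.
class PostActionDispatcher
  def initialize(guardian, posts)
    @guardian = guardian
    @posts = posts # post_id => Post
  end

  # Before the fix: "edit" ran no guardian check, so any post_id was accepted.
  def perform_unchecked(post_id, post_action)
    post = @posts.fetch(post_id)
    if %w[delete delete_replies].include?(post_action)
      return :forbidden unless @guardian.can_delete_post?(post)
    end
    :ok
  end

  # After the fix: "edit" requires can_edit_post?, matching delete/delete_replies.
  def perform(post_id, post_action)
    post = @posts.fetch(post_id)
    case post_action
    when "delete", "delete_replies"
      return :forbidden unless @guardian.can_delete_post?(post)
    when "edit"
      return :forbidden unless @guardian.can_edit_post?(post)
    else
      return :unknown_action
    end
    :ok
  end
end
```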