mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-11 04:41:20 +08:00
e229fa65a5
Admins can view the list of invites created by other users and they can see the delete button for invites in the list, but it currently doesn't actually delete anything due to a bug in the `invites#destroy` controller action where it looks up the invite record by the given id and expects it to be created by the current user, but when an invite is being deleted by an admin, this logic fails because the invite isn't created by the admin. This commit fixes the issue by removing this check for current user and adding a proper guardian check that validates the action is performed by either the user who created the invite or an admin. Internal topic: t/158288. |
||
|---|---|---|
| .. | ||
| bookmark_guardian.rb | ||
| category_guardian.rb | ||
| ensure_magic.rb | ||
| flag_guardian.rb | ||
| group_guardian.rb | ||
| invite_guardian.rb | ||
| localization_guardian.rb | ||
| post_guardian.rb | ||
| post_revision_guardian.rb | ||
| sidebar_guardian.rb | ||
| tag_guardian.rb | ||
| topic_guardian.rb | ||
| user_guardian.rb | ||
