osr-plastic/osr-discourse-src
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

FIX: Make ChatMessageUpdater check editing access for guardian (#18902)

Browse Source 
Follow up to 766bcbc684

This fixes a gaffe from that commit where I passed in the
guardian to ChatMessageUpdater but then forgot to remove
the old way of setting the guardian and user instance variables
from the chat_message that was passed in.

Also, it moves the ensure_can_edit_message! check from the
controller into ChatMessageUpdater so all the access
checks are in the same place.
This commit is contained in:
Martin Brennan
2022-11-08 09:04:18 +10:00
committed by GitHub
parent 20dc27232e
commit c66743ee3d
4 changed files with 18 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
plugins/chat/spec/components/chat_message_updater_spec.rb
+14 -4
View File
@@ -31,10 +31,7 @@ describe Chat::ChatMessageUpdater do
end
Group.refresh_automatic_groups!
@direct_message_channel =
Chat::DirectMessageChannelCreator.create!(
acting_user: user1,
target_users: [user1, user2],
)
Chat::DirectMessageChannelCreator.create!(acting_user: user1, target_users: [user1, user2])
end
def create_chat_message(user, message, channel, upload_ids: nil)
@@ -71,6 +68,19 @@ describe Chat::ChatMessageUpdater do
expect(chat_message.reload.message).to eq(og_message)
end
it "errors if a user other than the message user is trying to edit the message" do
og_message = "This won't be changed!"
chat_message = create_chat_message(user1, og_message, public_chat_channel)
new_message = "2 short"
updater = Chat::ChatMessageUpdater.update(
guardian: Guardian.new(Fabricate(:user)),
chat_message: chat_message,
new_content: new_message,
)
expect(updater.failed?).to eq(true)
expect(updater.error).to match(Discourse::InvalidAccess)
end
it "it updates a messages content" do
chat_message = create_chat_message(user1, "This will be changed", public_chat_channel)
new_message = "Change to this!"
plugins/chat/spec/requests/chat_controller_spec.rb
+3 -3
View File
@@ -532,7 +532,7 @@ RSpec.describe Chat::ChatController do
it "raises an invalid request" do
put "/chat/#{chat_channel.id}/edit/#{chat_message.id}.json", params: { new_message: "Hi" }
expect(response.status).to eq(403)
expect(response.status).to eq(422)
end
end
@@ -540,7 +540,7 @@ RSpec.describe Chat::ChatController do
sign_in(Fabricate(:user))
put "/chat/#{chat_channel.id}/edit/#{chat_message.id}.json", params: { new_message: "edit!" }
expect(response.status).to eq(403)
expect(response.status).to eq(422)
end
it "errors when staff tries to edit another user's message" do
@@ -551,7 +551,7 @@ RSpec.describe Chat::ChatController do
params: {
new_message: new_message,
}
expect(response.status).to eq(403)
expect(response.status).to eq(422)
end
it "allows a user to edit their own messages" do