check story tag permissions on editor, not creator

2014-03-06 13:54:30 -06:00 · 2014-03-06 13:54:30 -06:00 · 285fd82c16
parent d729d0ad99
commit 285fd82c16
2 changed files with 12 additions and 11 deletions
--- a/app/controllers/stories_controller.rb
+++ b/app/controllers/stories_controller.rb
@ -34,7 +34,7 @@ class StoriesController < ApplicationController
    end

    @story.is_expired = true
-    @story.editor_user_id = @user.id
+    @story.editor = @user

    if params[:reason].present? && @story.user_id != @user.id
      @story.moderation_reason = params[:reason]
@ -151,7 +151,7 @@ class StoriesController < ApplicationController
    end

    @story.is_expired = false
-    @story.editor_user_id = @user.id
+    @story.editor = @user
    @story.save(:validate => false)

    redirect_to @story.comments_url
@ -164,7 +164,7 @@ class StoriesController < ApplicationController
    end

    @story.is_expired = false
-    @story.editor_user_id = @user.id
+    @story.editor = @user

    if @story.url_is_editable_by_user?(@user)
      @story.attributes = story_params
--- a/app/models/story.rb
+++ b/app/models/story.rb
@ -18,7 +18,7 @@ class Story < ActiveRecord::Base

  attr_accessor :vote, :already_posted_story, :fetched_content, :previewing,
    :seen_previous
-  attr_accessor :editor_user_id, :moderation_reason
+  attr_accessor :editor, :moderation_reason

  before_validation :assign_short_id_and_upvote,
    :on => :create
@ -143,13 +143,15 @@ class Story < ActiveRecord::Base
  # this has to happen just before save rather than in tags_a= because we need
  # to have a valid user_id
  def check_tags
+    u = self.editor || self.user
+
    self.taggings.each do |t|
-      if !t.tag.valid_for?(self.user)
-        raise "#{self.user.username} does not have permission to use " <<
-          "privileged tag #{t.tag.tag}"
+      if !t.tag.valid_for?(u)
+        raise "#{u.username} does not have permission to use privileged " <<
+          "tag #{t.tag.tag}"
      elsif t.tag.inactive? && !t.new_record?
        # stories can have inactive tags as long as they existed before
-        raise "#{self.user.username} cannot add inactive tag #{t.tag.tag}"
+        raise "#{u.username} cannot add inactive tag #{t.tag.tag}"
      end
    end

@ -256,15 +258,14 @@ class Story < ActiveRecord::Base
  end

  def log_moderation
-    if self.new_record? || !self.editor_user_id ||
-    self.editor_user_id == self.user_id
+    if self.new_record? || !self.editor || self.editor.id == self.user_id
      return
    end

    all_changes = self.changes.merge(self.tagging_changes)

    m = Moderation.new
-    m.moderator_user_id = self.editor_user_id
+    m.moderator_user_id = self.editor.try(:id)
    m.story_id = self.id

    if all_changes["is_expired"] && self.is_expired?