From 285fd82c161706c97bc811839708e58925d7de57 Mon Sep 17 00:00:00 2001
From: joshua stein
Date: Thu, 6 Mar 2014 13:54:30 -0600
Subject: [PATCH] check story tag permissions on editor, not creator
---
 app/controllers/stories_controller.rb | 6 +++---
 app/models/story.rb | 17 +++++++++--------
 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/app/controllers/stories_controller.rb b/app/controllers/stories_controller.rb
index 3bfb258..9416c81 100644
--- a/app/controllers/stories_controller.rb
+++ b/app/controllers/stories_controller.rb
@@ -34,7 +34,7 @@ class StoriesController < ApplicationController
 end
 @story.is_expired = true
- @story.editor_user_id = @user.id
+ @story.editor = @user
 if params[:reason].present? && @story.user_id != @user.id
 @story.moderation_reason = params[:reason]
@@ -151,7 +151,7 @@ class StoriesController < ApplicationController
 end
 @story.is_expired = false
- @story.editor_user_id = @user.id
+ @story.editor = @user
 @story.save(:validate => false)
 redirect_to @story.comments_url
@@ -164,7 +164,7 @@ class StoriesController < ApplicationController
 end
 @story.is_expired = false
- @story.editor_user_id = @user.id
+ @story.editor = @user
 if @story.url_is_editable_by_user?(@user)
 @story.attributes = story_params
diff --git a/app/models/story.rb b/app/models/story.rb
index 152b12a..cca6042 100644
--- a/app/models/story.rb
+++ b/app/models/story.rb
@@ -18,7 +18,7 @@ class Story < ActiveRecord::Base
 attr_accessor :vote, :already_posted_story, :fetched_content, :previewing, :seen_previous
- attr_accessor :editor_user_id, :moderation_reason
+ attr_accessor :editor, :moderation_reason
 before_validation :assign_short_id_and_upvote, :on => :create
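Review bot: `@story.editor = @user` is now assigned identically in all three actions touched here (the hunks at lines 34, 151 and 164), each directly after an `is_expired` assignment; a small private helper that sets both would keep the three call sites in step when a fourth edit path is added. That helper is also where the assignment should be guaranteed, because `editor` is a transient attr_accessor rather than a column: a save path that forgets to set it makes the model silently fall back to the story's author for the tag permission check (`u = self.editor || self.user` in story.rb), which is the very behaviour this commit is moving away from. Each enclosing controller action starts before its hunk.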
@@ -143,13 +143,15 @@ class Story < ActiveRecord::Base
 # this has to happen just before save rather than in tags_a= because we need
 # to have a valid user_id
 def check_tags
+ u = self.editor || self.user
+
 self.taggings.each do |t|
- if !t.tag.valid_for?(self.user)
- raise "#{self.user.username} does not have permission to use " <<
- "privileged tag #{t.tag.tag}"
+ if !t.tag.valid_for?(u)
+ raise "#{u.username} does not have permission to use privileged " <<
+ "tag #{t.tag.tag}"
 elsif t.tag.inactive? && !t.new_record?
 # stories can have inactive tags as long as they existed before
- raise "#{self.user.username} cannot add inactive tag #{t.tag.tag}"
+ raise "#{u.username} cannot add inactive tag #{t.tag.tag}"
 end
 end
@@ -256,15 +258,14 @@ class Story < ActiveRecord::Base
 end
 def log_moderation
- if self.new_record? || !self.editor_user_id ||
- self.editor_user_id == self.user_id
+ if self.new_record? || !self.editor || self.editor.id == self.user_id
 return
 end
 all_changes = self.changes.merge(self.tagging_changes)
 m = Moderation.new
- m.moderator_user_id = self.editor_user_id
+ m.moderator_user_id = self.editor.try(:id)
 m.story_id = self.id
 if all_changes["is_expired"] && self.is_expired?
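Review bot: The privileged-tag guard `if !t.tag.valid_for?(u)` now checks the editor against every tagging on the story, including taggings that already existed before this edit, so an editor who lacks a privileged tag cannot save any other change to a story that already carries it; only the inactive-tag branch scopes itself with `new_record?`. If pre-existing privileged tags are meant to survive such edits, mirror that scoping, e.g. `if t.new_record? && !t.tag.valid_for?(u)`; if the stricter rule is intended, a line in the comment above `def check_tags` saying the check is applied against `editor || user` for all taggings would save the next reader the question. `u = self.editor || self.user` is also nil when neither is set, and `u.username` then fails with a NoMethodError rather than a permission message, so an explicit failure there, or a comment tying it to the user_id requirement the method comment already mentions, would make the intent clear. While here, the unchanged `elsif t.tag.inactive? && !t.new_record?` reads as the opposite of the comment directly above it — it raises for taggings that already existed, not for newly added ones — which is worth confirming since this method is the enforcement point for tag policy.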
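Review bot: `m.moderator_user_id = self.editor.try(:id)` is inconsistent with the new guard above it, which already dereferences `self.editor.id` after the `!self.editor` test has ruled out a nil editor, so `try` can never do anything here and suggests a nil editor is still reachable. Write it as `m.moderator_user_id = self.editor.id` so both lines state the same assumption, or, if the guard is ever loosened, make the guard use the same safe access. Note that `editor` is a transient attr_accessor, so any save path that does not assign it skips moderation logging through the `!self.editor` early return; that matches the old id-based behaviour, but a one-line comment on the guard stating that callers must set `editor` for a moderation entry to be written would make the dependency visible. log_moderation continues past the end of the hunk.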