meriksson
(Martin Eriksson)
7. Januar 2017 um 21:26
1
When creating a topic, the guardian check for permission to create is bypassed if skip_validations is set to true:
if topic_params[:import_mode] && @opts[:views].to_i > 0
topic_params[:views] = @opts[:views].to_i
end
# Automatically give it a moderator warning subtype if specified
topic_params[:subtype] = TopicSubtype.moderator_warning if @opts[:is_warning]
category = find_category
@guardian.ensure_can_create!(Topic, category) unless (@opts[:skip_validations] || @opts[:archetype] == Archetype.private_message)
topic_params[:category_id] = category.id if category.present?
topic_params[:created_at] = Time.zone.parse(@opts[:created_at].to_s) if @opts[:created_at].present?
topic_params[:pinned_at] = Time.zone.parse(@opts[:pinned_at].to_s) if @opts[:pinned_at].present?
topic_params[:pinned_globally] = @opts[:pinned_globally] if @opts[:pinned_globally].present?
if SiteSetting.topic_featured_link_enabled && @opts[:featured_link].present? && @guardian.can_edit_featured_link?(topic_params[:category_id])
topic_params[:featured_link] = @opts[:featured_link]
However, when creating a reply the equivalent check is not bypassed:
errors[:base] << I18n.t(:not_accepting_pms, username: users[m])
end
return false if errors[:base].present?
end
if new_topic?
topic_creator = TopicCreator.new(@user, guardian, @opts)
return false unless skip_validations? || validate_child(topic_creator)
else
@topic = Topic.find_by(id: @opts[:topic_id])
if (@topic.blank? || !guardian.can_create?(Post, @topic))
errors[:base] << I18n.t(:topic_not_found)
return false
end
end
setup_post
return true if skip_validations?
if @post.has_host_spam?
Perhaps I am missing something but this looks inconsistent to me, i.e. skip_validations should bypass the guardian check either in both cases or in none of them.
In any case, I fixed this because I needed it myself (to have an importer create posts in private categories). Here is what I did:
master ← martineriksson:post_creation_fix
closed 01:48PM - 11 Feb 17 UTC
https://meta.discourse.org/t/guardian-bypassed-through-skip-validations-in-topic… creator-but-not-in-postcreator/55341
2 „Gefällt mir“
Isambard
(Isambard)
20. März 2024 um 20:35
2
I think there is a bug in the skip validations.
When I use skip validations to create a Topic, this works and it is possible for user to create a topic in a category even if normally he would have no rights to do so.
However, when trying to reply to that same topic, the validation check is not skipped and this post create fails.
Ich bin gerade auch auf diesen Fehler gestoßen. Sehr frustrierend, dass Sie ihn vor 6 Jahren behoben und einen Pull Request herausgegeben haben, der am Ende nicht akzeptiert wurde.
1 „Gefällt mir“