Nil dereference in PostGuardian can_delete_post

RGJ · April 10, 2024, 12:18pm

PostGuardian.can_delete_post contains a user dereference which crashes when called when there is no user logged in. Calling it from a plugin so maybe this doesn’t happen in core at the moment.

It’s happening here:

return true if user.in_any_groups?(SiteSetting.delete_all_posts_and_topics_allowed_groups_map)

Suggestion is to either use the save navigation operator &. or change it to return true if user && user.in_any_groups? ...

Firepup650 · April 10, 2024, 12:58pm

Could you perhaps use @system as a user for this, since it should always have perms? (Also, doesn’t core do that too?)

RGJ · April 10, 2024, 2:12pm

I’m not sure you understand.

It’s not a problem that there is no user (and “no user” should equal “no permissions”). The problem is that the code assumes there is a user without checking, so it tries to see if “nothing” is in any groups.

Topic		Replies	Views
Updating deleted post through API returns Internal Server Error bug	3	660	May 21, 2018
Cannot delete user who is in a group bug	7	1130	March 14, 2018
API request for group members also returns unactivated accounts bug	2	477	October 29, 2019
All users are visible in @mentions autocomplete list support	6	710	July 12, 2022
Can't deselect group in user listing bug	2	538	November 2, 2021

Nil dereference in PostGuardian can_delete_post

Related Topics