security fix, anon should not be treated as though they can create anything

SamSaffron · SamSaffron · commit 7df4e4afb9af · 2013-10-13T09:54:48.000+11:00
diff --git a/app/models/category.rb b/app/models/category.rb
@@ -50,11 +50,19 @@ class Category < ActiveRecord::Base
   }
 
   scope :topic_create_allowed, ->(guardian) {
-    scoped_to_permissions(guardian, [:full])
+    if guardian.anonymous?
+      where("1=0")
+    else
+      scoped_to_permissions(guardian, [:full])
+    end
   }
 
   scope :post_create_allowed, ->(guardian) {
-    scoped_to_permissions(guardian, [:create_post, :full])
+    if guardian.anonymous?
+      where("1=0")
+    else
+      scoped_to_permissions(guardian, [:create_post, :full])
+    end
   }
   delegate :post_template, to: 'self.class'
 
diff --git a/spec/models/category_spec.rb b/spec/models/category_spec.rb
@@ -67,11 +67,12 @@
       can_post_category.save
 
       Category.post_create_allowed(guardian).count.should == 3
-    end
 
-  end
+      # anonymous has permission to create no topics
+      guardian = Guardian.new(nil)
+      Category.post_create_allowed(guardian).count.should == 0
 
-  describe "post_create_allowed" do
+    end
 
   end
 

Original file line number	Diff line number	Diff line change
`@@ -50,11 +50,19 @@ class Category < ActiveRecord::Base`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`scope :topic_create_allowed, ->(guardian) {`
`53`		`- scoped_to_permissions(guardian, [:full])`
	`53`	`+ if guardian.anonymous?`
	`54`	`+ where("1=0")`
	`55`	`+ else`
	`56`	`+ scoped_to_permissions(guardian, [:full])`
	`57`	`+ end`
`54`	`58`	`}`
`55`	`59`
`56`	`60`	`scope :post_create_allowed, ->(guardian) {`
`57`		`- scoped_to_permissions(guardian, [:create_post, :full])`
	`61`	`+ if guardian.anonymous?`
	`62`	`+ where("1=0")`
	`63`	`+ else`
	`64`	`+ scoped_to_permissions(guardian, [:create_post, :full])`
	`65`	`+ end`
`58`	`66`	`}`
`59`	`67`	`delegate :post_template, to: 'self.class'`
`60`	`68`