FIX: Allow category group reviewers to edit queued posts

FIX: Allow category group reviewers to edit queued posts

They can edit title, body and tags. Editing the category is disabled for them for now, as it could lead to some odd security issues.

diff --git a/app/models/reviewable_queued_post.rb b/app/models/reviewable_queued_post.rb
index 30c854d..2933dff 100644
--- a/app/models/reviewable_queued_post.rb
+++ b/app/models/reviewable_queued_post.rb
@@ -36,11 +36,14 @@ class ReviewableQueuedPost < Reviewable
   end
 
   def build_editable_fields(fields, guardian, args)
-    return unless guardian.is_staff?
 
     # We can edit category / title if it's a new topic
     if topic_id.blank?
-      fields.add('category_id', :category)
+
+      # Only staff can edit category for now, since in theory a category group reviewer could
+      # post in a category they don't have access to.
+      fields.add('category_id', :category) if guardian.is_staff?
+
       fields.add('payload.title', :text)
       fields.add('payload.tags', :tags)
     end
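Review bot: With the `return unless guardian.is_staff?` guard removed, `build_editable_fields` does no authorization of its own beyond the `category_id` check, so any guardian passed in gets `payload.title` and `payload.tags` for a new topic. That is only safe if the caller has already established that this user may review this particular queued post, and if the update path accepts only the fields listed here; neither is visible in this hunk. I would record that dependency above the method, e.g. `# Caller must already have verified that guardian may review this item; only category_id is gated here.` It is also worth confirming that tags restricted to staff cannot be applied through `payload.tags` by a non-staff reviewer, for the same reason the category field was held back. The method body continues past the end of the hunk.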
diff --git a/spec/models/reviewable_queued_post_spec.rb b/spec/models/reviewable_queued_post_spec.rb
index 5507615..08478c6 100644
--- a/spec/models/reviewable_queued_post_spec.rb
+++ b/spec/models/reviewable_queued_post_spec.rb
@@ -137,15 +137,22 @@ RSpec.describe ReviewableQueuedPost, type: :model do
     let(:reviewable) { Fabricate(:reviewable_queued_post_topic, category: category) }
 
     context "editing" do
-      let(:guardian) { Guardian.new(moderator) }
 
       it "is editable and returns the fields" do
-        fields = reviewable.editable_for(guardian)
+        fields = reviewable.editable_for(Guardian.new(moderator))
         expect(fields.has?('category_id')).to eq(true)
         expect(fields.has?('payload.raw')).to eq(true)
         expect(fields.has?('payload.title')).to eq(true)
         expect(fields.has?('payload.tags')).to eq(true)
       end
+
+      it "is editable by a category group reviewer" do
+        fields = reviewable.editable_for(Guardian.new(Fabricate(:user)))
+        expect(fields.has?('category_id')).to eq(false)
+        expect(fields.has?('payload.raw')).to eq(true)
+        expect(fields.has?('payload.title')).to eq(true)
+        expect(fields.has?('payload.tags')).to eq(true)
+      end
     end
 
     it "returns the appropriate create options for a topic" do
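Review bot: The example named "is editable by a category group reviewer" builds its guardian from a bare `Fabricate(:user)`, and nothing in the visible lines puts that user in a group that reviews `category`. As written, the spec pins that any user's guardian receives the title, body and tags fields, not that a reviewer does. If `category` (defined outside the hunk) has no review group configured, either rename the example or fabricate the user as a member of that group. A companion example should document what `editable_for` returns for a user with no review rights on the category. The blank line left at the top of the `context` where `let(:guardian)` was removed can go as well.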

GitHub sha: 885f1e7e


This commit has been mentioned on Discourse Meta. There might be relevant details there: