FIX: Guardian#can_remove_allowed_users? shouldn't break for ownerless topics

A topic can outlive its original author. TopicGuardian should still work in this situation.

diff --git a/lib/guardian/topic_guardian.rb b/lib/guardian/topic_guardian.rb
index 33f5d83..842f44c 100644
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@@ -5,7 +5,7 @@ module TopicGuardian
 
   def can_remove_allowed_users?(topic, target_user = nil)
     is_staff? ||
-    (topic.user == user && user.has_trust_level?(TrustLevel[2])) ||
+    (topic.user == @user && @user.has_trust_level?(TrustLevel[2])) ||
     (
       topic.allowed_users.count > 1 &&
       topic.user != target_user &&
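Review bot: On the `+` line the fix depends on an unstated difference between `user` and `@user`, and nothing in the method says why the instance variable is used, so a later cleanup could switch it back and reintroduce the failure for ownerless topics. Add a short comment stating that `topic.user` can be nil and that `@user` is used deliberately, or make the ownerless case explicit by checking `topic.user` for nil before comparing. The context line `topic.user != target_user` also compares against a possibly nil owner while `target_user` defaults to nil, so it is worth confirming that branch behaves as intended when a target is passed for a topic with no owner.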
diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb
index 8927ea3..6c4ddd1 100644
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@@ -3503,6 +3503,21 @@ describe Guardian do
         end
       end
     end
+
+    context "anonymous users" do
+      fab!(:topic) { Fabricate(:topic) }
+
+      it 'should be false' do
+        expect(Guardian.new.can_remove_allowed_users?(topic)).to eq(false)
+      end
+
+      it 'should be false when the topic does not have a user (for example because the user was removed)' do
+        DB.exec("UPDATE topics SET user_id=NULL WHERE id=#{topic.id}")
+        topic.reload
+
+        expect(Guardian.new.can_remove_allowed_users?(topic)).to eq(false)
+      end
+    end
   end
 
   describe '#auth_token' do
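Review bot: Both new examples call `Guardian.new`, so the ownerless-topic case is only exercised for an anonymous visitor; there is no example for a logged-in, non-staff user on a topic whose `user_id` is NULL, which is a path the commit message also covers. Add that case, and consider naming the context after the ownerless topic rather than "anonymous users", since the second example is about the missing owner. As a style point, the raw `DB.exec("UPDATE topics SET user_id=NULL WHERE id=#{topic.id}")` could be `topic.update_column(:user_id, nil)`, which avoids interpolating into SQL and still skips callbacks.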

GitHub sha: 9cf77372
