FIX: ignore min_trust_to_send_messages when messaging groups (#8104)

FIX: ignore min_trust_to_send_messages when messaging groups (#8104)

This means that TL0 users can message groups with “Who can message this group?” set to “Everyone”.

It also means that members of a group with “Who can message this group?” set to “members, moderators and admins” can also message the group, even when their trust level is below min_trust_to_send_messages.

diff --git a/lib/guardian.rb b/lib/guardian.rb
index 79ac550..883386e 100644
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@@ -407,7 +407,7 @@ class Guardian
     # User is authenticated
     authenticated? &&
     # Have to be a basic level at least
-    (@user.has_trust_level?(SiteSetting.min_trust_to_send_messages) || notify_moderators) &&
+    (is_group || @user.has_trust_level?(SiteSetting.min_trust_to_send_messages) || notify_moderators) &&
     # User disabled private message
     (is_staff? || is_group || target.user_option.allow_private_messages) &&
     # PMs are enabled
diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb
index 0dddab7..ac8efd8 100644
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@@ -19,6 +19,7 @@ describe Guardian do
   fab!(:automatic_group) { Fabricate(:group, automatic: true) }
   fab!(:plain_category) { Fabricate(:category) }
 
+  let(:trust_level_0) { build(:user, trust_level: 0) }
   let(:trust_level_1) { build(:user, trust_level: 1) }
   let(:trust_level_2) { build(:user, trust_level: 2) }
   let(:trust_level_3) { build(:user, trust_level: 3) }
@@ -346,12 +347,24 @@ describe Guardian do
       end
     end
 
+    it "allows TL0 to message group with messageable_level = everyone" do
+      group.update!(messageable_level: Group::ALIAS_LEVELS[:everyone])
+      expect(Guardian.new(trust_level_0).can_send_private_message?(group)).to eq(true)
+      expect(Guardian.new(user).can_send_private_message?(group)).to eq(true)
+    end
+
     it "respects the group members messageable_level" do
       group.update!(messageable_level: Group::ALIAS_LEVELS[:members_mods_and_admins])
       expect(Guardian.new(user).can_send_private_message?(group)).to eq(false)
 
       group.add(user)
       expect(Guardian.new(user).can_send_private_message?(group)).to eq(true)
+
+      expect(Guardian.new(trust_level_0).can_send_private_message?(group)).to eq(false)
+
+      #  group membership trumps min_trust_to_send_messages setting
+      group.add(trust_level_0)
+      expect(Guardian.new(trust_level_0).can_send_private_message?(group)).to eq(true)
     end
 
     it "respects the group owners messageable_level" do

GitHub sha: c6cfbebf

1 Like

This commit has been mentioned on Discourse Meta. There might be relevant details there: