FIX: non staff users part of allowed groups can only edit own event

FIX: non staff users part of allowed groups can only edit own event

diff --git a/plugin.rb b/plugin.rb
index cef6484..94281f1 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -151,15 +151,13 @@ after_initialize do
     if defined?(@can_create_discourse_post_event)
       return @can_create_discourse_post_event
     end
-    @can_create_discourse_post_event =
-      begin
-        return true if staff?
-        allowed_groups =
-          SiteSetting.discourse_post_event_allowed_on_groups.split('|').compact
-        allowed_groups.present? && groups.where(id: allowed_groups).exists?
-      rescue StandardError
-        false
-      end
+    @can_create_discourse_post_event = begin
+      return true if staff?
+      allowed_groups = SiteSetting.discourse_post_event_allowed_on_groups.to_s.split('|').compact
+      allowed_groups.present? && groups.where(id: allowed_groups).exists?
+    rescue StandardError
+      false
+    end
   end
 
   add_to_class(:guardian, :can_act_on_invitee?) do |invitee|
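Review bot: `return true if staff?` inside the `begin` on the new side exits the method before the assignment to `@can_create_discourse_post_event` runs, so staff users never get the memo and the `defined?` guard above never short-circuits for them; harmless, but `staff? || (allowed_groups.present? && ...)` as the begin's value would memoize every path. Also `.compact` after `split('|')` is a no-op, since `split` never yields `nil`; `reject(&:blank?)` is the call that actually drops an empty segment left by a leading `|`. The added `.to_s` is the right fix for a nil setting, which the removed lines did not guard against. The method's definition starts outside this hunk.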
@@ -178,13 +176,12 @@ after_initialize do
     if defined?(@can_act_on_discourse_post_event)
       return @can_act_on_discourse_post_event
     end
-    @can_act_on_discourse_post_event =
-      begin
-        return true if admin?
-        can_create_discourse_post_event? || event.post.user_id == id
-      rescue StandardError
-        false
-      end
+    @can_act_on_discourse_post_event = begin
+      return true if staff?
+      can_create_discourse_post_event? && event.post.user_id == id
+    rescue StandardError
+      false
+    end
   end
 
   add_to_class(:guardian, :can_act_on_discourse_post_event?) do |event|
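Review bot: The memo `@can_act_on_discourse_post_event` is stored once per user object, but with the new `&&` rule the answer depends on which `event` was passed: after a call for the user's own event caches `true`, a later call on the same instance for another user's event returns that cached `true` and the ownership check this commit introduces is skipped. The memo lines are context rather than new, but the new rule is what makes the cached value event-specific, so the cache should be keyed per event (below, assuming `event` exposes an `id` — confirm against the model). As in the previous hunk, `return true if staff?` inside the `begin` also bypasses the memo store. The method's definition starts outside this hunk.
```ruby
    @can_act_on_discourse_post_event ||= {}
    return @can_act_on_discourse_post_event[event.id] if @can_act_on_discourse_post_event.key?(event.id)
    @can_act_on_discourse_post_event[event.id] = begin
      return true if staff?
      can_create_discourse_post_event? && event.post.user_id == id
    rescue StandardError
      false
    end
```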
diff --git a/spec/jobs/export_post_event_report_csv_spec.rb b/spec/jobs/export_post_event_report_csv_spec.rb
index 0e6fdac..4a60d11 100644
--- a/spec/jobs/export_post_event_report_csv_spec.rb
+++ b/spec/jobs/export_post_event_report_csv_spec.rb
@@ -111,8 +111,18 @@ describe Jobs::ExportCsvFile do
       let(:topic) { Fabricate(:topic, user: user) }
       let(:post1) { Fabricate(:post, topic: topic, user: user) }
       let(:post_event) { Fabricate(:event, post: post1) }
+      let(:group_1) {
+        Fabricate(:group).tap do |g|
+          g.add(user)
+          g.save!
+        end
+      }
 
-      it 'doesn’t generate the upload' do
+      before do
+        SiteSetting.discourse_post_event_allowed_on_groups = group_1.id
+      end
+
+      it 'generates the upload' do
         begin
           expect do
             Jobs::ExportCsvFile.new.execute(
diff --git a/spec/models/discourse_post_event/user_spec.rb b/spec/models/discourse_post_event/user_spec.rb
new file mode 100644
index 0000000..c18de24
--- /dev/null
+++ b/spec/models/discourse_post_event/user_spec.rb
@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require_relative '../../fabricators/event_fabricator'
+
+describe User do
+  Event ||= DiscoursePostEvent::Event
+
+  before do
+    freeze_time DateTime.parse('2020-04-24 14:10')
+    Jobs.run_immediately!
+    SiteSetting.calendar_enabled = true
+    SiteSetting.discourse_post_event_enabled = true
+  end
+
+  describe '#can_act_on_discourse_post_event?' do
+    context 'user is staff' do
+      let(:user_1) { Fabricate(:user, admin: true) }
+      let(:user_2) { Fabricate(:user, admin: true) }
+      let(:topic_1) { Fabricate(:topic, user: user_2) }
+      let(:post_1) { Fabricate(:post, topic: topic_1, user: user_2) }
+      let(:post_event_1) { Fabricate(:event, post: post_1) }
+
+      it 'can act on the event' do
+        expect(user_1.can_act_on_discourse_post_event?(post_event_1)).to eq(true)
+      end
+    end
+
+    context 'user is not staff' do
+      let(:user_1) { Fabricate(:user) }
+
+      context 'user is in list of allowed groups' do
+        let(:group_1) {
+          Fabricate(:group).tap do |g|
+            g.add(user_1)
+            g.save!
+          end
+        }
+
+        before do
+          SiteSetting.discourse_post_event_allowed_on_groups = group_1.id
+        end
+
+        context 'user created the event' do
+          let(:topic_1) { Fabricate(:topic, user: user_1) }
+          let(:post_1) { Fabricate(:post, topic: topic_1, user: user_1) }
+          let(:post_event_1) { Fabricate(:event, post: post_1) }
+
+          it 'can act on the event' do
+            expect(user_1.can_act_on_discourse_post_event?(post_event_1)).to eq(true)
+          end
+        end
+
+        context 'user didn’t create the event' do
+          let(:user_2) { Fabricate(:user) }
+          let(:topic_1) { Fabricate(:topic, user: user_2) }
+          let(:post_1) { Fabricate(:post, topic: topic_1, user: user_2) }
+          let(:post_event_1) { Fabricate(:event, post: post_1) }
+
+          it 'cannot act on the event' do
+            expect(user_1.can_act_on_discourse_post_event?(post_event_1)).to eq(false)
+          end
+        end
+      end
+
+      context 'user is not in list of allowed groups' do
+        let(:topic_1) { Fabricate(:topic, user: user_1) }
+        let(:post_1) { Fabricate(:post, topic: topic_1, user: user_1) }
+        let(:post_event_1) { Fabricate(:event, post: post_1) }
+
+        it 'cannot act on the event' do
+          expect(user_1.can_act_on_discourse_post_event?(post_event_1)).to eq(false)
+        end
+      end
+    end
+  end
+end
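Review bot: The 'user is staff' context fabricates an admin, but plugin.rb changed `admin?` to `staff?` in this same commit, so a moderator case (the core `:moderator` fabricator) is the one that would pin the broader check being introduced. `Event ||= DiscoursePostEvent::Event` at the top of the describe block assigns a top-level constant that nothing in this file references, and `freeze_time` and `Jobs.run_immediately!` in the `before` are likewise unused by these assertions; dropping them keeps the setup to what the examples need.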

GitHub sha: b7b62139
