
FIX: only staff can banner topics

diff --git a/app/assets/javascripts/discourse/templates/modal/feature-topic.hbs b/app/assets/javascripts/discourse/templates/modal/feature-topic.hbs
index 2bc1ce3..1e82906 100644
--- a/app/assets/javascripts/discourse/templates/modal/feature-topic.hbs
+++ b/app/assets/javascripts/discourse/templates/modal/feature-topic.hbs
@@ -110,37 +110,39 @@
       </div>
     </div>
   {{/if}}
-  <hr>
-  <div class="feature-section">
-    <div class="desc">
-      <p>
-        {{#conditional-loading-spinner size="small" condition=loading}}
-          {{#if bannerCount}}
-            {{{i18n "topic.feature_topic.banner_exists"}}}
+  {{#if currentUser.staff}}
+    <hr>
+    <div class="feature-section">
+      <div class="desc">
+        <p>
+          {{#conditional-loading-spinner size="small" condition=loading}}
+            {{#if bannerCount}}
+              {{{i18n "topic.feature_topic.banner_exists"}}}
+            {{else}}
+              {{{i18n "topic.feature_topic.no_banner_exists"}}}
+            {{/if}}
+          {{/conditional-loading-spinner}}
+        </p>
+        <p>
+          {{i18n "topic.feature_topic.banner_note"}}
+        </p>
+        <p>
+          {{#if model.isBanner}}
+            {{i18n "topic.feature_topic.remove_banner"}}
           {{else}}
-            {{{i18n "topic.feature_topic.no_banner_exists"}}}
+            {{i18n "topic.feature_topic.make_banner"}}
           {{/if}}
-        {{/conditional-loading-spinner}}
-      </p>
-      <p>
-        {{i18n "topic.feature_topic.banner_note"}}
-      </p>
-      <p>
-        {{#if model.isBanner}}
-          {{i18n "topic.feature_topic.remove_banner"}}
-        {{else}}
-          {{i18n "topic.feature_topic.make_banner"}}
-        {{/if}}
-      </p>
-      <p>
-        {{#if model.isBanner}}
-          {{d-button action=(action "removeBanner") icon="thumb-tack" label="topic.feature.remove_banner" class="btn-primary"}}
-        {{else}}
-          {{d-button action=(action "makeBanner") icon="thumb-tack" label="topic.feature.make_banner" class="btn-primary"}}
-        {{/if}}
-      </p>
+        </p>
+        <p>
+          {{#if model.isBanner}}
+            {{d-button action=(action "removeBanner") icon="thumb-tack" label="topic.feature.remove_banner" class="btn-primary"}}
+          {{else}}
+            {{d-button action=(action "makeBanner") icon="thumb-tack" label="topic.feature.make_banner" class="btn-primary"}}
+          {{/if}}
+        </p>
+      </div>
     </div>
-  </div>
+  {{/if}}
 {{/d-modal-body}}
 <div class="modal-footer">
   {{d-modal-cancel close=(route-action "closeModal")}}
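Review bot: The new `{{#if currentUser.staff}}` wrapper mirrors only the staff half of the server-side rule — `can_banner_topic?` in lib/guardian/topic_guardian.rb also refuses private-message topics — so a staff member opening this modal on a private message still sees the make/remove banner buttons and only learns of the refusal as a 403 after clicking. If the topic model exposes a private-message flag at this version, nest a second guard on it inside the staff check so the section disappears for PMs too. This is purely a UX gap; enforcement correctly lives in the guardian, and the modal template continues past the end of this hunk.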
diff --git a/app/controllers/topics_controller.rb b/app/controllers/topics_controller.rb
index 016e127..00517b9 100644
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@@ -408,7 +408,7 @@ class TopicsController < ApplicationController
 
   def make_banner
     topic = Topic.find_by(id: params[:topic_id].to_i)
-    guardian.ensure_can_moderate!(topic)
+    guardian.ensure_can_banner_topic!(topic)
 
     topic.make_banner!(current_user)
 
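Review bot: `topic` comes from `Topic.find_by`, which returns nil for an unknown id, and the new `guardian.ensure_can_banner_topic!(topic)` hands that nil to `can_banner_topic?`, whose `!topic.private_message?` raises NoMethodError — an unknown topic id now surfaces as a 500 instead of a controlled 403/404. The same applies to the `remove_banner` hunk below. Guard before the permission check, `raise Discourse::NotFound unless topic`, or make the predicate nil-safe with `topic && !topic.private_message?`. The previous `ensure_can_moderate!` presumably tolerated nil, given the old spec used the non-existent id `/t/99/...`; worth confirming rather than assuming.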
@@ -417,7 +417,7 @@ class TopicsController < ApplicationController
 
   def remove_banner
     topic = Topic.find_by(id: params[:topic_id].to_i)
-    guardian.ensure_can_moderate!(topic)
+    guardian.ensure_can_banner_topic!(topic)
 
     topic.remove_banner!(current_user)
 
diff --git a/lib/guardian/topic_guardian.rb b/lib/guardian/topic_guardian.rb
index d001ab5..8f3fea0 100644
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@@ -154,4 +154,8 @@ module TopicGuardian
   def can_update_bumped_at?
     is_staff? || @user.has_trust_level?(TrustLevel[4])
   end
+
+  def can_banner_topic?(topic)
+    authenticated? && !topic.private_message? && is_staff?
+  end
 end
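Review bot: The new predicate carries no comment explaining why private messages are excluded while the neighbouring `can_update_bumped_at?` reads as self-evident; the reason is not recoverable from the code alone. A one-line why-comment above the method, such as `# A banner is presumably shown to every visitor, so a private message must never become one`, would stop a future maintainer from "simplifying" the check to `is_staff?` alone. Also consider putting `is_staff?` first so the common non-staff case short-circuits before touching `topic`.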
diff --git a/spec/requests/topics_controller_spec.rb b/spec/requests/topics_controller_spec.rb
index 36b4748..66e2c59 100644
--- a/spec/requests/topics_controller_spec.rb
+++ b/spec/requests/topics_controller_spec.rb
@@ -1907,8 +1907,8 @@ RSpec.describe TopicsController do
 
   describe '#make_banner' do
     it 'needs you to be a staff member' do
-      sign_in(Fabricate(:user))
-      put "/t/99/make-banner.json"
+      topic = Fabricate(:topic, user: sign_in(Fabricate(:trust_level_4)))
+      put "/t/#{topic.id}/make-banner.json"
       expect(response).to be_forbidden
     end
 
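Review bot: The rewritten example still covers only the non-staff rejection (now a TL4 topic owner); the two new branches introduced by `can_banner_topic?` — a staff user on a private-message topic, and a request for a topic id that does not exist — have no example here or in the `#remove_banner` hunk below. Add one example that signs in a staff user (e.g. `Fabricate(:admin)`) against a private-message topic and expects `be_forbidden`, and one that hits a non-existent id and asserts whichever status the controller is meant to return, since the nil path is currently unasserted.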
@@ -1926,8 +1926,8 @@ RSpec.describe TopicsController do
 
   describe '#remove_banner' do
     it 'needs you to be a staff member' do
-      sign_in(Fabricate(:user))
-      put "/t/99/remove-banner.json"
+      topic = Fabricate(:topic, user: sign_in(Fabricate(:trust_level_4)), archetype: Archetype.banner)
+      put "/t/#{topic.id}/remove-banner.json"
       expect(response).to be_forbidden
     end

GitHub sha: d68d29f3
