FIX: Only staff can edit topic details when first post is locked (#10729)

FIX: Only staff can edit topic details when first post is locked (#10729)

diff --git a/lib/guardian/topic_guardian.rb b/lib/guardian/topic_guardian.rb
index 263163b..71cb561 100644
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@@ -74,6 +74,7 @@ module TopicGuardian
   def can_edit_topic?(topic)
     return false if Discourse.static_doc_topic_ids.include?(topic.id) && !is_admin?
     return false unless can_see?(topic)
+    return false if topic.first_post&.locked? && !is_staff?
 
     return true if is_admin?
     return true if is_moderator? && can_create_post?(topic)
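Review bot: The new `first_post&.locked?` check sits before the `return true if is_admin?` short-circuit, so every caller, admins included, pays for resolving `topic.first_post` even though staff are exempt from the rule; moving the line to just after the `is_admin?` return keeps the outcome for admins (assuming `is_staff?` covers admins, which is not visible here) and avoids that lookup for them. The code also gives no hint why a lock on the first post should restrict edits to the topic's details, which the commit title is the only place stating; a why-comment such as `# A locked first post also locks the topic details for non-staff; only staff may edit them` on the new line would carry that intent. Note that the safe navigation means a topic whose first post cannot be resolved is not subject to the check at all, which is presumably intended but worth stating. `can_edit_topic?` continues past the end of the hunk.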
diff --git a/spec/requests/topics_controller_spec.rb b/spec/requests/topics_controller_spec.rb
index 34ffad5..117c88b 100644
--- a/spec/requests/topics_controller_spec.rb
+++ b/spec/requests/topics_controller_spec.rb
@@ -1277,6 +1277,29 @@ RSpec.describe TopicsController do
           expect(response.status).to eq(200)
         end
 
+        describe "when first post is locked" do
+          it "blocks non-staff from editing even if 'trusted_users_can_edit_others' is true" do
+            SiteSetting.trusted_users_can_edit_others = true
+            user.update(trust_level: 3)
+            topic.first_post.update(locked_by_id: admin.id)
+
+            put "/t/#{topic.slug}/#{topic.id}.json", params: {
+              title: topic.title + " hello"
+            }
+            expect(response.status).to eq(403)
+          end
+
+          it "allows staff to edit" do
+            sign_in(Fabricate(:admin))
+            topic.first_post.update(locked_by_id: admin.id)
+
+            put "/t/#{topic.slug}/#{topic.id}.json", params: {
+              title: topic.title + " hello"
+            }
+            expect(response.status).to eq(200)
+          end
+        end
+
         context 'tags' do
           fab!(:tag) { Fabricate(:tag) }
 
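Review bot: The first new example asserts only the 403 status; adding `expect(topic.reload.title).to eq(title_before)` with `title_before = topic.title` captured before the request would pin that the guard rejects before any change is persisted, which is the property the fix exists to guarantee. The example appears to rely on `user` already being signed in by the enclosing context, which is outside the hunk; a short comment naming that precondition would make the test readable on its own. The `describe "when first post is locked"` block is complete within the hunk, but the surrounding context continues past it.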

GitHub sha: 9f73e877

This commit appears in #10729 which was approved by eviltrout. It was merged by markvanlan.

We should always prefer update! over update if we’re not checking for the return value. This is to ensure that the record has been successfully updated.


Do we allow moderators to edit as well? The description is for staff but we’re only testing as an admin.
