Fixes an issue where permission checks aren't made for guest users,

due to the gate being accessed after the check whether the user is registered/signed in.
flarum · Sep 11, 2019 · ea84fc4 · ea84fc4
1 parent e2ec52c
commit ea84fc4
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/src/User/AssertPermissionTrait.php b/src/User/AssertPermissionTrait.php
@@ -60,13 +60,18 @@ protected function assertRegistered(User $actor)
      */
     protected function assertCan(User $actor, $ability, $arguments = [])
     {
+        // Identify whether guest or user has the permission.
+        $can = $actor->can($ability, $arguments);
+
         // For non-authenticated users, we throw a different exception to signal
         // that logging in may help.
-        $this->assertRegistered($actor);
+        if (! $can) {
+            $this->assertRegistered($actor);
+        }
 
         // If we're logged in, then we need to communicate that the current
         // account simply does not have enough permissions.
-        $this->assertPermission($actor->can($ability, $arguments));
+        $this->assertPermission($can);
     }
 
     /**