Merge pull request #3826 from Karnaj/fix-3804

Empêche d’éditer un message masqué
zestedesavoir · Sep 7, 2016 · 8ca9dfe · 8ca9dfe
2 parents 31f88ad + e825076
commit 8ca9dfe
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/templates/forum/topic/index.html b/templates/forum/topic/index.html
@@ -139,7 +139,7 @@
     <a href="{% url 'topic-new' %}?forum={{ topic.forum.pk }}" class="new-btn ico-after more blue">
         {% trans "Nouveau sujet" %}
     </a>
-    {% if topic.author.pk == user.pk or is_staff %}
+    {% if topic.author.pk == user.pk and topic.first_post.is_visible or is_staff %}
     <a href="{% url 'topic-edit' %}?topic={{ topic.pk }}" class="new-btn ico-after edit blue">
         {% trans "Éditer le sujet" %}
     </a>

diff --git a/zds/forum/tests/tests_views.py b/zds/forum/tests/tests_views.py
@@ -1260,6 +1260,28 @@ def test_success_edit_post_alert_message(self):
         self.assertEqual(1, len(post.alerts.all()))
         self.assertEqual(text_expected, post.alerts.all()[0].text)
 
+    def test_failure_edit_post_hidden_message_by_non_staff(self):
+        """Test that a non staff cannot access the page to edit a hidden message"""
+
+        profile = ProfileFactory()
+        category, forum = create_category()
+        topic = add_topic_in_a_forum(forum, profile)
+
+        self.assertTrue(self.client.login(username=profile.user.username, password='hostel77'))
+        data = {
+            'delete_message': ''
+        }
+
+        response = self.client.post(
+            reverse('post-edit') + '?message={}'.format(topic.last_message.pk), data, follow=False)
+        self.assertEqual(302, response.status_code)
+
+        response = self.client.get(reverse('post-edit') + '?message={}'.format(topic.last_message.pk))
+        self.assertEqual(403, response.status_code)
+
+        response = self.client.get(reverse('topic-edit') + '?topic={}'.format(topic.pk), follow=False)
+        self.assertEqual(403, response.status_code)
+
 
 class PostUsefulTest(TestCase):
     def test_failure_post_useful_require_method_post(self):

diff --git a/zds/forum/views.py b/zds/forum/views.py
@@ -262,6 +262,8 @@ def dispatch(self, request, *args, **kwargs):
         if ('text' in request.POST or request.method == 'GET') \
                 and self.object.author != request.user and not request.user.has_perm('forum.change_topic'):
             raise PermissionDenied
+        if not self.object.first_post().is_visible and not request.user.has_perm('forum.change_topic'):
+            raise PermissionDenied
         if 'page' in request.POST:
             try:
                 self.page = int(request.POST.get('page'))
@@ -480,6 +482,8 @@ def dispatch(self, request, *args, **kwargs):
         if self.object.author != request.user and not request.user.has_perm(
                 'forum.change_post') and 'signal_message' not in request.POST:
             raise PermissionDenied
+        if not self.object.is_visible and not request.user.has_perm('forum.change_post'):
+            raise PermissionDenied
         return super(PostEdit, self).dispatch(request, *args, **kwargs)
 
     def get(self, request, *args, **kwargs):