Override can_edit_proposal? permission method to consider anonymous authorships
entantoencuanto committed Nov 5, 2021
1 parent b7e4cdb commit 016081c
Showing 1 changed file with 8 additions and 0 deletions.
Expand Up @@ -38,6 +38,14 @@ def allow_anonymous_proposals?
def organization
@organization ||= context.fetch(:organization, nil) || context.fetch(:current_organization, nil)
end

def can_edit_proposal?
toggle_allow(proposal && (proposal.editable_by?(user) || anonymously_editable?))
end

def anonymously_editable?
allow_anonymous_proposals? && proposal.editable_by?(Decidim::UserGroup.where(organization: organization).anonymous.first)

carlobeltrame Jan 18, 2022

Contributor

Doesn't this allow any anonymous user to edit all proposals by any other anonymous user? I.e. anyone can edit all anonymous proposals on the platform, as long as they're not signed in?

entantoencuanto Jan 18, 2022

Author Member

Yes, but the proposals are editable after being published only for a time which can be configured (5 minutes by default), so if this time is set to 0 a user who is not signed in can only edit proposals in draft status and has to guess their URL, which is not public.

end
end
end
end
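Review bot: `anonymously_editable?` grants edit permission to every unauthenticated visitor for every proposal owned by the organization's anonymous user group, because nothing in `proposal.editable_by?(Decidim::UserGroup.where(organization: organization).anonymous.first)` ties the current request to the authorship of this particular proposal; the thread above confirms this and relies on the configurable post-publication edit window and on draft URLs being unguessable as the only limits. Consider binding the anonymous edit path to an authorship identifier held by the session that created the proposal, or restricting it explicitly to drafts, rather than to the shared group. Also, `.anonymous.first` returns nil when the organization has no anonymous user group, so the call to `editable_by?(nil)` should be guarded (and `organization` itself can be nil, since both `context.fetch` fallbacks default to nil), and the group lookup is a database query on every `can_edit_proposal?` call, so it is worth memoizing alongside `@organization`.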
