Fix #155 -- Ensure users cannot reply to locked topics

ellmetha · Apr 4, 2019 · 4bc73d8 · 4bc73d8
1 parent 5f4ba84
commit 4bc73d8
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/machina/apps/forum_conversation/views.py b/machina/apps/forum_conversation/views.py
@@ -632,7 +632,6 @@ class PostCreateView(PermissionRequiredMixin, PostFormView):
     """ Allows users to create forum posts. """
 
     model = Post
-    permission_required = ['can_reply_to_topics', ]
     template_name = 'forum_conversation/post_create.html'
 
     def get(self, request, *args, **kwargs):
@@ -664,7 +663,7 @@ def get_context_data(self, **kwargs):
 
     def get_controlled_object(self):
         """ Returns the controlled object. """
-        return self.get_forum()
+        return self.get_topic()
 
     def get_success_url(self):
         """ Returns the URL to redirect the user to upon valid form processing. """
@@ -681,6 +680,10 @@ def get_success_url(self):
             self.forum_post.pk,
         )
 
+    def perform_permissions_check(self, user, obj, perms):
+        """ Performs the permission check. """
+        return self.request.forum_permission_handler.can_add_post(obj, user)
+
 
 class PostUpdateView(PermissionRequiredMixin, PostFormView):
     """ Allows users to update forum topics. """

diff --git a/tests/functional/apps/forum_conversation/test_views.py b/tests/functional/apps/forum_conversation/test_views.py
@@ -951,6 +951,24 @@ def test_cannot_be_browsed_by_users_who_cannot_reply_to_topics(self):
         # Check
         assert response.status_code == 403
 
+    def test_cannot_be_browsed_by_users_when_the_topic_is_locked(self):
+        # Setup
+        self.topic.status = Topic.TOPIC_LOCKED
+        self.topic.save()
+        correct_url = reverse(
+            'forum_conversation:post_create',
+            kwargs={
+                'forum_slug': self.top_level_forum.slug,
+                'forum_pk': self.top_level_forum.pk,
+                'topic_slug': self.topic.slug,
+                'topic_pk': self.topic.pk,
+            }
+        )
+        # Run
+        response = self.client.get(correct_url, follow=True)
+        # Check
+        assert response.status_code == 403
+
     def test_embed_the_current_topic_into_the_context(self):
         # Setup
         correct_url = reverse(