add update_lock permission

hummingbird-me · Nov 1, 2020 · ae78d02 · ae78d02
1 parent 73cc3d1
commit ae78d02
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/app/graphql/mutations/post/lock_post.rb b/app/graphql/mutations/post/lock_post.rb
@@ -14,7 +14,7 @@ def load_post(value)
   end
 
   def authorized?(post:)
-    super(post, :update?)
+    super(post, :update_lock?)
   end
 
   def resolve(post:)

diff --git a/app/graphql/mutations/post/unlock_post.rb b/app/graphql/mutations/post/unlock_post.rb
@@ -14,7 +14,7 @@ def load_post(value)
   end
 
   def authorized?(post:)
-    super(post, :update?)
+    super(post, :update_lock?)
   end
 
   def resolve(post:)

diff --git a/app/policies/post_policy.rb b/app/policies/post_policy.rb
@@ -5,6 +5,7 @@ def update?
     return false unless user
     return false if user.has_role?(:banned)
     return true if is_admin?
+    # NOTE: this is required to be here because posts are updated through json-api
     return false if record.locked?
     return true if group && has_group_permission?(:content)
     is_owner?
@@ -36,6 +37,13 @@ def group
     record.target_group
   end
 
+  def update_lock?
+    return true if is_admin?
+    return true if group && has_group_permission(:content)
+
+    false
+  end
+
   class Scope < Scope
     def resolve
       return scope if is_admin?