From: Tom Hughes <tom@compton.nu>
Date: Fri, 26 Jul 2024 16:50:29 +0000 (+0100)
Subject: Merge remote-tracking branch 'upstream/pull/5021'
X-Git-Tag: live~860
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/8990de156fba39383532bca59db4d907306ff5d3?hp=a67fdc7d28b0317835337bfce578259fdcc0118f

Merge remote-tracking branch 'upstream/pull/5021'
---

diff --git a/app/controllers/user_blocks_controller.rb b/app/controllers/user_blocks_controller.rb
index 3ab217a60..664ac5681 100644
--- a/app/controllers/user_blocks_controller.rb
+++ b/app/controllers/user_blocks_controller.rb
@@ -63,8 +63,9 @@ class UserBlocksController < ApplicationController
 
   def update
     if @valid_params
-      if @user_block.creator != current_user
-        flash[:error] = t(".only_creator_can_edit")
+      if current_user != @user_block.creator &&
+         current_user != @user_block.revoker
+        flash[:error] = t(@user_block.revoker ? ".only_creator_or_revoker_can_edit" : ".only_creator_can_edit")
         redirect_to :action => "edit"
       elsif @user_block.update(
         :ends_at => Time.now.utc + @block_period.hours,
diff --git a/app/views/user_blocks/_block.html.erb b/app/views/user_blocks/_block.html.erb
index 461dc7a8d..a18d1dbdb 100644
--- a/app/views/user_blocks/_block.html.erb
+++ b/app/views/user_blocks/_block.html.erb
@@ -15,7 +15,8 @@
     <% end %>
   </td>
   <td><%= link_to t(".show"), block %></td>
-  <td><% if current_user and current_user.id == block.creator_id %><%= link_to t(".edit"), edit_user_block_path(block) %><% end %></td>
+  <td><% if current_user && (current_user.id == block.creator_id ||
+                             current_user.id == block.revoker_id) %><%= link_to t(".edit"), edit_user_block_path(block) %><% end %></td>
   <% if show_revoke_link %>
   <td><% if block.active? %><%= link_to t(".revoke"), revoke_user_block_path(block) %><% end %></td>
   <% end %>
diff --git a/app/views/user_blocks/show.html.erb b/app/views/user_blocks/show.html.erb
index 619cd6c3f..c36c043cf 100644
--- a/app/views/user_blocks/show.html.erb
+++ b/app/views/user_blocks/show.html.erb
@@ -26,9 +26,12 @@
   <dd class="col-sm-9"><div class="richtext text-break"><%= @user_block.reason.to_html %></div></dd>
 </dl>
 
-<% if current_user&.id == @user_block.creator_id || can?(:revoke, UserBlock) && @user_block.active? %>
+<% if current_user && (current_user.id == @user_block.creator_id ||
+                       current_user.id == @user_block.revoker_id) ||
+      can?(:revoke, UserBlock) && @user_block.active? %>
   <div>
-    <% if current_user&.id == @user_block.creator_id %>
+    <% if current_user && (current_user.id == @user_block.creator_id ||
+                           current_user.id == @user_block.revoker_id) %>
       <%= link_to t(".edit"), edit_user_block_path(@user_block), :class => "btn btn-outline-primary" %>
     <% end %>
     <% if can?(:revoke, UserBlock) && @user_block.active? %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 2b83fec1f..dc7f1a1c0 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -2940,6 +2940,7 @@ en:
       flash: "Created a block on user %{name}."
     update:
       only_creator_can_edit: "Only the moderator who created this block can edit it."
+      only_creator_or_revoker_can_edit: "Only the moderators who created or revoked this block can edit it."
       success: "Block updated."
     index:
       title: "User blocks"
diff --git a/test/controllers/user_blocks_controller_test.rb b/test/controllers/user_blocks_controller_test.rb
index dd0b1287b..2e9d79ef7 100644
--- a/test/controllers/user_blocks_controller_test.rb
+++ b/test/controllers/user_blocks_controller_test.rb
@@ -212,22 +212,9 @@ class UserBlocksControllerTest < ActionDispatch::IntegrationTest
     check_block_buttons block, :edit => 1
 
     session_for(revoker_user)
-    check_block_buttons block
-  end
-
-  private
-
-  def check_block_buttons(block, edit: 0, revoke: 0)
-    [user_blocks_path, user_block_path(block)].each do |path|
-      get path
-      assert_response :success
-      assert_select "a[href='#{edit_user_block_path block}']", :count => edit
-      assert_select "a[href='#{revoke_user_block_path block}']", :count => revoke
-    end
+    check_block_buttons block, :edit => 1
   end
 
-  public
-
   ##
   # test the new action
   def test_new
@@ -483,23 +470,32 @@ class UserBlocksControllerTest < ActionDispatch::IntegrationTest
     assert_equal "Original Reason", block.reason
 
     session_for(creator_user)
+    check_block_updates(block)
+  end
+
+  ##
+  # test the update action on revoked blocks
+  def test_update_revoked
+    creator_user = create(:moderator_user)
+    revoker_user = create(:moderator_user)
+    other_moderator_user = create(:moderator_user)
+    block = create(:user_block, :revoked, :creator => creator_user, :revoker => revoker_user, :reason => "Original Reason")
+
+    session_for(other_moderator_user)
     put user_block_path(block,
                         :user_block_period => "0",
                         :user_block => { :needs_view => false, :reason => "Updated Reason" })
-    assert_redirected_to user_block_path(block)
-    assert_equal "Block updated.", flash[:notice]
+    assert_redirected_to edit_user_block_path(block)
+    assert_equal "Only the moderators who created or revoked this block can edit it.", flash[:error]
     block.reload
-    assert_not block.active?
-    assert_equal "Updated Reason", block.reason
+    assert_not_predicate block, :active?
+    assert_equal "Original Reason", block.reason
 
-    put user_block_path(block,
-                        :user_block_period => "0",
-                        :user_block => { :needs_view => true, :reason => "Updated Reason 2" })
-    assert_redirected_to user_block_path(block)
-    assert_equal "Block updated.", flash[:notice]
-    block.reload
-    assert_predicate block, :active?
-    assert_equal "Updated Reason 2", block.reason
+    session_for(creator_user)
+    check_block_updates(block)
+
+    session_for(revoker_user)
+    check_block_updates(block)
   end
 
   ##
@@ -794,6 +790,35 @@ class UserBlocksControllerTest < ActionDispatch::IntegrationTest
 
   private
 
+  def check_block_buttons(block, edit: 0, revoke: 0)
+    [user_blocks_path, user_block_path(block)].each do |path|
+      get path
+      assert_response :success
+      assert_select "a[href='#{edit_user_block_path block}']", :count => edit
+      assert_select "a[href='#{revoke_user_block_path block}']", :count => revoke
+    end
+  end
+
+  def check_block_updates(block)
+    put user_block_path(block,
+                        :user_block_period => "0",
+                        :user_block => { :needs_view => false, :reason => "Updated Reason" })
+    assert_redirected_to user_block_path(block)
+    assert_equal "Block updated.", flash[:notice]
+    block.reload
+    assert_not_predicate block, :active?
+    assert_equal "Updated Reason", block.reason
+
+    put user_block_path(block,
+                        :user_block_period => "0",
+                        :user_block => { :needs_view => true, :reason => "Updated Reason 2" })
+    assert_redirected_to user_block_path(block)
+    assert_equal "Block updated.", flash[:notice]
+    block.reload
+    assert_predicate block, :active?
+    assert_equal "Updated Reason 2", block.reason
+  end
+
   def check_user_blocks_table(user_blocks)
     assert_dom "table#block_list tbody tr" do |rows|
       assert_equal user_blocks.count, rows.count, "unexpected number of rows in user blocks table"