discourse/lib/guardian/user_guardian.rb

# mixin for all Guardian methods dealing with user permissions
module UserGuardian

  def can_edit_user?(user)
    is_me?(user) || is_staff?
  end

  def can_edit_username?(user)
    return false if (SiteSetting.sso_overrides_username? && SiteSetting.enable_sso?)
    return true if is_staff?
    return false if SiteSetting.username_change_period <= 0
    is_me?(user) && (user.post_count == 0 || user.created_at > SiteSetting.username_change_period.days.ago)
  end

  def can_edit_email?(user)
    return false if (SiteSetting.sso_overrides_email? && SiteSetting.enable_sso?)
    return false unless SiteSetting.email_editable?
    return true if is_staff?
    can_edit?(user)
  end

  def can_edit_name?(user)
    return false if not(SiteSetting.enable_names?)
    return false if (SiteSetting.sso_overrides_name? && SiteSetting.enable_sso?)
    return true if is_staff?
    can_edit?(user)
  end

  def can_see_notifications?(user)
    is_me?(user) || is_admin?
  end

  def can_block_user?(user)
    user && is_staff? && not(user.staff?)
  end

  def can_unblock_user?(user)
    user && is_staff?
  end

  def can_delete_user?(user)
    return false if user.nil? || user.admin?
    if is_me?(user)
      user.post_count <= 1
    else
      is_staff? && (user.first_post_created_at.nil? || user.first_post_created_at > SiteSetting.delete_user_max_post_age.to_i.days.ago)
    end
  end

  def can_check_emails?(user)
    is_admin? || (is_staff? && SiteSetting.show_email_on_profile)
  end

  def restrict_user_fields?(user)
    user.trust_level == TrustLevel[0] && anonymous?
  end

end
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`# mixin for all Guardian methods dealing with user permissions`
			`module UserGuardian`

			`def can_edit_user?(user)`
			`is_me?(user) \|\| is_staff?`
			`end`

			`def can_edit_username?(user)`
Disabled editing of SSO overridden fields 2014-03-08 01:16:49 -05:00			`return false if (SiteSetting.sso_overrides_username? && SiteSetting.enable_sso?)`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`return true if is_staff?`
			`return false if SiteSetting.username_change_period <= 0`
			`is_me?(user) && (user.post_count == 0 \|\| user.created_at > SiteSetting.username_change_period.days.ago)`
			`end`

			`def can_edit_email?(user)`
Disabled editing of SSO overridden fields 2014-03-08 01:16:49 -05:00			`return false if (SiteSetting.sso_overrides_email? && SiteSetting.enable_sso?)`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`return false unless SiteSetting.email_editable?`
BUG: staff should not be allowed to edit emails when email_editable is false 2014-08-14 22:41:01 -04:00			`return true if is_staff?`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`can_edit?(user)`
			`end`

Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right. 2014-03-13 16:26:40 -04:00			`def can_edit_name?(user)`
			`return false if not(SiteSetting.enable_names?)`
			`return false if (SiteSetting.sso_overrides_name? && SiteSetting.enable_sso?)`
			`return true if is_staff?`
			`can_edit?(user)`
			`end`

FEATURE: Actually show more notifications The "Show more notifications..." link in the notifications dropdown now links to /my/notifications, which is a historical view of all notifications you have recieved. Notification history is loaded in blocks of 60 at a time. Admins can see others' notification history. (This was requested for 'debugging purposes', though that's what impersonation is for, IMO.) 2014-09-02 21:32:27 -04:00			`def can_see_notifications?(user)`
			`is_me?(user) \|\| is_admin?`
			`end`

Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`def can_block_user?(user)`
			`user && is_staff? && not(user.staff?)`
			`end`

			`def can_unblock_user?(user)`
			`user && is_staff?`
			`end`

			`def can_delete_user?(user)`
FEATURE: flag dispositions normalization All flags should end up in one of the three dispositions - Agree - Disagree - Defer In the administration area, the active flags section displays 4 buttons - Agree (hide post + send PM) - Disagree - Defer - Delete Clicking "Delete" will open a modal that offer to - Delete Post & Defer Flags - Delete Post & Agree with Flags - Delete Spammer (if available) When the flag has a list associated, the list will now display 1 response and 1 reply and a "show more..." link if there are more in the conversation. Replying to the conversation will NOT give a disposition. Moderators must click the buttons that does that. If someone clicks one buttons, this will add a default moderator message from that moderator saying what happened. The old flags section now displays the proper dispositions and is super duper fast (no more N+9999 queries). FIX: the old list includes deleted topics FIX: the lists now properly display the topic states (deleted, closed, archived, hidden, PM) FIX: flagging a topic that you've already flagged the first post 2014-07-28 13:17:37 -04:00			`return false if user.nil? \|\| user.admin?`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`if is_me?(user)`
			`user.post_count <= 1`
			`else`
FEATURE: flag dispositions normalization All flags should end up in one of the three dispositions - Agree - Disagree - Defer In the administration area, the active flags section displays 4 buttons - Agree (hide post + send PM) - Disagree - Defer - Delete Clicking "Delete" will open a modal that offer to - Delete Post & Defer Flags - Delete Post & Agree with Flags - Delete Spammer (if available) When the flag has a list associated, the list will now display 1 response and 1 reply and a "show more..." link if there are more in the conversation. Replying to the conversation will NOT give a disposition. Moderators must click the buttons that does that. If someone clicks one buttons, this will add a default moderator message from that moderator saying what happened. The old flags section now displays the proper dispositions and is super duper fast (no more N+9999 queries). FIX: the old list includes deleted topics FIX: the lists now properly display the topic states (deleted, closed, archived, hidden, PM) FIX: flagging a topic that you've already flagged the first post 2014-07-28 13:17:37 -04:00			`is_staff? && (user.first_post_created_at.nil? \|\| user.first_post_created_at > SiteSetting.delete_user_max_post_age.to_i.days.ago)`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`end`
			`end`

FEATURE: hide emails behind a button for staff members 2014-09-29 16:31:05 -04:00			`def can_check_emails?(user)`
			`is_admin? \|\| (is_staff? && SiteSetting.show_email_on_profile)`
			`end`

FIX: hide restricted profile info from TL0 users to anonymous in 'JS-off' page 2014-11-27 13:51:13 -05:00			`def restrict_user_fields?(user)`
			`user.trust_level == TrustLevel[0] && anonymous?`
			`end`

Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right. 2014-03-13 16:26:40 -04:00			`end`