discourse/lib/guardian/user_guardian.rb

# frozen_string_literal: true

# mixin for all Guardian methods dealing with user permissions
module UserGuardian

  def can_claim_reviewable_topic?(topic)
    SiteSetting.reviewable_claiming != 'disabled' && can_review_topic?(topic)
  end

  def can_pick_avatar?(user_avatar, upload)
    return false unless self.user
    return true if is_admin?
    # can always pick blank avatar
    return true if !upload
    return true if user_avatar.contains_upload?(upload.id)
    return true if upload.user_id == user_avatar.user_id || upload.user_id == user.id

    UserUpload.exists?(upload_id: upload.id, user_id: user.id)
  end

  def can_edit_user?(user)
    is_me?(user) || is_staff?
  end

  def can_edit_username?(user)
    return false if SiteSetting.sso_overrides_username? && SiteSetting.enable_sso?
    return true if is_staff?
    return false if SiteSetting.username_change_period <= 0
    return false if is_anonymous?
    is_me?(user) && ((user.post_count + user.topic_count) == 0 || user.created_at > SiteSetting.username_change_period.days.ago)
  end

  def can_edit_email?(user)
    return false if SiteSetting.sso_overrides_email? && SiteSetting.enable_sso?
    return false unless SiteSetting.email_editable?
    return true if is_staff?
    return false if is_anonymous?
    can_edit?(user)
  end

  def can_edit_name?(user)
    return false unless SiteSetting.enable_names?
    return false if SiteSetting.sso_overrides_name? && SiteSetting.enable_sso?
    return true if is_staff?
    return false if is_anonymous?
    can_edit?(user)
  end

  def can_see_notifications?(user)
    is_me?(user) || is_admin?
  end

  def can_silence_user?(user)
    user && is_staff? && not(user.staff?)
  end

  def can_unsilence_user?(user)
    user && is_staff?
  end

  def can_delete_user?(user)
    return false if user.nil? || user.admin?
    if is_me?(user)
      !SiteSetting.enable_sso &&
      !user.has_more_posts_than?(SiteSetting.delete_user_self_max_post_count)
    else
      is_staff? && (
        user.first_post_created_at.nil? ||
          !user.has_more_posts_than?(User::MAX_STAFF_DELETE_POST_COUNT) ||
          user.first_post_created_at > SiteSetting.delete_user_max_post_age.to_i.days.ago
      )
    end
  end

  def can_anonymize_user?(user)
    is_staff? && !user.nil? && !user.staff?
  end

  def can_merge_user?(user)
    is_admin? && !user.nil? && !user.staff?
  end

  def can_merge_users?(source_user, target_user)
    can_merge_user?(source_user) && !target_user.nil?
  end

  def can_reset_bounce_score?(user)
    user && is_staff?
  end

  def can_check_emails?(user)
    is_admin? || (is_staff? && SiteSetting.moderators_view_emails)
  end

  def restrict_user_fields?(user)
    user.trust_level == TrustLevel[0] && anonymous?
  end

  def can_see_staff_info?(user)
    user && is_staff?
  end

  def can_see_suspension_reason?(user)
    return true unless SiteSetting.hide_suspension_reasons?
    user == @user || is_staff?
  end

  def can_disable_second_factor?(user)
    user && can_administer_user?(user)
  end

  def can_see_profile?(user)
    return false if user.blank?

    # If a user has hidden their profile, restrict it to them and staff
    if user.user_option.try(:hide_profile_and_presence?)
      return is_me?(user) || is_staff?
    end

    true
  end

  def allowed_user_field_ids(user)
    @allowed_user_field_ids ||= {}

    is_staff_or_is_me = is_staff? || is_me?(user)
    cache_key = is_staff_or_is_me ? :staff_or_me : :other

    @allowed_user_field_ids[cache_key] ||=
      begin
        if is_staff_or_is_me
          UserField.pluck(:id)
        else
          UserField.where("show_on_profile OR show_on_user_card").pluck(:id)
        end
      end
  end

  def can_feature_topic?(user, topic)
    return false if topic.nil?
    return false if !SiteSetting.allow_featured_topic_on_user_profiles?
    return false if !is_me?(user) && !is_staff?
    return false if !topic.visible
    return false if topic.read_restricted_category? || topic.private_message?
    true
  end

  def can_see_review_queue?
    is_staff? || (
      SiteSetting.enable_category_group_review &&
      Reviewable
        .where(reviewable_by_group_id: @user.group_users.pluck(:group_id))
        .where('category_id IS NULL or category_id IN (?)', allowed_category_ids)
        .exists?
    )
  end

  def can_see_summary_stats?(target_user)
    true
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`# mixin for all Guardian methods dealing with user permissions`
			`module UserGuardian`

FEATURE: Claim Reviewables by Topic This is a feature that used to be present in discourse-assign but is much easier to implement in core. It also allows a topic to be assigned without it claiming for review and vice versa and allows it to work with category group reviewers. 2019-05-08 10:20:51 -04:00			`def can_claim_reviewable_topic?(topic)`
			`SiteSetting.reviewable_claiming != 'disabled' && can_review_topic?(topic)`
			`end`

SECURITY: only allow picking of avatars created by self (#6417) * SECURITY: only allow picking of avatars created by self Also adds origin tracking to all uploads including de-duplicated uploads 2018-09-20 01:33:10 -04:00			`def can_pick_avatar?(user_avatar, upload)`
			`return false unless self.user`
			`return true if is_admin?`
			`# can always pick blank avatar`
			`return true if !upload`
			`return true if user_avatar.contains_upload?(upload.id)`
			`return true if upload.user_id == user_avatar.user_id \|\| upload.user_id == user.id`

SECURITY: Users can pick non-avatar uploads. https://meta.discourse.org/t/bug-report-idor-on-avatar-pick-function-discussions-udacity-com/103564 2018-12-18 00:37:45 -05:00			`UserUpload.exists?(upload_id: upload.id, user_id: user.id)`
SECURITY: only allow picking of avatars created by self (#6417) * SECURITY: only allow picking of avatars created by self Also adds origin tracking to all uploads including de-duplicated uploads 2018-09-20 01:33:10 -04:00			`end`

Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`def can_edit_user?(user)`
			`is_me?(user) \|\| is_staff?`
			`end`

			`def can_edit_username?(user)`
FIX: prevent anonymous users from changing their email/username/name (#7311) 2019-04-17 04:05:02 -04:00			`return false if SiteSetting.sso_overrides_username? && SiteSetting.enable_sso?`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`return true if is_staff?`
			`return false if SiteSetting.username_change_period <= 0`
FIX: prevent anonymous users from changing their email/username/name (#7311) 2019-04-17 04:05:02 -04:00			`return false if is_anonymous?`
FIX: be consistent with how first posts in topics are counted. do like DirectoryItem.refresh_period :all 2017-11-09 18:05:53 -05:00			`is_me?(user) && ((user.post_count + user.topic_count) == 0 \|\| user.created_at > SiteSetting.username_change_period.days.ago)`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`end`

			`def can_edit_email?(user)`
FIX: prevent anonymous users from changing their email/username/name (#7311) 2019-04-17 04:05:02 -04:00			`return false if SiteSetting.sso_overrides_email? && SiteSetting.enable_sso?`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`return false unless SiteSetting.email_editable?`
BUG: staff should not be allowed to edit emails when email_editable is false 2014-08-14 22:41:01 -04:00			`return true if is_staff?`
FIX: prevent anonymous users from changing their email/username/name (#7311) 2019-04-17 04:05:02 -04:00			`return false if is_anonymous?`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`can_edit?(user)`
			`end`

Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right. 2014-03-13 16:26:40 -04:00			`def can_edit_name?(user)`
FIX: prevent anonymous users from changing their email/username/name (#7311) 2019-04-17 04:05:02 -04:00			`return false unless SiteSetting.enable_names?`
			`return false if SiteSetting.sso_overrides_name? && SiteSetting.enable_sso?`
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right. 2014-03-13 16:26:40 -04:00			`return true if is_staff?`
FIX: prevent anonymous users from changing their email/username/name (#7311) 2019-04-17 04:05:02 -04:00			`return false if is_anonymous?`
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right. 2014-03-13 16:26:40 -04:00			`can_edit?(user)`
			`end`

FEATURE: Actually show more notifications The "Show more notifications..." link in the notifications dropdown now links to /my/notifications, which is a historical view of all notifications you have recieved. Notification history is loaded in blocks of 60 at a time. Admins can see others' notification history. (This was requested for 'debugging purposes', though that's what impersonation is for, IMO.) 2014-09-02 21:32:27 -04:00			`def can_see_notifications?(user)`
			`is_me?(user) \|\| is_admin?`
			`end`

Rename "Blocked" to "Silenced" 2017-11-10 12:18:08 -05:00			`def can_silence_user?(user)`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`user && is_staff? && not(user.staff?)`
			`end`

Rename "Blocked" to "Silenced" 2017-11-10 12:18:08 -05:00			`def can_unsilence_user?(user)`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`user && is_staff?`
			`end`

			`def can_delete_user?(user)`
FEATURE: flag dispositions normalization All flags should end up in one of the three dispositions - Agree - Disagree - Defer In the administration area, the active flags section displays 4 buttons - Agree (hide post + send PM) - Disagree - Defer - Delete Clicking "Delete" will open a modal that offer to - Delete Post & Defer Flags - Delete Post & Agree with Flags - Delete Spammer (if available) When the flag has a list associated, the list will now display 1 response and 1 reply and a "show more..." link if there are more in the conversation. Replying to the conversation will NOT give a disposition. Moderators must click the buttons that does that. If someone clicks one buttons, this will add a default moderator message from that moderator saying what happened. The old flags section now displays the proper dispositions and is super duper fast (no more N+9999 queries). FIX: the old list includes deleted topics FIX: the lists now properly display the topic states (deleted, closed, archived, hidden, PM) FIX: flagging a topic that you've already flagged the first post 2014-07-28 13:17:37 -04:00			`return false if user.nil? \|\| user.admin?`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`if is_me?(user)`
FIX: Disallow user self-delete when user posted in PMs All posts created by the user are counted unless they are deleted, belong to a PM sent between a non-human user and the user or belong to a PM created by the user which doesn't have any other recipients. It also makes the guardian prevent self-deletes when SSO is enabled. 2019-08-10 06:02:12 -04:00			`!SiteSetting.enable_sso &&`
FEATURE: Allow admins to disable self-service account deletion https://meta.discourse.org/t/-/146276 2020-04-01 16:10:17 -04:00			`!user.has_more_posts_than?(SiteSetting.delete_user_self_max_post_count)`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`else`
FIX: Disallow user self-delete when user posted in PMs All posts created by the user are counted unless they are deleted, belong to a PM sent between a non-human user and the user or belong to a PM created by the user which doesn't have any other recipients. It also makes the guardian prevent self-deletes when SSO is enabled. 2019-08-10 06:02:12 -04:00			`is_staff? && (`
			`user.first_post_created_at.nil? \|\|`
			`!user.has_more_posts_than?(User::MAX_STAFF_DELETE_POST_COUNT) \|\|`
			`user.first_post_created_at > SiteSetting.delete_user_max_post_age.to_i.days.ago`
			`)`
Users who have made no more than one post can delete their own accounts from their user preferences page. 2014-02-13 11:42:35 -05:00			`end`
			`end`

FEATURE: Anonymize User. A way to remove a user but keep their topics and posts. 2015-03-06 16:44:54 -05:00			`def can_anonymize_user?(user)`
			`is_staff? && !user.nil? && !user.staff?`
			`end`

UX: display 'merge' button in all non-staff user profiles. 2020-04-22 08:12:09 -04:00			`def can_merge_user?(user)`
			`is_admin? && !user.nil? && !user.staff?`
			`end`

			`def can_merge_users?(source_user, target_user)`
			`can_merge_user?(source_user) && !target_user.nil?`
FEATURE: admin UI to merge two users. (#9509) 2020-04-22 04:37:51 -04:00			`end`

Lots bounce emails related fixes - Show bounce score on user admin page - Added reset bounce score button on user admin page - Only whitelisted email types are sent to emails with high bounce score - FIX: properly detect bounces even when there is no TO: header in the email - Don't desactivate a user when reaching the bounce threshold 2016-05-06 13:34:33 -04:00			`def can_reset_bounce_score?(user)`
			`user && is_staff?`
			`end`

FEATURE: hide emails behind a button for staff members 2014-09-29 16:31:05 -04:00			`def can_check_emails?(user)`
REFACTOR: Rename site settings to make them less confusing 2019-03-13 17:30:25 -04:00			`is_admin? \|\| (is_staff? && SiteSetting.moderators_view_emails)`
FEATURE: hide emails behind a button for staff members 2014-09-29 16:31:05 -04:00			`end`

FIX: hide restricted profile info from TL0 users to anonymous in 'JS-off' page 2014-11-27 13:51:13 -05:00			`def restrict_user_fields?(user)`
			`user.trust_level == TrustLevel[0] && anonymous?`
			`end`

PERF: fix performance issue when displaying the user card for admins 2015-01-05 13:49:32 -05:00			`def can_see_staff_info?(user)`
			`user && is_staff?`
			`end`

FEATURE: Site Setting to hide suspension reason on the public profile 2017-09-12 16:06:01 -04:00			`def can_see_suspension_reason?(user)`
			`return true unless SiteSetting.hide_suspension_reasons?`
			`user == @user \|\| is_staff?`
			`end`

FEATURE: Implement 2factor login TOTP implemented review items. Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds. I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail. Translatable texts. Move second factor logic to a helper class. Move second factor specific controller endpoints to its own controller. Move serialization logic for 2-factor details in admin user views. Add a login ember component for de-duplication Fix up code formatting Change verbiage of google authenticator add controller tests: second factor controller tests change email tests change password tests admin login tests add qunit tests - password reset, preferences fix: check for 2factor on change email controller fix: email controller - only show second factor errors on attempt fix: check against 'true' to enable second factor. Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP add two factor to email signin link rate limit if second factor token present add rate limiter test for second factor attempts 2017-12-21 20:18:12 -05:00			`def can_disable_second_factor?(user)`
			`user && can_administer_user?(user)`
			`end`

FEATURE: Option to disable user presence and profile This allows users who are privacy conscious to disable the presence features of the forum as well as their public profile. 2018-10-10 13:00:08 -04:00			`def can_see_profile?(user)`
			`return false if user.blank?`

			`# If a user has hidden their profile, restrict it to them and staff`
			`if user.user_option.try(:hide_profile_and_presence?)`
			`return is_me?(user) \|\| is_staff?`
			`end`

			`true`
			`end`

FIX: Do not serialize user fields unless they are specified for display (#6736) 2018-12-07 05:57:28 -05:00			`def allowed_user_field_ids(user)`
			`@allowed_user_field_ids \|\|= {}`
PERF: Memoize allowed user fields more efficiently (#8968) Previously we were caching by user_id, but the there are only two possible outcomes. Therefore we only need to cache two values. This removes another N+1 query when serializing multiple user cards. 2020-02-14 09:47:16 -05:00
			`is_staff_or_is_me = is_staff? \|\| is_me?(user)`
			`cache_key = is_staff_or_is_me ? :staff_or_me : :other`

			`@allowed_user_field_ids[cache_key] \|\|=`
FIX: Do not serialize user fields unless they are specified for display (#6736) 2018-12-07 05:57:28 -05:00			`begin`
PERF: Memoize allowed user fields more efficiently (#8968) Previously we were caching by user_id, but the there are only two possible outcomes. Therefore we only need to cache two values. This removes another N+1 query when serializing multiple user cards. 2020-02-14 09:47:16 -05:00			`if is_staff_or_is_me`
FIX: Do not serialize user fields unless they are specified for display (#6736) 2018-12-07 05:57:28 -05:00			`UserField.pluck(:id)`
			`else`
			`UserField.where("show_on_profile OR show_on_user_card").pluck(:id)`
			`end`
			`end`
			`end`
FEATURE: Featured topic for user profile & card (#8461) 2019-12-09 14:15:47 -05:00
			`def can_feature_topic?(user, topic)`
FIX: Error message for 403 when featuring topic on profile (#9149) 2020-03-09 12:41:07 -04:00			`return false if topic.nil?`
FEATURE: Featured topic for user profile & card (#8461) 2019-12-09 14:15:47 -05:00			`return false if !SiteSetting.allow_featured_topic_on_user_profiles?`
			`return false if !is_me?(user) && !is_staff?`
FIX: Disallow featuring hidden topics (#8814) 2020-01-30 11:00:49 -05:00			`return false if !topic.visible`
FEATURE: Featured topic for user profile & card (#8461) 2019-12-09 14:15:47 -05:00			`return false if topic.read_restricted_category? \|\| topic.private_message?`
FEATURE: Users can feature any public topic on his/her profile (#8809) 2020-01-29 11:10:23 -05:00			`true`
FEATURE: Featured topic for user profile & card (#8461) 2019-12-09 14:15:47 -05:00			`end`
FIX: Only show the review page to users that can see it. Do not publish the reviewable count update message to everyone. (#9556) 2020-04-27 13:51:25 -04:00
			`def can_see_review_queue?`
			`is_staff? \|\| (`
			`SiteSetting.enable_category_group_review &&`
			`Reviewable`
			`.where(reviewable_by_group_id: @user.group_users.pluck(:group_id))`
			`.where('category_id IS NULL or category_id IN (?)', allowed_category_ids)`
			`.exists?`
			`)`
			`end`
DEV: Allow plugins to hide user stats by new guardian method (#9772) 2020-05-14 12:57:35 -04:00
			`def can_see_summary_stats?(target_user)`
			`true`
			`end`
Adding name to the list of uneditable items in preferences UI * If enable_names, enable_sso, and sso_overrides_name settings are true. * Added serialization of can_edit_name so the UI has access to the right. 2014-03-13 16:26:40 -04:00			`end`