Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/lib/guardian/topic_guardian.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

203 lines
6.2 KiB
Ruby
Raw Normal View History

DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging
2019-05-02 18:17:27 -04:00
# frozen_string_literal: true
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
#mixin for all guardian methods dealing with topic permisions
module TopicGuardian
FEATURE: Allow user to leave a PM.
2017-10-10 04:26:56 -04:00
def can_remove_allowed_users?(topic, target_user = nil)
is_staff? ||
FIX: Guardian#can_remove_allowed_users? shouldn't break for ownerless topics A topic can outlive its original author. TopicGuardian should still work in this situation.
2020-06-19 05:04:05 -04:00
(topic.user == @user && @user.has_trust_level?(TrustLevel[2])) ||
FEATURE: Allow user to leave a PM.
2017-10-10 04:26:56 -04:00
(
topic.allowed_users.count > 1 &&
topic.user != target_user &&
!!(target_user && user == target_user)
)
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
end
FEATURE: Flag count in post menu This change shows a notification number besides the flag icon in the post menu if there is reviewable content associated with the post. Additionally, if there is pending stuff to review, the icon has a red background. We have also removed the list of links below a post with the flag status. A reviewer is meant to click the number beside the flag icon to view the flags. As a consequence of losing those links, we've removed the ability to undo or ignore flags below a post.
2019-05-03 14:26:37 -04:00
def can_review_topic?(topic)
return false if anonymous? || topic.nil?
return true if is_staff?
SiteSetting.enable_category_group_review? &&
topic.category.present? &&
topic.category.reviewable_by_group_id.present? &&
GroupUser.where(group_id: topic.category.reviewable_by_group_id, user_id: user.id).exists?
end
FEATURE: Shared Drafts This feature can be enabled by choosing a destination for the `shared drafts category` site setting. * Staff members can create shared drafts, choosing a destination category for the topic when it is published. * Shared Drafts can be viewed in their category, or above the topic list for the destination category where it will end up. * When the shared draft is ready, it can be published to the appropriate category by clicking a button on the topic view. * When published, Drafts change their timestamps to the current time, and any edits to the original post are removed.
2018-03-13 15:59:12 -04:00
def can_create_shared_draft?
is_staff? && SiteSetting.shared_drafts_enabled?
end
FIX: return an error if a user tries to whisper This commit fixes a bug where a user creates a whisper post via the api but is posted as a regular message because they don't have access to whisper. Now a 403 unauthorized will be returned instead of the whisper param just being ignored for regular users. Staff users should not be affected by this change. https://meta.discourse.org/t/a-whisper-is-posted-as-a-message-if-the-user-is-not-staff-moderator-admin-when-using-the-api/116601
2019-05-07 13:34:15 -04:00
def can_create_whisper?
is_staff? && SiteSetting.enable_whispers?
end
FEATURE: Shared Drafts This feature can be enabled by choosing a destination for the `shared drafts category` site setting. * Staff members can create shared drafts, choosing a destination category for the topic when it is published. * Shared Drafts can be viewed in their category, or above the topic list for the destination category where it will end up. * When the shared draft is ready, it can be published to the appropriate category by clicking a button on the topic view. * When published, Drafts change their timestamps to the current time, and any edits to the original post are removed.
2018-03-13 15:59:12 -04:00
def can_publish_topic?(topic, category)
is_staff? && can_see?(topic) && can_create_topic?(category)
end
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
# Creating Methods
def can_create_topic?(parent)
Moderators should always be able to create topics too
2014-06-09 15:21:01 -04:00
is_staff? ||
FIX: admins should be able to create topics, even if min_trust_to_create_topic is higher than their trust level
2014-06-09 11:03:10 -04:00
(user &&
user.trust_level >= SiteSetting.min_trust_to_create_topic.to_i &&
FIX: do not allow creation of topic if there is no category available for posting (#7786)
2019-06-26 07:02:53 -04:00
can_create_post?(parent) &&
Category.topic_create_allowed(self).limit(1).count == 1)
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
end
def can_create_topic_on_category?(category)
SECURITY: ensure users have permission when moving categories
2018-03-01 20:13:04 -05:00
# allow for category to be a number as well
FIX: Couldn't move a topic into the uncategorized category.
2018-03-12 22:20:47 -04:00
category_id = Category === category ? category.id : category
SECURITY: ensure users have permission when moving categories
2018-03-01 20:13:04 -05:00
BUGFIX: make the system_user an elder (TL=4) Otherwise it won't be able to create topic when the `min_trust_to_create_topic` is > 0
2014-01-21 09:21:38 -05:00
can_create_topic?(nil) &&
SECURITY: ensure users have permission when moving categories
2018-03-01 20:13:04 -05:00
(!category || Category.topic_create_allowed(self).where(id: category_id).count == 1)
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
end
FEATURE: per-category approval settings (#5778) - disallow moving topics to a category that requires topic approval
2018-07-12 22:51:08 -04:00
def can_move_topic_to_category?(category)
category = Category === category ? category : Category.find(category || SiteSetting.uncategorized_category_id)
is_staff? || (can_create_topic_on_category?(category) && !category.require_topic_approval?)
end
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
def can_create_post_on_topic?(topic)
# No users can create posts on deleted topics
FIX: Don't enqueue posts if the user can't create them (ex: closed)
2016-09-09 12:15:56 -04:00
return false if topic.blank?
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
return false if topic.trashed?
FIX: restrict moderators from creating/editing topics in readonly categories In the past moderators had blanket access to all categories they were allowed to see. This tightens down the restriction.
2016-04-13 01:59:38 -04:00
return true if is_admin?
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
FIX: restrict moderators from creating/editing topics in readonly categories In the past moderators had blanket access to all categories they were allowed to see. This tightens down the restriction.
2016-04-13 01:59:38 -04:00
trusted = (authenticated? && user.has_trust_level?(TrustLevel[4])) || is_moderator?
(!(topic.closed? || topic.archived?) || trusted) && can_create_post?(topic)
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
end
# Editing Method
def can_edit_topic?(topic)
FIX: only admin can edit faq, tos, and privacy policy
2014-07-29 10:40:02 -04:00
return false if Discourse.static_doc_topic_ids.include?(topic.id) && !is_admin?
FIX: People could retitle restricted topics Sort of a security fix but not really
2015-02-26 00:08:52 -05:00
return false unless can_see?(topic)
FIX: restrict moderators from creating/editing topics in readonly categories In the past moderators had blanket access to all categories they were allowed to see. This tightens down the restriction.
2016-04-13 01:59:38 -04:00
return true if is_admin?
return true if is_moderator? && can_create_post?(topic)
FIX: trust level 3 should not be able to edit topics in categories that restrict them from doing so
2016-06-01 15:41:56 -04:00
# can't edit topics in secured categories where you don't have permission to create topics
DEV: correct edge case introduced in 333b5a19 We need to allow users to edit uncategorized topics out of uncategorized when for some reason admin just turns it off.
2019-06-26 03:53:29 -04:00
# except for a tiny edge case where the topic is uncategorized and you are trying
# to fix it but uncategorized is disabled
if (
SiteSetting.allow_uncategorized_topics ||
topic.category_id != SiteSetting.uncategorized_category_id
)
return false if !can_create_topic_on_category?(topic.category)
end
FIX: trust level 3 should not be able to edit topics in categories that restrict them from doing so
2016-06-01 15:41:56 -04:00
FIX: TL3 users should not be able to edit title of archived topics
2016-01-28 14:05:56 -05:00
# TL4 users can edit archived topics, but can not edit private messages
New site setting `trusted_users_can_edit_others` The default is true to keep with previous discourse behavior. If disabled, high trust level users cannot edit the topics or posts of other users.
2018-02-22 20:39:24 -05:00
return true if (
SiteSetting.trusted_users_can_edit_others? &&
topic.archived &&
!topic.private_message? &&
user.has_trust_level?(TrustLevel[4]) &&
can_create_post?(topic)
)
FIX: restrict moderators from creating/editing topics in readonly categories In the past moderators had blanket access to all categories they were allowed to see. This tightens down the restriction.
2016-04-13 01:59:38 -04:00
FIX: TL3 users should not be able to edit title of archived topics
2016-01-28 14:05:56 -05:00
# TL3 users can not edit archived topics and private messages
New site setting `trusted_users_can_edit_others` The default is true to keep with previous discourse behavior. If disabled, high trust level users cannot edit the topics or posts of other users.
2018-02-22 20:39:24 -05:00
return true if (
SiteSetting.trusted_users_can_edit_others? &&
!topic.archived &&
!topic.private_message? &&
user.has_trust_level?(TrustLevel[3]) &&
can_create_post?(topic)
)
FIX: Permission issues when editing topics If a user can't create a topic in a category, they should'be be able to edit topics.
2015-04-30 17:03:51 -04:00
FIX: staff should be able to edit topics that have been archived
2014-08-15 12:44:58 -04:00
return false if topic.archived
FIX: Don't allow users to edit topic information when the OP is locked see: https://meta.discourse.org/t/user-able-to-edit-title-of-locked-post/104826
2019-06-18 14:22:38 -04:00
is_my_own?(topic) &&
FEATURE: New post editing period for >= tl2 users (#8070) * FEATURE: Add tl2 threshold for editing new posts * Adds a new setting and for tl2 editing posts (30 days same as old value) * Sets the tl0/tl1 editing period as 1 day * FIX: Spec uses wrong setting * Fix site setting on guardian spec * FIX: post editing period specs * Avoid shared examples * Use update_columns to avoid callbacks on user during tests
2019-09-06 07:44:12 -04:00
!topic.edit_time_limit_expired?(user) &&
FIX: Don't allow users to edit topic information when the OP is locked see: https://meta.discourse.org/t/user-able-to-edit-title-of-locked-post/104826
2019-06-18 14:22:38 -04:00
!Post.where(topic_id: topic.id, post_number: 1).where.not(locked_by_id: nil).exists?
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
end
# Recovery Method
def can_recover_topic?(topic)
FEATURE: Let users delete their own topics. (#7267)
2019-03-29 12:10:05 -04:00
if is_staff?
FIX: Recovered posts with no user will be taken over by system user (#8834)
2020-02-06 03:19:04 -05:00
!!(topic && topic.deleted_at)
FEATURE: Let users delete their own topics. (#7267)
2019-03-29 12:10:05 -04:00
else
topic && can_recover_post?(topic.ordered_posts.first)
end
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
end
def can_delete_topic?(topic)
!topic.trashed? &&
FIX: Let users delete topics. Follow-up to 31053f30dea876395774fc646c50ba3b638acd97.
2019-03-29 15:59:19 -04:00
(is_staff? || (is_my_own?(topic) && topic.posts_count <= 1 && topic.created_at && topic.created_at > 24.hours.ago)) &&
FEATURE: Let users delete their own topics. (#7267)
2019-03-29 12:10:05 -04:00
!topic.is_category_topic? &&
Prevent deleting the static page doc topics
2014-08-13 17:02:44 -04:00
!Discourse.static_doc_topic_ids.include?(topic.id)
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
end
FEATURE: move a topic from PM to regular topic or vice versa
2016-05-01 07:48:43 -04:00
def can_convert_topic?(topic)
FIX: Disable "Make Personal Message" if they are disabled
2018-03-02 20:28:39 -05:00
return false unless SiteSetting.enable_personal_messages?
Don't allow category definition topics to be converted to PMs (#5216)
2017-10-02 04:04:58 -04:00
return false if topic.blank?
PERF: Avoid running the same query twice in `TopicViewSerializer#details`.
2018-05-24 04:41:51 -04:00
return false if topic.trashed?
return false if topic.is_category_topic?
FEATURE: allow moderators to convert a private message to public topic or vice versa
2016-05-04 12:29:56 -04:00
return true if is_admin?
is_moderator? && can_create_post?(topic)
FEATURE: move a topic from PM to regular topic or vice versa
2016-05-01 07:48:43 -04:00
end
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
def can_reply_as_new_topic?(topic)
FEATURE: reply as new message to the same recipients
2016-11-29 12:59:42 -05:00
authenticated? && topic && @user.has_trust_level?(TrustLevel[1])
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
end
FEATURE: Hide deleted posts by default for staff
2014-07-15 17:02:43 -04:00
def can_see_deleted_topics?
is_staff?
end
small topic/category guardians refactor
2016-06-27 08:36:57 -04:00
def can_see_topic?(topic, hide_deleted = true)
BUGFIX: could not see the revisions of a post in a deleted topic
2014-05-12 10:30:10 -04:00
return false unless topic
FIX: moderators can't see private topics that they aren't invited to see.
2014-05-12 15:26:36 -04:00
return true if is_admin?
small topic/category guardians refactor
2016-06-27 08:36:57 -04:00
return false if hide_deleted && topic.deleted_at && !can_see_deleted_topics?
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
FIX: logic for can_see_topic?
2014-08-05 00:37:28 -04:00
if topic.private_message?
small topic/category guardians refactor
2016-06-27 08:36:57 -04:00
return authenticated? && topic.all_allowed_users.where(id: @user.id).exists?
FIX: logic for can_see_topic?
2014-08-05 00:37:28 -04:00
end
Merge pull request from GHSA-569c-22ff-pj3x
2020-01-16 13:17:16 -05:00
category = topic.category
can_see_category?(category) &&
FIX: Notify staged users about private categories (#8765) group membership and `CategoryUser` notification level should be respected to determine whether to notify staged users about activity in private categories, instead of only ever generating notifications for staged users' own topics (which has been the behaviour since 0c4ac2a7bc726176b1d76b98f789a35e5d1bddfc)
2020-01-22 14:33:25 -05:00
(!category.read_restricted || !is_staged? || secure_category_ids.include?(category.id) || topic.user == user)
Easier helper for filtering secured categories
2015-02-12 11:52:59 -05:00
end
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
FEATURE: opt-in guidance on topics for users without access (#7852) Co-Authored-By: majakomel <maja.komel@gmail.com> Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2019-07-04 04:12:39 -04:00
def can_get_access_to_topic?(topic)
topic&.access_topic_via_group.present? && authenticated?
end
Easier helper for filtering secured categories
2015-02-12 11:52:59 -05:00
def filter_allowed_categories(records)
unless is_admin?
allowed_ids = allowed_category_ids
if allowed_ids.length > 0
records = records.where('topics.category_id IS NULL or topics.category_id IN (?)', allowed_ids)
else
records = records.where('topics.category_id IS NULL')
end
records = records.references(:categories)
end
records
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 18:25:14 -05:00
end
Easier helper for filtering secured categories
2015-02-12 11:52:59 -05:00
FEATURE: Allow posting a link with topics
2016-12-05 07:31:43 -05:00
def can_edit_featured_link?(category_id)
Topic Featured Links: move data from custom fields to topics and categories tables. Invert behaviour of topic_featured_link_allowed checkbox. Fix a bug with invalid topic records due to changing that category checkbox.
2016-12-15 17:46:43 -05:00
return false unless SiteSetting.topic_featured_link_enabled
FIX: uncategorized setting to control whether topic featured links are allowed
2016-12-20 15:55:30 -05:00
Category.where(id: category_id || SiteSetting.uncategorized_category_id, topic_featured_link_allowed: true).exists?
FEATURE: Allow posting a link with topics
2016-12-05 07:31:43 -05:00
end
FEATURE: Add "Reset Bump Date" action to topic admin wrench (#6246)
2018-08-09 20:51:03 -04:00
def can_update_bumped_at?
FEATURE: Allow TL4 users to reset bump date
2019-01-02 10:57:05 -05:00
is_staff? || @user.has_trust_level?(TrustLevel[4])
FEATURE: Add "Reset Bump Date" action to topic admin wrench (#6246)
2018-08-09 20:51:03 -04:00
end
FIX: only staff can banner topics
2019-04-02 03:08:15 -04:00
def can_banner_topic?(topic)
FIX: Ensure topic exists before making a banner. (#7781)
2019-06-25 06:49:29 -04:00
topic && authenticated? && !topic.private_message? && is_staff?
FIX: only staff can banner topics
2019-04-02 03:08:15 -04:00
end
FEATURE: wiki editors are allowed edit tags for wiki topics. If a wiki editor's TL is greater than 'min trust level to tag topics' site setting then they can edit the tags for any wiki topic.
2019-10-23 14:05:38 -04:00
def can_edit_tags?(topic)
return false unless can_tag_topics?
return false if topic.private_message? && !can_tag_pms?
return true if can_edit_topic?(topic)
if topic&.first_post&.wiki && (@user.trust_level >= SiteSetting.min_trust_to_edit_wiki_post.to_i)
return can_create_post?(topic)
end
false
end
BUGFIX: make the system_user an elder (TL=4) Otherwise it won't be able to create topic when the `min_trust_to_create_topic` is > 0
2014-01-21 09:21:38 -05:00
end