discourse/lib/guardian/topic_guardian.rb

#mixin for all guardian methods dealing with topic permisions
module TopicGuardian

  def can_remove_allowed_users?(topic)
    is_staff?
  end

  # Creating Methods
  def can_create_topic?(parent)
    is_admin? ||
    (user &&
      user.trust_level >= SiteSetting.min_trust_to_create_topic.to_i &&
      can_create_post?(parent))
  end

  def can_create_topic_on_category?(category)
    can_create_topic?(nil) &&
    (!category || Category.topic_create_allowed(self).where(:id => category.id).count == 1)
  end

  def can_create_post_on_topic?(topic)
    # No users can create posts on deleted topics
    return false if topic.trashed?

    is_staff? || (authenticated? && user.has_trust_level?(:elder)) || (not(topic.closed? || topic.archived? || topic.trashed?) && can_create_post?(topic))
  end

  # Editing Method
  def can_edit_topic?(topic)
    !topic.archived && (is_staff? || is_my_own?(topic) || user.has_trust_level?(:leader))
  end

  # Recovery Method
  def can_recover_topic?(topic)
    is_staff?
  end

  def can_delete_topic?(topic)
    !topic.trashed? &&
    is_staff? &&
    !(Category.exists?(topic_id: topic.id))
  end

  def can_reply_as_new_topic?(topic)
    authenticated? && topic && not(topic.private_message?) && @user.has_trust_level?(:basic)
  end

  def can_see_topic?(topic)
    return false unless topic
    return true if is_admin?
    return false if topic.deleted_at

    # NOTE
    # At the moment staff can see PMs, there is some talk of restricting this, however
    # we still need to allow staff to join PMs for the case of flagging ones

    # not secure, or I can see it
    (not(topic.read_restricted_category?) || can_see_category?(topic.category)) &&
    # not private, or I am allowed (or is staff)
    (not(topic.private_message?) || (authenticated? && (is_admin? || topic.all_allowed_users.where(id: @user.id).exists?)))

  end
end
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics. 2014-01-09 18:25:14 -05:00			`#mixin for all guardian methods dealing with topic permisions`
			`module TopicGuardian`

			`def can_remove_allowed_users?(topic)`
			`is_staff?`
			`end`

			`# Creating Methods`
			`def can_create_topic?(parent)`
FIX: admins should be able to create topics, even if min_trust_to_create_topic is higher than their trust level 2014-06-09 11:03:10 -04:00			`is_admin? \|\|`
			`(user &&`
			`user.trust_level >= SiteSetting.min_trust_to_create_topic.to_i &&`
			`can_create_post?(parent))`
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics. 2014-01-09 18:25:14 -05:00			`end`

			`def can_create_topic_on_category?(category)`
BUGFIX: make the system_user an elder (TL=4) Otherwise it won't be able to create topic when the `min_trust_to_create_topic` is > 0 2014-01-21 09:21:38 -05:00			`can_create_topic?(nil) &&`
			`(!category \|\| Category.topic_create_allowed(self).where(:id => category.id).count == 1)`
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics. 2014-01-09 18:25:14 -05:00			`end`

			`def can_create_post_on_topic?(topic)`
			`# No users can create posts on deleted topics`
			`return false if topic.trashed?`

FEATURE: Trust level 4 abilities: pin/unpin, close, archive, make invisible, split/merge topic 2014-03-17 14:50:28 -04:00			`is_staff? \|\| (authenticated? && user.has_trust_level?(:elder)) \|\| (not(topic.closed? \|\| topic.archived? \|\| topic.trashed?) && can_create_post?(topic))`
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics. 2014-01-09 18:25:14 -05:00			`end`

			`# Editing Method`
			`def can_edit_topic?(topic)`
Trust level 3 users can edit topic titles and change category 2014-01-16 11:59:26 -05:00			`!topic.archived && (is_staff? \|\| is_my_own?(topic) \|\| user.has_trust_level?(:leader))`
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics. 2014-01-09 18:25:14 -05:00			`end`

			`# Recovery Method`
			`def can_recover_topic?(topic)`
			`is_staff?`
			`end`

			`def can_delete_topic?(topic)`
			`!topic.trashed? &&`
			`is_staff? &&`
			`!(Category.exists?(topic_id: topic.id))`
			`end`

			`def can_reply_as_new_topic?(topic)`
			`authenticated? && topic && not(topic.private_message?) && @user.has_trust_level?(:basic)`
			`end`

			`def can_see_topic?(topic)`
BUGFIX: could not see the revisions of a post in a deleted topic 2014-05-12 10:30:10 -04:00			`return false unless topic`
FIX: moderators can't see private topics that they aren't invited to see. 2014-05-12 15:26:36 -04:00			`return true if is_admin?`
BUGFIX: could not see the revisions of a post in a deleted topic 2014-05-12 10:30:10 -04:00			`return false if topic.deleted_at`
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics. 2014-01-09 18:25:14 -05:00
BUGFIX: could not see the revisions of a post in a deleted topic 2014-05-12 10:30:10 -04:00			`# NOTE`
			`# At the moment staff can see PMs, there is some talk of restricting this, however`
			`# we still need to allow staff to join PMs for the case of flagging ones`
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics. 2014-01-09 18:25:14 -05:00
BUGFIX: could not see the revisions of a post in a deleted topic 2014-05-12 10:30:10 -04:00			`# not secure, or I can see it`
			`(not(topic.read_restricted_category?) \|\| can_see_category?(topic.category)) &&`
			`# not private, or I am allowed (or is staff)`
FIX: moderators can't see private topics that they aren't invited to see. 2014-05-12 15:26:36 -04:00			`(not(topic.private_message?) \|\| (authenticated? && (is_admin? \|\| topic.all_allowed_users.where(id: @user.id).exists?)))`
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics. 2014-01-09 18:25:14 -05:00
			`end`
BUGFIX: make the system_user an elder (TL=4) Otherwise it won't be able to create topic when the `min_trust_to_create_topic` is > 0 2014-01-21 09:21:38 -05:00			`end`