New site setting `trusted_users_can_edit_others`

The default is true to keep with previous discourse behavior. If disabled, high trust level users cannot edit the topics or posts of other users.
2018-02-22 20:39:24 -05:00 · 2018-02-22 20:39:24 -05:00 · 69af881f7f
parent ee9be65b2c
commit 69af881f7f
5 changed files with 40 additions and 5 deletions
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -1291,6 +1291,7 @@ en:
    tl3_requires_likes_given: "The minimum number of likes that must be given in the last (tl3 time period) days to qualify for promotion to trust level 3."
    tl3_requires_likes_received: "The minimum number of likes that must be received in the last (tl3 time period) days to qualify for promotion to trust level 3."
    tl3_links_no_follow: "Do not remove rel=nofollow from links posted by trust level 3 users."
+    trusted_users_can_edit_others: "Allow users with high trust levels to edit content from other users"

    min_trust_to_create_topic: "The minimum trust level required to create a new topic."
    allow_flagging_staff: "If enabled, users can flag posts from staff accounts."
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -971,6 +971,9 @@ trust:
  tl3_links_no_follow:
    default: false
    client: true
+  trusted_users_can_edit_others:
+    default: true
+    client: false

 security:
  force_https:
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@ -115,9 +115,13 @@ module PostGuardian
    # Must be staff to edit a locked post
    return false if post.locked? && !is_staff?

-    if is_staff? || @user.has_trust_level?(TrustLevel[4])
-      return can_create_post?(post.topic)
-    end
+    return can_create_post?(post.topic) if (
+      is_staff? ||
+      (
+        SiteSetting.trusted_users_can_edit_others? &&
+        @user.has_trust_level?(TrustLevel[4])
+      )
+    )

    if post.topic.archived? || post.user_deleted || post.deleted_at
      return false
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@ -46,10 +46,22 @@ module TopicGuardian
    return false if !can_create_topic_on_category?(topic.category)

    # TL4 users can edit archived topics, but can not edit private messages
-    return true if (topic.archived && !topic.private_message? && user.has_trust_level?(TrustLevel[4]) && can_create_post?(topic))
+    return true if (
+      SiteSetting.trusted_users_can_edit_others? &&
+      topic.archived &&
+      !topic.private_message? &&
+      user.has_trust_level?(TrustLevel[4]) &&
+      can_create_post?(topic)
+    )

    # TL3 users can not edit archived topics and private messages
-    return true if (!topic.archived && !topic.private_message? && user.has_trust_level?(TrustLevel[3]) && can_create_post?(topic))
+    return true if (
+      SiteSetting.trusted_users_can_edit_others? &&
+      !topic.archived &&
+      !topic.private_message? &&
+      user.has_trust_level?(TrustLevel[3]) &&
+      can_create_post?(topic)
+    )

    return false if topic.archived
    is_my_own?(topic) && !topic.edit_time_limit_expired?
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@ -1225,6 +1225,11 @@ describe Guardian do
        expect(Guardian.new(trust_level_4).can_edit?(post)).to be_truthy
      end

+      it 'returns false as a TL4 user if trusted_users_can_edit_others is true' do
+        SiteSetting.trusted_users_can_edit_others = false
+        expect(Guardian.new(trust_level_4).can_edit?(post)).to eq(false)
+      end
+
      it 'returns false when trying to edit a post with no trust' do
        SiteSetting.min_trust_to_edit_post = 2
        post.user.trust_level = 1
@ -1332,6 +1337,11 @@ describe Guardian do
          expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(true)
        end

+        it 'is false at TL3, if `trusted_users_can_edit_others` is false' do
+          SiteSetting.trusted_users_can_edit_others = false
+          expect(Guardian.new(trust_level_3).can_edit?(topic)).to eq(false)
+        end
+
        it "returns false when the category is read only" do
          topic.category.set_permissions(everyone: :readonly)
          topic.category.save
@ -1381,6 +1391,11 @@ describe Guardian do
          expect(Guardian.new(trust_level_4).can_edit?(archived_topic)).to be_truthy
        end

+        it 'is false at TL4, if `trusted_users_can_edit_others` is false' do
+          SiteSetting.trusted_users_can_edit_others = false
+          expect(Guardian.new(trust_level_4).can_edit?(archived_topic)).to eq(false)
+        end
+
        it 'returns false at trust level 3' do
          expect(Guardian.new(trust_level_3).can_edit?(archived_topic)).to be_falsey
        end