Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.

2013-08-12 14:54:52 -04:00 · 2013-08-12 14:54:52 -04:00 · b36c6d7b78
parent ffcf3f7e7d
commit b36c6d7b78
8 changed files with 61 additions and 4 deletions
--- a/app/assets/javascripts/discourse/templates/user/preferences.js.handlebars
+++ b/app/assets/javascripts/discourse/templates/user/preferences.js.handlebars
@ -4,7 +4,9 @@
    <label class="control-label">{{i18n user.username.title}}</label>
    <div class="controls">
      <span class='static'>{{username}}</span>
-      {{#linkTo "preferences.username" class="btn pad-left"}}{{i18n user.change}}{{/linkTo}}
+      {{#if can_edit_username}}
+        {{#linkTo "preferences.username" class="btn pad-left"}}{{i18n user.change}}{{/linkTo}}
+      {{/if}}
    </div>
    <div class='instructions'>
      {{{i18n user.username.short_instructions username="username"}}}
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -75,7 +75,7 @@ class UsersController < ApplicationController
    params.require(:new_username)

    user = fetch_user_from_params
-    guardian.ensure_can_edit!(user)
+    guardian.ensure_can_edit_username!(user)

    result = user.change_username(params[:new_username])
    raise Discourse::InvalidParameters.new(:new_username) unless result
--- a/app/models/site_setting.rb
+++ b/app/models/site_setting.rb
@ -240,6 +240,8 @@ class SiteSetting < ActiveRecord::Base
  client_setting(:delete_user_max_age, 7)
  setting(:delete_all_posts_max, 10)

+  setting(:username_change_period, 3) # days
+

  def self.generate_api_key!
    self.api_key = SecureRandom.hex(32)
--- a/app/serializers/user_serializer.rb
+++ b/app/serializers/user_serializer.rb
@ -9,6 +9,7 @@ class UserSerializer < BasicUserSerializer
             :created_at,
             :website,
             :can_edit,
+             :can_edit_username,
             :stats,
             :can_send_private_message_to_user,
             :bio_excerpt,
@ -69,6 +70,10 @@ class UserSerializer < BasicUserSerializer
    scope.can_edit?(object)
  end

+  def can_edit_username
+    scope.can_edit_username?(object)
+  end
+
  def stats
    UserAction.stats(object.id, scope)
  end
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -663,6 +663,7 @@ en:
    relative_date_duration: "Number of days after posting where post dates will be shown as relative instead of absolute. Examples: relative date: 7d, absolute date: 20 Feb"
    delete_user_max_age: "The maximum age of a user, in days, which can be deleted by an admin."
    delete_all_posts_max: "The maximum number of posts that can be deleted at once with the Delete All Posts button. If a user has more than this many posts, the posts cannot all be deleted at once and the user can't be deleted."
+    username_change_period: "The number of days after registration that someone can change their own username."

  notification_types:
    mentioned: "%{display_username} mentioned you in %{link}"
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@ -278,6 +278,10 @@ class Guardian
    !topic.archived && (is_staff? || is_my_own?(topic))
  end

+  def can_edit_username?(user)
+    is_staff? || (is_me?(user) && user.created_at > SiteSetting.username_change_period.days.ago)
+  end
+
  # Deleting Methods
  def can_delete_post?(post)
    # Can't delete the first post
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@ -1125,5 +1125,48 @@ describe Guardian do
    end
  end

+  describe "can_edit_username?" do
+    it "is false without a logged in user" do
+      Guardian.new(nil).can_edit_username?(build(:user, created_at: 1.minute.ago)).should be_false
+    end
+
+    it "is false for regular users to edit another user's username" do
+      Guardian.new(build(:user)).can_edit_username?(build(:user, created_at: 1.minute.ago)).should be_false
+    end
+
+    shared_examples "staff can always change usernames" do
+      it "is true for moderators" do
+        Guardian.new(moderator).can_edit_username?(user).should be_true
+      end
+
+      it "is true for admins" do
+        Guardian.new(admin).can_edit_username?(user).should be_true
+      end
+    end
+
+    context 'for a new user' do
+      let(:target_user) { build(:user, created_at: 1.minute.ago) }
+      include_examples "staff can always change usernames"
+
+      it "is true for the user to change his own username" do
+        Guardian.new(target_user).can_edit_username?(target_user).should be_true
+      end
+    end
+
+    context 'for an old user' do
+      before do
+        SiteSetting.stubs(:username_change_period).returns(3)
+      end
+
+      let(:target_user) { build(:user, created_at: 4.days.ago) }
+
+      include_examples "staff can always change usernames"
+
+      it "is false for the user to change his own username" do
+        Guardian.new(target_user).can_edit_username?(target_user).should be_false
+      end
+    end
+  end
+
 end

--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -521,8 +521,8 @@ describe UsersController do
        lambda { xhr :put, :username, username: user.username }.should raise_error(ActionController::ParameterMissing)
      end

-      it 'raises an error when you don\'t have permission to change the user' do
-        Guardian.any_instance.expects(:can_edit?).with(user).returns(false)
+      it 'raises an error when you don\'t have permission to change the username' do
+        Guardian.any_instance.expects(:can_edit_username?).with(user).returns(false)
        xhr :put, :username, username: user.username, new_username: new_username
        response.should be_forbidden
      end