codeninjasllc/discourse
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
This repository has been archived on 2025-05-04. You can view files and clone it, but you cannot make any changes to it's state, such as pushing and creating new issues, pull requests or comments.
discourse/lib/guardian/post_guardian.rb

217 lines
6.3 KiB
Ruby
Raw Permalink Normal View History

Users who have made no more than one post can delete their own accounts from their user preferences page.
2014-02-13 11:42:35 -05:00
#mixin for all guardian methods dealing with post permissions
BUGFIX: could not see the revisions of a post in a deleted topic
2014-05-12 16:30:10 +02:00
module PostGuardian
`NewPostManager` determines whether to queue a post or not
2015-03-31 12:58:56 -04:00
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
# Can the user act on the post in a particular way.
# taken_actions = the list of actions the user has already taken
def post_can_act?(post, action_key, opts={})
taken = opts[:taken_actions].try(:keys).to_a
is_flag = PostActionType.is_flag?(action_key)
already_taken_this_action = taken.any? && taken.include?(PostActionType.types[action_key])
already_did_flagging = taken.any? && (taken & PostActionType.flag_types.values).any?
FEATURE: anonymous_account_duration_minutes , cycle anon accounts after N minutes from last post fixes it so anon users can not like stuff
2015-04-08 12:29:43 +10:00
result = if authenticated? && post && !@user.anonymous?
FIX: when private messages are disabled in settings, flag modal shouldn't show private message options
2014-12-19 16:47:39 -05:00
return false if action_key == :notify_moderators && !SiteSetting.enable_private_messages
FIX: don't show option to flag with notify_user to trust level 0 users. they can't send private messages.
2014-03-10 11:48:27 -04:00
# we allow flagging for trust level 1 and higher
FIX: all PMs should be flaggable
2015-01-08 16:06:43 +01:00
# always allowed for private messages
(is_flag && not(already_did_flagging) && (@user.has_trust_level?(TrustLevel[1]) || post.topic.private_message?)) ||
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
# not a flagging action, and haven't done it already
not(is_flag || already_taken_this_action) &&
FIX: use PostDestroyer when deleting/recovering a topic
2014-08-07 19:12:35 +02:00
# nothing except flagging on archived topics
FIX: In case a topic is deleted, allow us to serialize their posts
2015-02-03 14:51:29 -05:00
not(post.topic.try(:archived?)) &&
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
FIX: use PostDestroyer when deleting/recovering a topic
2014-08-07 19:12:35 +02:00
# nothing except flagging on deleted posts
not(post.trashed?) &&
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
# don't like your own stuff
not(action_key == :like && is_my_own?(post)) &&
FIX: don't show option to flag with notify_user to trust level 0 users. they can't send private messages.
2014-03-10 11:48:27 -04:00
# new users can't notify_user because they are not allowed to send private messages
FEATURE: make trust level for message sending configurable - add min_trust_to_send_messages site setting (default 1) to allow admins to configure when messages can be sent between members
2015-10-12 11:15:38 +11:00
not(action_key == :notify_user && !@user.has_trust_level?(SiteSetting.min_trust_to_send_messages)) &&
FIX: don't show option to flag with notify_user to trust level 0 users. they can't send private messages.
2014-03-10 11:48:27 -04:00
Added spec tests
2016-04-03 19:44:14 -04:00
# non-staff can't send an official warning
not(action_key == :notify_user && !is_staff? && opts[:is_warning].present? && opts[:is_warning] == 'true') &&
FIX: when private messages are disabled in settings, flag modal shouldn't show private message options
2014-12-19 16:47:39 -05:00
# can't send private messages if they're disabled globally
not(action_key == :notify_user && !SiteSetting.enable_private_messages) &&
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
# no voting more than once on single vote topics
not(action_key == :vote && opts[:voted_in_topic] && post.topic.has_meta_data_boolean?(:single_vote))
end
FEATURE: anonymous_account_duration_minutes , cycle anon accounts after N minutes from last post fixes it so anon users can not like stuff
2015-04-08 12:29:43 +10:00
!!result
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
end
FEATURE: flag dispositions normalization All flags should end up in one of the three dispositions - Agree - Disagree - Defer In the administration area, the *active* flags section displays 4 buttons - Agree (hide post + send PM) - Disagree - Defer - Delete Clicking "Delete" will open a modal that offer to - Delete Post & Defer Flags - Delete Post & Agree with Flags - Delete Spammer (if available) When the flag has a list associated, the list will now display 1 response and 1 reply and a "show more..." link if there are more in the conversation. Replying to the conversation will NOT give a disposition. Moderators must click the buttons that does that. If someone clicks one buttons, this will add a default moderator message from that moderator saying what happened. The *old* flags section now displays the proper dispositions and is super duper fast (no more N+9999 queries). FIX: the old list includes deleted topics FIX: the lists now properly display the topic states (deleted, closed, archived, hidden, PM) FIX: flagging a topic that you've already flagged the first post
2014-07-28 19:17:37 +02:00
def can_defer_flags?(post)
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
is_staff? && post
end
# Can we see who acted on a post in a particular way?
def can_see_post_actors?(topic, post_action_type_id)
FIX: use PostDestroyer when deleting/recovering a topic
2014-08-07 19:12:35 +02:00
return true if is_admin?
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
return false unless topic
type_symbol = PostActionType.types[post_action_type_id]
return false if type_symbol == :bookmark
return can_see_flags?(topic) if PostActionType.is_flag?(type_symbol)
if type_symbol == :vote
# We can see votes if the topic allows for public voting
return false if topic.has_meta_data_boolean?(:private_poll)
end
true
end
def can_delete_all_posts?(user)
FEATURE: flag dispositions normalization All flags should end up in one of the three dispositions - Agree - Disagree - Defer In the administration area, the *active* flags section displays 4 buttons - Agree (hide post + send PM) - Disagree - Defer - Delete Clicking "Delete" will open a modal that offer to - Delete Post & Defer Flags - Delete Post & Agree with Flags - Delete Spammer (if available) When the flag has a list associated, the list will now display 1 response and 1 reply and a "show more..." link if there are more in the conversation. Replying to the conversation will NOT give a disposition. Moderators must click the buttons that does that. If someone clicks one buttons, this will add a default moderator message from that moderator saying what happened. The *old* flags section now displays the proper dispositions and is super duper fast (no more N+9999 queries). FIX: the old list includes deleted topics FIX: the lists now properly display the topic states (deleted, closed, archived, hidden, PM) FIX: flagging a topic that you've already flagged the first post
2014-07-28 19:17:37 +02:00
is_staff? &&
user &&
!user.admin? &&
(user.first_post_created_at.nil? || user.first_post_created_at >= SiteSetting.delete_user_max_post_age.days.ago) &&
user.post_count <= SiteSetting.delete_all_posts_max.to_i
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
end
# Creating Method
def can_create_post?(parent)
FEATURE: blocked users can send and reply to private messages from staff
2016-01-22 12:54:18 -05:00
(!SpamRule::AutoBlock.block?(@user) || (!!parent.try(:private_message?) && parent.allowed_users.include?(@user))) && (
FEATURE: vanilla import
2014-04-18 18:42:31 +02:00
!parent ||
!parent.category ||
Category.post_create_allowed(self).where(:id => parent.category.id).count == 1
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
)
end
# Editing Method
def can_edit_post?(post)
FIX: only admin can edit faq, tos, and privacy policy
2014-07-29 10:40:02 -04:00
if Discourse.static_doc_topic_ids.include?(post.topic_id) && !is_admin?
return false
end
FIX: restrict moderators from creating/editing topics in readonly categories In the past moderators had blanket access to all categories they were allowed to see. This tightens down the restriction.
2016-04-13 15:59:38 +10:00
return true if is_admin?
Internal renaming of elder,leader,regular,basic to numbers Changed internals so trust levels are referred to with TrustLevel[1], TrustLevel[2] etc. This gives us much better flexibility naming trust levels, these names are meant to be controlled by various communities.
2014-09-05 15:20:39 +10:00
if is_staff? || @user.has_trust_level?(TrustLevel[4])
FIX: restrict moderators from creating/editing topics in readonly categories In the past moderators had blanket access to all categories they were allowed to see. This tightens down the restriction.
2016-04-13 15:59:38 +10:00
return can_create_post?(post.topic)
Wiki Post
2014-05-13 08:53:11 -04:00
end
FIX: allow post editing but do not allow ninja edit for active flagged post
2016-03-30 23:48:42 +05:30
if post.topic.archived? || post.user_deleted || post.deleted_at
Wiki Post
2014-05-13 08:53:11 -04:00
return false
end
if post.wiki && (@user.trust_level >= SiteSetting.min_trust_to_edit_wiki_post.to_i)
return true
end
Disable editing of hidden posts within a timeframe from when the post was initially hidden.
2014-06-20 15:38:03 -04:00
if is_my_own?(post)
FIX: If a post has been hidden due to flagging, don't use the absolute edit window for edit prevention.
2014-09-16 11:20:31 -04:00
if post.hidden?
return false if post.hidden_at.present? &&
post.hidden_at >= SiteSetting.cooldown_minutes_after_hiding_posts.minutes.ago
# If it's your own post and it's hidden, you can still edit it
return true
end
Disable editing of hidden posts within a timeframe from when the post was initially hidden.
2014-06-20 15:38:03 -04:00
return !post.edit_time_limit_expired?
Wiki Post
2014-05-13 08:53:11 -04:00
end
false
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
end
# Deleting Methods
def can_delete_post?(post)
# Can't delete the first post
- FEATURE: revamped poll plugin - add User.staff scope - inject MessageBus into Ember views (so it can be used by the poll plugin) - REFACTOR: use more accurate is_first_post? method instead of post_number == 1 - FEATURE: add support for JSON-typed custom fields - FEATURE: allow plugins to add validation - FEATURE: add post_custom_fields to PostSerializer - FEATURE: allow plugins to whitelist post_custom_fields - FIX: don't bump when post did not save successfully - FEATURE: polls are supported in any post - FEATURE: allow for multiple polls in the same post - FEATURE: multiple choice polls - FEATURE: rating polls - FEATURE: new dialect allowing users to preview polls in the composer
2015-04-23 19:33:29 +02:00
return false if post.is_first_post?
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
# Can't delete after post_edit_time_limit minutes have passed
return false if !is_staff? && post.edit_time_limit_expired?
Non-staff users may not delete their posts in archived topics.
2014-01-17 17:42:12 -05:00
# Can't delete posts in archived topics unless you are staff
return false if !is_staff? && post.topic.archived?
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
# You can delete your own posts
return !post.user_deleted? if is_my_own?(post)
is_staff?
end
# Recovery Method
def can_recover_post?(post)
is_staff? || (is_my_own?(post) && post.user_deleted && !post.deleted_at)
end
def can_delete_post_action?(post_action)
# You can only undo your own actions
is_my_own?(post_action) && not(post_action.is_private_message?) &&
# Make sure they want to delete it within the window
post_action.created_at > SiteSetting.post_undo_action_window_mins.minutes.ago
end
def can_see_post?(post)
FEATURE: Whisper posts
2015-09-10 16:01:23 -04:00
return false if post.blank?
return true if is_admin?
return false unless can_see_topic?(post.topic)
FIX: properly filter whispers in user stream
2015-09-22 00:50:52 +02:00
return false unless post.user == @user || Topic.visible_post_types(@user).include?(post.post_type)
FEATURE: Whisper posts
2015-09-10 16:01:23 -04:00
return false if !is_moderator? && post.deleted_at.present?
true
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
end
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 22:06:43 +01:00
def can_view_edit_history?(post)
BUGFIX: could not see the revisions of a post in a deleted topic
2014-05-12 16:30:10 +02:00
return false unless post
BUGFIX: edit history on wiki posts should be visible
2014-06-26 19:19:35 +02:00
if !post.hidden
FEATURE: remove user option for edit history public Users can no longer opt-in for "public" edit history if site owner disables it. This feature adds cost and complexity to post rendering since user options need to be premeptively loaded for every user in the stream. It is also confusing to explain to communities with private edit history.
2016-07-16 21:30:00 +10:00
return true if post.wiki || SiteSetting.edit_history_visible_to_public
BUGFIX: edit history on wiki posts should be visible
2014-06-26 19:19:35 +02:00
end
BUGFIX: could not see the revisions of a post in a deleted topic
2014-05-12 16:30:10 +02:00
Trust level 4: add ability to edit any post and see edit history
2014-03-13 10:47:37 -04:00
authenticated? &&
Internal renaming of elder,leader,regular,basic to numbers Changed internals so trust levels are referred to with TrustLevel[1], TrustLevel[2] etc. This gives us much better flexibility naming trust levels, these names are meant to be controlled by various communities.
2014-09-05 15:20:39 +10:00
(is_staff? || @user.has_trust_level?(TrustLevel[4]) || @user.id == post.user_id) &&
BUGFIX: could not see the revisions of a post in a deleted topic
2014-05-12 16:30:10 +02:00
can_see_post?(post)
Refactor guardian as dissused in this topic https://meta.discourse.org/t/so-you-want-to-help-out-with-discourse/3823/41?u=hunter Creates a mixin for the ensure_* functions and creates seperate mixins for functions dealing with posts, categories, and topics.
2014-01-09 17:25:14 -06:00
end
def can_vote?(post, opts={})
post_can_act?(post,:vote, opts)
end
Allow changing ownwership of posts by admins
2014-03-27 18:28:14 -07:00
def can_change_post_owner?
is_admin?
end
Wiki Post
2014-05-13 08:53:11 -04:00
FEATURE: allow users to wikify their own posts based on trust level
2016-01-11 20:56:00 +05:30
def can_wiki?(post)
return false unless authenticated?
FIX: do not allow normal users to wiki edit-expired posts
2016-03-15 14:43:52 +05:30
return true if is_staff? || @user.has_trust_level?(TrustLevel[4])
if @user.has_trust_level?(SiteSetting.min_trust_to_allow_self_wiki) && is_my_own?(post)
return false if post.hidden?
return !post.edit_time_limit_expired?
end
false
Wiki Post
2014-05-13 08:53:11 -04:00
end
FEATURE: show the user's flagged/deleted posts
2014-07-16 21:04:55 +02:00
FEATURE: add new 'convert to staff message' in post wrench menu
2014-09-10 23:08:33 +02:00
def can_change_post_type?
is_staff?
end
FEATURE: add 'rebake post' in post wrench menu
2014-09-11 16:04:40 +02:00
def can_rebake?
FIX: allow TL4 user to rebake post
2015-02-03 22:49:01 +05:30
is_staff? || @user.has_trust_level?(TrustLevel[4])
FEATURE: add 'rebake post' in post wrench menu
2014-09-11 16:04:40 +02:00
end
FEATURE: show the user's flagged/deleted posts
2014-07-16 21:04:55 +02:00
def can_see_flagged_posts?
is_staff?
end
def can_see_deleted_posts?
is_staff?
end
FEATURE: staff option to unhide a post
2014-09-22 18:55:13 +02:00
FIX: users can see the raw email source of their own posts
2014-11-12 14:49:42 +01:00
def can_view_raw_email?(post)
post && (is_staff? || post.user_id == @user.id)
further optimize raw email feature
2014-10-18 00:48:29 +05:30
end
FEATURE: staff option to unhide a post
2014-09-22 18:55:13 +02:00
def can_unhide?(post)
post.try(:hidden) && is_staff?
end
Non-staff users may not delete their posts in archived topics.
2014-01-17 17:42:12 -05:00
end
Reference in a new issue Copy permalink