Users cannot change their own username after 3 days since registering. Site setting username_change_period allows you to change the number of days.

app/assets/javascripts/discourse/templates/user/preferences.js.handlebars

@@ -4,7 +4,9 @@
     <label class="control-label">{{i18n user.username.title}}</label>
     <div class="controls">
       <span class='static'>{{username}}</span>
-      {{#linkTo "preferences.username" class="btn pad-left"}}{{i18n user.change}}{{/linkTo}}
+      {{#if can_edit_username}}
+        {{#linkTo "preferences.username" class="btn pad-left"}}{{i18n user.change}}{{/linkTo}}
+      {{/if}}
     </div>
     <div class='instructions'>
       {{{i18n user.username.short_instructions username="username"}}}

app/controllers/users_controller.rb

@@ -75,7 +75,7 @@ class UsersController < ApplicationController
     params.require(:new_username)
 
     user = fetch_user_from_params
-    guardian.ensure_can_edit!(user)
+    guardian.ensure_can_edit_username!(user)
 
     result = user.change_username(params[:new_username])
     raise Discourse::InvalidParameters.new(:new_username) unless result

app/models/site_setting.rb

@@ -240,6 +240,8 @@ class SiteSetting < ActiveRecord::Base
   client_setting(:delete_user_max_age, 7)
   setting(:delete_all_posts_max, 10)
 
+  setting(:username_change_period, 3) # days
+
 
   def self.generate_api_key!
     self.api_key = SecureRandom.hex(32)

app/serializers/user_serializer.rb

@@ -9,6 +9,7 @@ class UserSerializer < BasicUserSerializer
              :created_at,
              :website,
              :can_edit,
+             :can_edit_username,
              :stats,
              :can_send_private_message_to_user,
              :bio_excerpt,
@@ -69,6 +70,10 @@ class UserSerializer < BasicUserSerializer
     scope.can_edit?(object)
   end
 
+  def can_edit_username
+    scope.can_edit_username?(object)
+  end
+
   def stats
     UserAction.stats(object.id, scope)
   end

config/locales/server.en.yml

@@ -663,6 +663,7 @@ en:
     relative_date_duration: "Number of days after posting where post dates will be shown as relative instead of absolute. Examples: relative date: 7d, absolute date: 20 Feb"
     delete_user_max_age: "The maximum age of a user, in days, which can be deleted by an admin."
     delete_all_posts_max: "The maximum number of posts that can be deleted at once with the Delete All Posts button. If a user has more than this many posts, the posts cannot all be deleted at once and the user can't be deleted."
+    username_change_period: "The number of days after registration that someone can change their own username."
 
   notification_types:
     mentioned: "%{display_username} mentioned you in %{link}"

lib/guardian.rb

@@ -278,6 +278,10 @@ class Guardian
     !topic.archived && (is_staff? || is_my_own?(topic))
   end
 
+  def can_edit_username?(user)
+    is_staff? || (is_me?(user) && user.created_at > SiteSetting.username_change_period.days.ago)
+  end
+
   # Deleting Methods
   def can_delete_post?(post)
     # Can't delete the first post

spec/components/guardian_spec.rb

@@ -1125,5 +1125,48 @@ describe Guardian do
     end
   end
 
+  describe "can_edit_username?" do
+    it "is false without a logged in user" do
+      Guardian.new(nil).can_edit_username?(build(:user, created_at: 1.minute.ago)).should be_false
+    end
+
+    it "is false for regular users to edit another user's username" do
+      Guardian.new(build(:user)).can_edit_username?(build(:user, created_at: 1.minute.ago)).should be_false
+    end
+
+    shared_examples "staff can always change usernames" do
+      it "is true for moderators" do
+        Guardian.new(moderator).can_edit_username?(user).should be_true
+      end
+
+      it "is true for admins" do
+        Guardian.new(admin).can_edit_username?(user).should be_true
+      end
+    end
+
+    context 'for a new user' do
+      let(:target_user) { build(:user, created_at: 1.minute.ago) }
+      include_examples "staff can always change usernames"
+
+      it "is true for the user to change his own username" do
+        Guardian.new(target_user).can_edit_username?(target_user).should be_true
+      end
+    end
+
+    context 'for an old user' do
+      before do
+        SiteSetting.stubs(:username_change_period).returns(3)
+      end
+
+      let(:target_user) { build(:user, created_at: 4.days.ago) }
+
+      include_examples "staff can always change usernames"
+
+      it "is false for the user to change his own username" do
+        Guardian.new(target_user).can_edit_username?(target_user).should be_false
+      end
+    end
+  end
+
 end
 

spec/controllers/users_controller_spec.rb

@@ -521,8 +521,8 @@ describe UsersController do
         lambda { xhr :put, :username, username: user.username }.should raise_error(ActionController::ParameterMissing)
       end
 
-      it 'raises an error when you don\'t have permission to change the user' do
+      it 'raises an error when you don\'t have permission to change the username' do
-        Guardian.any_instance.expects(:can_edit?).with(user).returns(false)
+        Guardian.any_instance.expects(:can_edit_username?).with(user).returns(false)
         xhr :put, :username, username: user.username, new_username: new_username
         response.should be_forbidden
       end