Simplify discussion/tag permission logic

A user now must have a permission to act for *all* tags assigned to a discussion, rather than just one of them. This is consistent with the way the permissions are worked out for visibility.

extensions/tags/src/Access/DiscussionPolicy.php

@@ -57,30 +57,13 @@ class DiscussionPolicy extends AbstractPolicy
      * @param Discussion $discussion
      * @return bool
      */
-    public function before(User $actor, $ability, Discussion $discussion)
+    public function after(User $actor, $ability, Discussion $discussion)
     {
         // Wrap all discussion permission checks with some logic pertaining to
-        // the discussion's tags. If the discussion has a tag that has been
-        // restricted, and the user has this permission for that tag, then they
-        // are allowed. If the discussion only has tags that have been
-        // restricted, then the user *must* have permission for at least one of
-        // them.
-        $tags = $discussion->tags;
-
-        if (count($tags)) {
-            $restricted = true;
-
-            foreach ($tags as $tag) {
-                if ($tag->is_restricted) {
-                    if ($actor->hasPermission('tag'.$tag->id.'.discussion.'.$ability)) {
-                        return true;
-                    }
-                } else {
-                    $restricted = false;
-                }
-            }
-
-            if ($restricted) {
+        // the discussion's tags. If the discussion has any tags that are
+        // restricted, then the user *must* have permission for all of them.
+        foreach ($discussion->tags as $tag) {
+            if ($tag->is_restricted && ! $actor->hasPermission('tag' . $tag->id . '.discussion.' . $ability)) {
                 return false;
             }
         }