Improve some post/discussion permission logic

- Allow users to see their own posts, even if they have been hidden by
someone else
- Don't require hiding a post to be necessarily attributed to a user
- Hide discussions with zero posts, unless the user can edit posts, or
they are the discussion author
Toby Zerner 2015-09-04 12:22:27 +09:30
parent 9277fca0ec
commit 276334ec52
4 changed files with 61 additions and 6 deletions


@ -13,7 +13,9 @@ namespace Flarum\Core\Discussions;
use Flarum\Core\Search\GambitManager; use Flarum\Core\Search\GambitManager;
use Flarum\Core\Users\User; use Flarum\Core\Users\User;
use Flarum\Events\ModelAllow; use Flarum\Events\ModelAllow;
use Flarum\Events\ScopeModelVisibility;
use Flarum\Events\RegisterDiscussionGambits; use Flarum\Events\RegisterDiscussionGambits;
use Flarum\Events\ScopeEmptyDiscussionVisibility;
use Flarum\Support\ServiceProvider; use Flarum\Support\ServiceProvider;
use Flarum\Extend; use Flarum\Extend;
use Illuminate\Contracts\Container\Container; use Illuminate\Contracts\Container\Container;
@ -53,6 +55,19 @@ class DiscussionsServiceProvider extends ServiceProvider
} }
} }
}); });
$events->listen(ScopeModelVisibility::class, function (ScopeModelVisibility $event) {
if ($event->model instanceof Discussion) {
if (! $event->actor->hasPermission('discussion.editPosts')) {
$event->query->where(function ($query) use ($event) {
$query->where('comments_count', '>', '0')
->orWhere('start_user_id', $event->actor->id);
event(new ScopeEmptyDiscussionVisibility($query, $event->actor));
});
}
}
});
} }
/** /**
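Review bot: The `orWhere('start_user_id', $event->actor->id)` clause in the new listener assumes the actor has a real id; if a guest actor's id can be null, the query builder will, as far as I can tell, turn the clause into `start_user_id IS NULL` and show empty discussions with no recorded author to every guest. The same pattern appears in the PostsServiceProvider changes (`->orWhere('user_id', $user->id)` and the loose `$post->user_id == $actor->id` checks), where it would expose hidden posts instead. I would add the author clause only for an actor with an id, e.g. `if ($event->actor->id !== null) { $query->orWhere('start_user_id', $event->actor->id); }`, and prefix the `==` comparisons with `$post->user_id !== null &&`. Whether guests carry a null or a sentinel id is not visible on this page, so please confirm before merging.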


@ -87,7 +87,7 @@ class CommentPost extends Post
* @param User $actor * @param User $actor
* @return $this * @return $this
*/ */
public function hide(User $actor) public function hide(User $actor = null)
{ {
if ($this->number == 1) { if ($this->number == 1) {
throw new DomainException('Cannot hide the first post of a discussion'); throw new DomainException('Cannot hide the first post of a discussion');
@ -95,7 +95,7 @@ class CommentPost extends Post
if (! $this->hide_time) { if (! $this->hide_time) {
$this->hide_time = time(); $this->hide_time = time();
$this->hide_user_id = $actor->id; $this->hide_user_id = $actor ? $actor->id : null;
$this->raise(new PostWasHidden($this)); $this->raise(new PostWasHidden($this));
} }
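Review bot: The docblock above `hide()` still reads `@param User $actor` although the signature now accepts null; it should become `@param User|null $actor`, with a line saying that null records a hide with no attributed user. With `hide_user_id` allowed to stay null on a hidden post, `hide_time` is the only reliable hidden marker, so any code outside this commit that still tests `hide_user_id` (not visible here) would treat such a post as visible. An unattributed hide also leaves no record in this row of who or what hid the post, so callers passing null should presumably log the origin elsewhere. The body of `hide()` starts and ends outside these hunks.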


@ -44,7 +44,7 @@ class PostsServiceProvider extends ServiceProvider
$actor = $event->actor; $actor = $event->actor;
if ($action === 'view' && if ($action === 'view' &&
(! $post->hide_user_id || $post->hide_user_id == $actor->id || $post->can($actor, 'edit'))) { (! $post->hide_time || $post->user_id == $actor->id || $post->can($actor, 'edit'))) {
return true; return true;
} }
@ -55,7 +55,7 @@ class PostsServiceProvider extends ServiceProvider
if ($post->discussion->can($actor, 'editPosts')) { if ($post->discussion->can($actor, 'editPosts')) {
return true; return true;
} }
if ($post->user_id == $actor->id && (! $post->hide_user_id || $post->hide_user_id == $actor->id)) { if ($post->user_id == $actor->id && (! $post->hide_time || $post->hide_user_id == $actor->id)) {
$allowEditing = $settings->get('allow_post_editing'); $allowEditing = $settings->get('allow_post_editing');
if ($allowEditing === '-1' || if ($allowEditing === '-1' ||
@ -80,8 +80,8 @@ class PostsServiceProvider extends ServiceProvider
if (! $event->discussion->can($user, 'editPosts')) { if (! $event->discussion->can($user, 'editPosts')) {
$event->query->where(function ($query) use ($user) { $event->query->where(function ($query) use ($user) {
$query->whereNull('hide_user_id') $query->whereNull('hide_time')
->orWhere('hide_user_id', $user->id); ->orWhere('user_id', $user->id);
}); });
} }
}); });
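Review bot: The rule that a hidden post stays visible to its author and to anyone who may edit posts is now written three times (the `view` check, the `edit` check and the query scope) with nothing tying them together, so a later change to one can leave hidden posts readable through another path. I would add a comment above the scope closure such as `// Must mirror the 'view' check above: a post is hidden when hide_time is set; hide_user_id may be null.` The `edit` branch still compares `hide_user_id` with the actor, which looks intended (an author cannot edit a post someone else hid), but that too deserves a one-line comment. All three enclosing closures start outside the hunks shown.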


@ -0,0 +1,40 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Events;
use Flarum\Core\Users\User;
use Illuminate\Database\Eloquent\Builder;
/**
* The `ScopeEmptyDiscussionVisibility` event
*/
class ScopeEmptyDiscussionVisibility
{
/**
* @var Builder
*/
public $query;
/**
* @var User
*/
public $actor;
/**
* @param Builder $query
* @param User $actor
*/
public function __construct(Builder $query, User $actor)
{
$this->query = $query;
$this->actor = $actor;
}
}
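Review bot: The class docblock gives only the event's name, but listeners receive the nested query that already holds `comments_count > 0 OR start_user_id = ?`, so every `orWhere` a listener adds widens who can see empty discussions, and a plain `where` binds to the preceding OR term by SQL precedence rather than narrowing the whole group. The docblock should state when the event is fired, that `$query` is this inner OR group, and that listeners are expected to add only conditions that deliberately grant visibility. The `@var` comments on `$query` and `$actor` could each carry a one-line description as well.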