Revert "Simplify discussion/tag permission logic"

This reverts commit 01e776e2bec2a0d9b112ca7979a1945ec553a346.

Turns out that there was a good reason for the original logic... the case of per-tag moderators.

extensions/tags/src/Access/DiscussionPolicy.php

@@ -57,13 +57,30 @@ class DiscussionPolicy extends AbstractPolicy
      * @param Discussion $discussion
      * @return bool
      */
-    public function after(User $actor, $ability, Discussion $discussion)
+    public function before(User $actor, $ability, Discussion $discussion)
     {
         // Wrap all discussion permission checks with some logic pertaining to
-        // the discussion's tags. If the discussion has any tags that are
+        // the discussion's tags. If the discussion has a tag that has been
-        // restricted, then the user *must* have permission for all of them.
+        // restricted, and the user has this permission for that tag, then they
-        foreach ($discussion->tags as $tag) {
+        // are allowed. If the discussion only has tags that have been
-            if ($tag->is_restricted && ! $actor->hasPermission('tag' . $tag->id . '.discussion.' . $ability)) {
+        // restricted, then the user *must* have permission for at least one of
+        // them.
+        $tags = $discussion->tags;
+
+        if (count($tags)) {
+            $restricted = true;
+
+            foreach ($tags as $tag) {
+                if ($tag->is_restricted) {
+                    if ($actor->hasPermission('tag'.$tag->id.'.discussion.'.$ability)) {
+                        return true;
+                    }
+                } else {
+                    $restricted = false;
+                }
+            }
+
+            if ($restricted) {
                 return false;
             }
         }