Add viewUserList permission (#1190)

framework/core/js/admin/dist/app.js

@@ -20294,6 +20294,13 @@ System.register('flarum/components/PermissionGrid', ['flarum/Component', 'flarum
               allowGuest: true
             }, 100);
 
+            items.add('viewUserList', {
+              icon: 'users',
+              label: app.translator.trans('core.admin.permissions.view_user_list_label'),
+              permission: 'viewUserList',
+              allowGuest: true
+            }, 100);
+
             items.add('signUp', {
               icon: 'user-plus',
               label: app.translator.trans('core.admin.permissions.sign_up_label'),

framework/core/js/admin/src/components/PermissionGrid.js

@@ -91,6 +91,13 @@ export default class PermissionGrid extends Component {
       allowGuest: true
     }, 100);
 
+    items.add('viewUserList', {
+      icon: 'users',
+      label: app.translator.trans('core.admin.permissions.view_user_list_label'),
+      permission: 'viewUserList',
+      allowGuest: true
+    }, 100);
+
     items.add('signUp', {
       icon: 'user-plus',
       label: app.translator.trans('core.admin.permissions.sign_up_label'),

framework/core/src/Api/Controller/ListUsersController.php

@@ -12,6 +12,7 @@
 namespace Flarum\Api\Controller;
 
 use Flarum\Api\UrlGenerator;
+use Flarum\Core\Exception\PermissionDeniedException;
 use Flarum\Core\Search\SearchCriteria;
 use Flarum\Core\Search\User\UserSearcher;
 use Psr\Http\Message\ServerRequestInterface;
@@ -66,6 +67,11 @@ class ListUsersController extends AbstractCollectionController
     protected function data(ServerRequestInterface $request, Document $document)
     {
         $actor = $request->getAttribute('actor');
+
+        if ($actor->cannot('viewUserList')) {
+            throw new PermissionDeniedException;
+        }
+
         $query = array_get($this->extractFilter($request), 'q');
         $sort = $this->extractSort($request);
 

framework/core/src/Api/Serializer/ForumSerializer.php

@@ -80,7 +80,8 @@ class ForumSerializer extends AbstractSerializer
             'allowSignUp' => (bool) $this->settings->get('allow_sign_up'),
             'defaultRoute'  => $this->settings->get('default_route'),
             'canViewDiscussions' => $this->actor->can('viewDiscussions'),
-            'canStartDiscussion' => $this->actor->can('startDiscussion')
+            'canStartDiscussion' => $this->actor->can('startDiscussion'),
+            'canViewUserList' => $this->actor->can('viewUserList')
         ];
 
         if ($this->actor->can('administrate')) {

framework/core/src/Install/Console/InstallCommand.php

@@ -291,9 +291,10 @@ class InstallCommand extends AbstractCommand
             // Guests can view the forum
             [Group::GUEST_ID, 'viewDiscussions'],
 
-            // Members can create and reply to discussions
+            // Members can create and reply to discussions, and view the user list
             [Group::MEMBER_ID, 'startDiscussion'],
             [Group::MEMBER_ID, 'discussion.reply'],
+            [Group::MEMBER_ID, 'viewUserList'],
 
             // Moderators can edit + delete stuff
             [static::MOD_GROUP_ID, 'discussion.delete'],