This repository was archived by the owner on Jul 22, 2025. It is now read-only.
FIX: Don't allow TL4 users to unconditionally accept solutions #305
A while ago the `accept_all_solutions_allowed_groups` setting was introduced to replace the `accept_all_solutions_trust_level` setting and to make the plugin more flexible by allowing admins to choose groups that are allowed to accept solutions instead of trust levels.

The new group-based setting includes the TL4 group by default. However, removing the TL4 group from the setting doesn't actually remove TL4 users' permission to accept solutions.

The reason for this bug is that the `can_accept_answer?` guardian method calls `can_perform_action_available_to_group_moderators?`, which always allows TL4 users to perform category moderator actions:

https://github.com/discourse/discourse/blob/56524f4bdf9d45eddf7967ccead169ec6dd6cbb8/lib/guardian/topic_guardian.rb#L342-L348

This PR fixes the bug by checking if the user is a moderator on the topic's category (by calling the `is_category_group_moderator?` guardian method) instead of checking if the user can perform category moderator actions. In our case, `is_category_group_moderator?` is equivalent to `can_perform_action_available_to_group_moderators?` except for the TL4 check, which is what we need.

Internal topic: t/134675.
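The authorization flaw described above, as a simplified Ruby model that compares the decision before and after the change (an added example, not code from the plugin or from Discourse core). The Struct types, the group names and the `_before`/`_after` method suffixes are constructed for illustration, and the model leaves out every other condition the real guardian method may check.

```ruby
# Simplified model of the check described in this PR. Not plugin or core source:
# the Structs, group names and _before/_after suffixes are constructed.
User     = Struct.new(:trust_level, :groups)
Category = Struct.new(:moderating_groups)
Topic    = Struct.new(:category)

class Guardian
  # allowed_groups stands in for accept_all_solutions_allowed_groups
  def initialize(user, allowed_groups)
    @user = user
    @allowed_groups = allowed_groups
  end

  def is_category_group_moderator?(category)
    (@user.groups & category.moderating_groups).any?
  end

  # Per the PR text: TL4 users always pass, whatever the plugin setting says.
  def can_perform_action_available_to_group_moderators?(topic)
    return true if @user.trust_level >= 4
    is_category_group_moderator?(topic.category)
  end

  def in_allowed_group?
    (@user.groups & @allowed_groups).any?
  end

  # Before the fix: the TL4 shortcut leaks in through the core helper.
  def can_accept_answer_before?(topic)
    in_allowed_group? || can_perform_action_available_to_group_moderators?(topic)
  end

  # After the fix: only real category group moderators pass the second check.
  def can_accept_answer_after?(topic)
    in_allowed_group? || is_category_group_moderator?(topic.category)
  end
end

# Returns [before, after] for one user under one value of the setting.
def decisions(user, allowed_groups, topic)
  g = Guardian.new(user, allowed_groups)
  [g.can_accept_answer_before?(topic), g.can_accept_answer_after?(topic)]
end

TOPIC   = Topic.new(Category.new(["support_mods"]))  # constructed sample data
TL4     = User.new(4, ["trust_level_4"])
CAT_MOD = User.new(2, ["support_mods"])

p decisions(TL4, ["solvers"], TOPIC)  # admin removed TL4 from the setting
```

The case worth keeping as a regression test is the TL4 user with the TL4 group removed from the setting: that is the only row where the two versions disagree.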