FEATURE - Moderators can create and manage groups (#10432)

Enabling the moderators_manage_categories_and_groups site setting will allow moderator users to create/manage groups. * show New Group form to moderators * Allow moderators to update groups and read logs, where appropriate * Rename site setting from create -> manage * improved tests * Migration should rename old log entries * Log group changes, even if those changes mean you can no longer see the group * Slight reshuffle * RouteTo /g if they no longer have permissions to view group
2025-05-22 22:43:33 +08:00 · 2020-08-19 10:41:40 -04:00
parent 3640c00b03
commit aa1fc01307
29 changed files with 241 additions and 32 deletions
--- a/app/assets/javascripts/discourse/app/components/group-manage-save-button.js
+++ b/app/assets/javascripts/discourse/app/components/group-manage-save-button.js
@ -3,6 +3,7 @@ import discourseComputed from "discourse-common/utils/decorators";
 import Component from "@ember/component";
 import { popupAjaxError } from "discourse/lib/ajax-error";
 import { popupAutomaticMembershipAlert } from "discourse/controllers/groups-new";
 import DiscourseURL from "discourse/lib/url";
 export default Component.extend({
  saving: null,
@ -24,7 +25,11 @@ export default Component.extend({
      return group
        .save()
-        .then(() => {
+        .then(data => {
          if (data.route_to) {
            DiscourseURL.routeTo(data.route_to);
          }
          this.set("saved", true);
        })
        .catch(popupAjaxError)
--- a/app/assets/javascripts/discourse/app/components/groups-form-interaction-fields.js
+++ b/app/assets/javascripts/discourse/app/components/groups-form-interaction-fields.js
@ -70,5 +70,14 @@ export default Component.extend({
  )
  showEmailSettings(emailIn, automatic, isAdmin) {
    return emailIn && isAdmin && !automatic;
  },
  @discourseComputed(
    "model.isCreated",
    "model.can_admin_group",
    "currentUser.can_create_group"
  )
  canAdminGroup(isCreated, canAdmin, canCreate) {
    return (!isCreated && canCreate) || (isCreated && canAdmin);
  }
 });
--- a/app/assets/javascripts/discourse/app/controllers/group.js
+++ b/app/assets/javascripts/discourse/app/controllers/group.js
@ -128,7 +128,7 @@ export default Controller.extend({
    return (
      this.currentUser &&
      (this.currentUser.canManageGroup(model) ||
-        (this.currentUser.admin && automatic))
+        (model.can_admin_group && automatic))
    );
  },
--- a/app/assets/javascripts/discourse/app/models/user.js
+++ b/app/assets/javascripts/discourse/app/models/user.js
@ -833,7 +833,7 @@ const User = RestModel.extend({
  canManageGroup(group) {
    return group.get("automatic")
      ? false
-      : this.admin || group.get("is_group_owner");
+      : group.get("can_admin_group") || group.get("is_group_owner");
  },
  @discourseComputed("groups.@each.title", "badges.[]")
--- a/app/assets/javascripts/discourse/app/routes/group-manage.js
+++ b/app/assets/javascripts/discourse/app/routes/group-manage.js
@ -15,7 +15,7 @@ export default DiscourseRoute.extend({
  afterModel(group) {
    if (
      !this.currentUser ||
-      (!(this.currentUser.admin && group.get("automatic")) &&
+      (!(this.modelFor("group").can_admin_group && group.get("automatic")) &&
        !this.currentUser.canManageGroup(group))
    ) {
      this.transitionTo("group.members", group);
--- a/app/assets/javascripts/discourse/app/routes/groups-new.js
+++ b/app/assets/javascripts/discourse/app/routes/groups-new.js
@ -18,7 +18,7 @@ export default DiscourseRoute.extend({
  },
  afterModel() {
-    if (!(this.currentUser && this.currentUser.admin)) {
+    if (!this.get("currentUser.can_create_group")) {
      this.transitionTo("groups");
    }
  }
--- a/app/assets/javascripts/discourse/app/templates/components/groups-form-interaction-fields.hbs
+++ b/app/assets/javascripts/discourse/app/templates/components/groups-form-interaction-fields.hbs
@ -1,4 +1,4 @@
-{{#if currentUser.admin}}
+{{#if canAdminGroup}}
  <div class="control-group">
    <label class="control-label">{{i18n "admin.groups.manage.interaction.visibility"}}</label>
    <label for="visiblity">{{i18n "admin.groups.manage.interaction.visibility_levels.title"}}</label>
@ -62,7 +62,7 @@
  }}
 </div>
-{{#if currentUser.admin}}
+{{#if canAdminGroup}}
  <div class="control-group">
    <label>
      {{input type="checkbox"
--- a/app/assets/javascripts/discourse/app/templates/components/groups-form-membership-fields.hbs
+++ b/app/assets/javascripts/discourse/app/templates/components/groups-form-membership-fields.hbs
@ -1,4 +1,4 @@
-{{#if currentUser.admin}}
+{{#if model.can_admin_group}}
  <div class="control-group">
    <label class="control-label">{{i18n "admin.groups.manage.membership.automatic"}}</label>
--- a/app/assets/javascripts/discourse/app/templates/components/groups-form-profile-fields.hbs
+++ b/app/assets/javascripts/discourse/app/templates/components/groups-form-profile-fields.hbs
@ -1,5 +1,5 @@
 {{#if canEdit}}
-  {{#if this.currentUser.admin}}
+  {{#if this.currentUser.can_create_group}}
    <div class="control-group">
      <label class="control-label" for="name">{{i18n "groups.name"}}</label>
@ -20,7 +20,7 @@
        value=model.full_name}}
  </div>
-  {{#if this.currentUser.admin}}
+  {{#if this.currentUser.can_create_group}}
    <div class="control-group">
      <label class="control-label" for="title">
        {{i18n "admin.groups.default_title"}}
--- a/app/assets/javascripts/discourse/app/templates/groups/index.hbs
+++ b/app/assets/javascripts/discourse/app/templates/groups/index.hbs
@ -1,6 +1,6 @@
 {{#d-section pageClass="groups"}}
  <div class="groups-header">
-    {{#if currentUser.admin}}
+    {{#if currentUser.can_create_group}}
      {{d-button
        action=(action "new")
        class="btn-default groups-header-new pull-right"
--- a/app/controllers/admin/groups_controller.rb
+++ b/app/controllers/admin/groups_controller.rb
@ -37,6 +37,8 @@ class Admin::GroupsController < Admin::AdminController
  end
  def create
    guardian.ensure_can_create_group!
    attributes = group_params.to_h.except(:owner_usernames, :usernames)
    group = Group.new(attributes)
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@ -140,11 +140,17 @@ class GroupsController < ApplicationController
  def update
    group = Group.find(params[:id])
-    guardian.ensure_can_edit!(group) unless current_user.admin
+    guardian.ensure_can_edit!(group) unless guardian.can_admin_group?(group)
    if group.update(group_params(automatic: group.automatic))
-      GroupActionLogger.new(current_user, group).log_change_group_settings
+      GroupActionLogger.new(current_user, group, skip_guardian: true).log_change_group_settings
      if guardian.can_see?(group)
        render json: success_json
      else
        # They can no longer see the group after changing permissions
        render json: { route_to: '/g' }
      end
    else
      render_json_error(group)
    end
@ -511,7 +517,7 @@ class GroupsController < ApplicationController
  def histories
    group = find_group(:group_id)
-    guardian.ensure_can_edit!(group) unless current_user.admin
+    guardian.ensure_can_edit!(group) unless guardian.can_admin_group?(group)
    page_size = 25
    offset = (params[:offset] && params[:offset].to_i) || 0
@ -582,7 +588,7 @@ class GroupsController < ApplicationController
          membership_request_template
        }
-        if current_user.admin
+        if current_user.staff?
          default_params.push(*[
            :incoming_email,
            :smtp_server,
--- a/app/serializers/basic_group_serializer.rb
+++ b/app/serializers/basic_group_serializer.rb
@ -31,6 +31,7 @@ class BasicGroupSerializer < ApplicationSerializer
             :is_group_owner,
             :members_visibility_level,
             :can_see_members,
             :can_admin_group,
             :publish_read_state
  def self.admin_attributes(*attrs)
@ -115,6 +116,14 @@ class BasicGroupSerializer < ApplicationSerializer
    owner_group_ids.present?
  end
  def can_admin_group
    scope.can_admin_group?(object)
  end
  def include_can_admin_group?
    scope.can_admin_group?(object)
  end
  def is_group_owner
    owner_group_ids.include?(object.id)
  end
--- a/app/serializers/current_user_serializer.rb
+++ b/app/serializers/current_user_serializer.rb
@ -38,6 +38,7 @@ class CurrentUserSerializer < BasicUserSerializer
             :seen_notification_id,
             :primary_group_id,
             :can_create_topic,
             :can_create_group,
             :link_posting_access,
             :external_id,
             :top_category_ids,
@ -62,6 +63,14 @@ class CurrentUserSerializer < BasicUserSerializer
    scope.can_create_topic?(nil)
  end
  def can_create_group
    scope.can_create_group?
  end
  def include_can_create_group?
    scope.can_create_group?
  end
  def read_faq
    object.user_stat.read_faq?
  end
--- a/app/services/group_action_logger.rb
+++ b/app/services/group_action_logger.rb
@ -2,9 +2,10 @@
 class GroupActionLogger
-  def initialize(acting_user, group)
+  def initialize(acting_user, group, opts = {})
    @acting_user = acting_user
    @group = group
    @opts = opts
  end
  def log_make_user_group_owner(target_user)
@ -44,7 +45,7 @@ class GroupActionLogger
  end
  def log_change_group_settings
-    can_edit?
+    @opts[:skip_guardian] || can_edit?
    @group.previous_changes.except(*excluded_attributes).each do |attribute_name, value|
      next if value[0].blank? && value[1].blank?
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -1547,7 +1547,7 @@ en:
    ga_universal_auto_link_domains: "Enable Google Universal Analytics (analytics.js) cross-domain tracking. Outgoing links to these domains will have the client id added to them. See <a href='https://support.google.com/analytics/answer/1034342?hl=en' target='_blank'>Google's Cross-Domain Tracking guide.</a>"
    gtm_container_id: "Google Tag Manager container id. eg: GTM-ABCDEF. <br/>Note: Third-party scripts loaded by GTM may need to be allowlisted in 'content security policy script src'."
    enable_escaped_fragments: "Fall back to Google's Ajax-Crawling API if no webcrawler is detected. See <a href='https://developers.google.com/webmasters/ajax-crawling/docs/learn-more' target='_blank'>https://developers.google.com/webmasters/ajax-crawling/docs/learn-more</a>"
-    moderators_create_categories: "Allow moderators to create new categories"
+    moderators_manage_categories_and_groups: "Allow moderators to manage categories and groups"
    cors_origins: "Allowed origins for cross-origin requests (CORS). Each origin must include http:// or https://. The DISCOURSE_ENABLE_CORS env variable must be set to true to enable CORS."
    use_admin_ip_allowlist: "Admins can only log in if they are at an IP address defined in the Screened IPs list (Admin > Logs > Screened Ips)."
    blocked_ip_blocks: "A list of private IP blocks that should never be crawled by Discourse"
--- a/config/routes.rb
+++ b/config/routes.rb
@ -92,7 +92,8 @@ Discourse::Application.routes.draw do
      get "reports/bulk" => "reports#bulk"
      get "reports/:type" => "reports#show"
-      resources :groups, constraints: AdminConstraint.new do
+      resources :groups, only: [:create]
      resources :groups, except: [:create], constraints: AdminConstraint.new do
        collection do
          get 'bulk'
          get 'bulk-complete' => 'groups#bulk'
@ -560,7 +561,7 @@ Discourse::Application.routes.draw do
        collection do
          get "check-name" => 'groups#check_name'
-          get 'custom/new' => 'groups#new', constraints: AdminConstraint.new
+          get 'custom/new' => 'groups#new', constraints: StaffConstraint.new
          get "search" => "groups#search"
        end
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -1452,7 +1452,7 @@ security:
    regex: "^(Lax|Strict|Disabled|None)$"
  enable_escaped_fragments: true
  allow_index_in_robots_txt: true
-  moderators_create_categories: false
+  moderators_manage_categories_and_groups: false
  moderators_view_emails:
    client: true
    default: false
--- a/db/migrate/20200810220841_rename_moderators_create_categories_setting.rb
+++ b/db/migrate/20200810220841_rename_moderators_create_categories_setting.rb
@ -0,0 +1,13 @@
 # frozen_string_literal: true
 class RenameModeratorsCreateCategoriesSetting < ActiveRecord::Migration[6.0]
  def up
    execute "UPDATE site_settings SET name = 'moderators_manage_categories_and_groups' WHERE name = 'moderators_create_categories'"
    execute "UPDATE user_histories SET subject = 'moderators_manage_categories_and_groups' WHERE subject = 'moderators_create_categories'"
  end
  def down
    execute "UPDATE site_settings SET name = 'moderators_create_categories' WHERE name = 'moderators_manage_categories_and_groups'"
    execute "UPDATE user_histories SET subject = 'moderators_create_categories' WHERE subject = 'moderators_manage_categories_and_groups'"
  end
 end
--- a/lib/guardian/category_guardian.rb
+++ b/lib/guardian/category_guardian.rb
@ -7,7 +7,7 @@ module CategoryGuardian
  def can_create_category?(parent = nil)
    is_admin? ||
    (
-      SiteSetting.moderators_create_categories &&
+      SiteSetting.moderators_manage_categories_and_groups &&
      is_moderator?
    )
  end
@ -16,7 +16,7 @@ module CategoryGuardian
  def can_edit_category?(category)
    is_admin? ||
    (
-      SiteSetting.moderators_create_categories &&
+      SiteSetting.moderators_manage_categories_and_groups &&
      is_moderator? &&
      can_see_category?(category)
    )
--- a/lib/guardian/group_guardian.rb
+++ b/lib/guardian/group_guardian.rb
@ -3,6 +3,15 @@
 #mixin for all guardian methods dealing with group permissions
 module GroupGuardian
  # Creating Method
  def can_create_group?
    is_admin? ||
    (
      SiteSetting.moderators_manage_categories_and_groups &&
      is_moderator?
    )
  end
  # Edit authority for groups means membership changes only.
  # Automatic groups are not represented in the GROUP_USERS
  # table and thus do not allow membership changes.
@ -11,7 +20,17 @@ module GroupGuardian
  end
  def can_log_group_changes?(group)
-    (is_admin? || group.users.where('group_users.owner').include?(user))
+    can_admin_group?(group) || group.users.where('group_users.owner').include?(user)
  end
  def can_admin_group?(group)
    is_admin? ||
    (
      SiteSetting.moderators_manage_categories_and_groups &&
      is_moderator? &&
      can_see?(group) &&
      group.id != Group::AUTO_GROUPS[:admins]
    )
  end
  def can_see_group_messages?(group)
--- a/lib/site_settings/deprecated_settings.rb
+++ b/lib/site_settings/deprecated_settings.rb
@ -9,7 +9,8 @@ module SiteSettings::DeprecatedSettings
    ['disable_edit_notifications', 'disable_system_edit_notifications', true, '2.4'],
    ['enable_category_group_review', 'enable_category_group_moderation', true, '2.7'],
    ['newuser_max_images', 'newuser_max_embedded_media', true, '2.7'],
-    ['min_trust_to_post_images', 'min_trust_to_post_embedded_media', true, '2.7']
+    ['min_trust_to_post_images', 'min_trust_to_post_embedded_media', true, '2.7'],
    ['moderators_create_categories', 'moderators_manage_categories_and_groups', '2.7']
  ]
  def setup_deprecated_methods
--- a/spec/requests/groups_controller_spec.rb
+++ b/spec/requests/groups_controller_spec.rb
@ -829,6 +829,99 @@ describe GroupsController do
      end
    end
    context "when user is a site moderator" do
      before do
        SiteSetting.moderators_manage_categories_and_groups = true
        sign_in(moderator)
      end
      it 'should not be able to update the group if the SiteSetting is false' do
        SiteSetting.moderators_manage_categories_and_groups = false
        put "/groups/#{group.id}.json", params: { group: { name: 'testing' } }
        expect(response.status).to eq(403)
      end
      it 'should not be able to update a group it cannot see' do
        group.update!(visibility_level: 2)
        put "/groups/#{group.id}.json", params: { group: { name: 'testing' } }
        expect(response.status).to eq(403)
      end
      it 'should be able to update the group' do
        put "/groups/#{group.id}.json", params: {
          group: {
            flair_color: 'BBB',
            name: 'testing',
            incoming_email: 'test@mail.org',
            primary_group: true,
            automatic_membership_email_domains: 'test.org',
            grant_trust_level: 2,
            visibility_level: 1,
            members_visibility_level: 3,
            tracking_category_ids: [category.id],
            tracking_tags: [tag.name]
          }
        }
        expect(response.status).to eq(200)
        group.reload
        expect(group.flair_color).to eq('BBB')
        expect(group.name).to eq('testing')
        expect(group.incoming_email).to eq("test@mail.org")
        expect(group.primary_group).to eq(true)
        expect(group.visibility_level).to eq(1)
        expect(group.members_visibility_level).to eq(3)
        expect(group.automatic_membership_email_domains).to eq('test.org')
        expect(group.grant_trust_level).to eq(2)
        expect(group.group_category_notification_defaults.first&.category).to eq(category)
        expect(group.group_tag_notification_defaults.first&.tag).to eq(tag)
        expect(Jobs::AutomaticGroupMembership.jobs.first["args"].first["group_id"])
          .to eq(group.id)
      end
      it "should be able to update an automatic group" do
        group = Group.find(Group::AUTO_GROUPS[:trust_level_4])
        group.update!(
          mentionable_level: 2,
          messageable_level: 2,
          default_notification_level: 2
        )
        put "/groups/#{group.id}.json", params: {
          group: {
            mentionable_level: 1,
            messageable_level: 1,
            default_notification_level: 1
          }
        }
        expect(response.status).to eq(200)
        group.reload
        expect(group.flair_color).to eq(nil)
        expect(group.name).to eq('trust_level_4')
        expect(group.mentionable_level).to eq(1)
        expect(group.messageable_level).to eq(1)
        expect(group.default_notification_level).to eq(1)
      end
      it 'triggers a extensibility event' do
        event = DiscourseEvent.track_events {
          put "/groups/#{group.id}.json", params: { group: { flair_color: 'BBB' } }
        }.last
        expect(event[:event_name]).to eq(:group_updated)
        expect(event[:params].first).to eq(group)
      end
    end
    context "when user is not a group owner or admin" do
      it 'should not be able to update the group' do
        sign_in(user)
--- a/test/javascripts/acceptance/group-manage-interaction-test.js
+++ b/test/javascripts/acceptance/group-manage-interaction-test.js
@ -8,7 +8,13 @@ acceptance("Managing Group Interaction Settings", {
 });
 QUnit.test("As an admin", async assert => {
-  await visit("/g/discourse/manage/interaction");
+  updateCurrentUser({
    moderator: false,
    admin: true,
    can_create_group: true
  });
  await visit("/g/alternative-group/manage/interaction");
  assert.equal(
    find(".groups-form-visibility-level").length,
@ -42,13 +48,18 @@ QUnit.test("As an admin", async assert => {
 });
 QUnit.test("As a group owner", async assert => {
-  updateCurrentUser({ moderator: false, admin: false });
+  updateCurrentUser({
    moderator: false,
    admin: false,
    can_create_group: false
  });
  await visit("/g/discourse/manage/interaction");
  assert.equal(
    find(".groups-form-visibility-level").length,
    0,
-    "it should display visibility level selector"
+    "it should not display visibility level selector"
  );
  assert.equal(
--- a/test/javascripts/acceptance/group-manage-membership-test.js
+++ b/test/javascripts/acceptance/group-manage-membership-test.js
@ -6,7 +6,9 @@ acceptance("Managing Group Membership", {
 });
 QUnit.test("As an admin", async assert => {
-  await visit("/g/discourse/manage/membership");
+  updateCurrentUser({ can_create_group: true });
  await visit("/g/alternative-group/manage/membership");
  assert.ok(
    find('label[for="automatic_membership"]').length === 1,
--- a/test/javascripts/acceptance/group-manage-profile-test.js
+++ b/test/javascripts/acceptance/group-manage-profile-test.js
@ -34,7 +34,11 @@ QUnit.test("As an admin", async assert => {
 });
 QUnit.test("As a group owner", async assert => {
-  updateCurrentUser({ moderator: false, admin: false });
+  updateCurrentUser({
    moderator: false,
    admin: false,
    can_create_group: false
  });
  await visit("/g/discourse/manage/profile");
--- a/test/javascripts/fixtures/group-fixtures.js
+++ b/test/javascripts/fixtures/group-fixtures.js
@ -1273,5 +1273,27 @@ export default {
          "/user_avatar/meta.discourse.org/codinghorror/{size}/5297.png"
      }
    }
-  ]
+  ],
  "/groups/alternative-group.json": {
    group: {
      id: 57,
      automatic: false,
      name: "alternative-group",
      full_name: "Moderatable Table",
      user_count: 8,
      alias_level: 99,
      visible: true,
      public_admission: true,
      public_exit: false,
      flair_url: "fa-adjust",
      is_group_owner: true,
      mentionable: true,
      messageable: true,
      can_see_members: true,
      can_admin_group: true,
    },
    extras: {
      visible_group_names: ["alternative-group"]
    }
  }
 };
--- a/test/javascripts/fixtures/session-fixtures.js
+++ b/test/javascripts/fixtures/session-fixtures.js
@ -14,6 +14,7 @@ export default {
      site_flagged_posts_count: 1,
      moderator: true,
      staff: true,
      can_create_group: true,
      title: "co-founder",
      reply_count: 859,
      topic_count: 36,
--- a/test/javascripts/models/user-test.js
+++ b/test/javascripts/models/user-test.js
@ -52,6 +52,7 @@ QUnit.test("canMangeGroup", assert => {
  );
  group.set("automatic", false);
  group.setProperties({ can_admin_group: true });
  assert.equal(
    user.canManageGroup(group),