user name changes: fix permission inconsistencies.

* Let moderators see name changes for deleted users on the user name change requests index and show pages. Before they could see name changes for deleted users on user profiles, but not on the user name changes index. * Let members see previous names on profile pages. Before they could see previous names on the user name changes index, but not on profile pages (ref: #4382).
2020-04-03 21:59:28 -05:00
parent 14c1dc2f0c
commit 6b1d73ddae
4 changed files with 15 additions and 13 deletions
--- a/app/models/user_name_change_request.rb
+++ b/app/models/user_name_change_request.rb
@@ -9,7 +9,7 @@ class UserNameChangeRequest < ApplicationRecord
  after_create :update_name!

  def self.visible(user)
-    if user.is_admin?
+    if user.is_moderator?
      all
    elsif user.is_member?
      where(user: User.undeleted)
--- a/app/policies/user_name_change_request_policy.rb
+++ b/app/policies/user_name_change_request_policy.rb
@@ -4,7 +4,7 @@ class UserNameChangeRequestPolicy < ApplicationPolicy
  end

  def show?
-    user.is_admin? || (user.is_member? && !record.user.is_deleted?) || (record.user == user)
+    user.is_moderator? || (user.is_member? && !record.user.is_deleted?) || (record.user == user)
  end

  def permitted_attributes
--- a/app/presenters/user_presenter.rb
+++ b/app/presenters/user_presenter.rb
@@ -146,10 +146,4 @@ class UserPresenter
      []
    end
  end
-
-  def previous_names(template)
-    user.user_name_change_requests.visible(CurrentUser.user).map do |req|
-      template.link_to req.original_name, req
-    end.join(", ").html_safe
-  end
 end
--- a/app/views/users/_statistics.html.erb
+++ b/app/views/users/_statistics.html.erb
@@ -191,11 +191,19 @@
        <td><%= presenter.feedbacks(self) %></td>
      </tr>
      
-      <% if CurrentUser.is_moderator? && presenter.previous_names(self).present? %>
-        <tr>
-          <th>Previous Names</th>
-          <td><%= presenter.previous_names(self) %></td>
-        </tr>
+      <% if policy(UserNameChangeRequest.new(user: user)).show? %>
+        <% user.user_name_change_requests.visible(CurrentUser.user).tap do |changes| %>
+          <% if changes.present? %>
+            <tr>
+              <th>Previous Names</th>
+              <td>
+                <%= changes.map do |change| %>
+                  <% link_to change.original_name, change %>
+                <% end.join(", ").html_safe %>
+              </td>
+            </tr>
+          <% end %>
+        <% end %>
      <% end %>

      <% if CurrentUser.id == user.id %>