From 6b1d73ddae7091c149e140232120072ca0664b6d Mon Sep 17 00:00:00 2001
From: evazion <noizave@gmail.com>
Date: Fri, 3 Apr 2020 21:59:28 -0500
Subject: [PATCH] user name changes: fix permission inconsistencies.

* Let moderators see name changes for deleted users on the user name
  change requests index and show pages. Before they could see name changes
  for deleted users on user profiles, but not on the user name changes index.

* Let members see previous names on profile pages. Before they could see
  previous names on the user name changes index, but not on profile pages
  (ref: #4382).
---
 app/models/user_name_change_request.rb         |  2 +-
 .../user_name_change_request_policy.rb         |  2 +-
 app/presenters/user_presenter.rb               |  6 ------
 app/views/users/_statistics.html.erb           | 18 +++++++++++++-----
 4 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/app/models/user_name_change_request.rb b/app/models/user_name_change_request.rb
index 8db511e03..e80adcc82 100644
--- a/app/models/user_name_change_request.rb
+++ b/app/models/user_name_change_request.rb
@@ -9,7 +9,7 @@ class UserNameChangeRequest < ApplicationRecord
   after_create :update_name!
 
   def self.visible(user)
-    if user.is_admin?
+    if user.is_moderator?
       all
     elsif user.is_member?
       where(user: User.undeleted)
diff --git a/app/policies/user_name_change_request_policy.rb b/app/policies/user_name_change_request_policy.rb
index a7f38a9cf..53d223578 100644
--- a/app/policies/user_name_change_request_policy.rb
+++ b/app/policies/user_name_change_request_policy.rb
@@ -4,7 +4,7 @@ class UserNameChangeRequestPolicy < ApplicationPolicy
   end
 
   def show?
-    user.is_admin? || (user.is_member? && !record.user.is_deleted?) || (record.user == user)
+    user.is_moderator? || (user.is_member? && !record.user.is_deleted?) || (record.user == user)
   end
 
   def permitted_attributes
diff --git a/app/presenters/user_presenter.rb b/app/presenters/user_presenter.rb
index 02101ceba..650aa5287 100644
--- a/app/presenters/user_presenter.rb
+++ b/app/presenters/user_presenter.rb
@@ -146,10 +146,4 @@ class UserPresenter
       []
     end
   end
-
-  def previous_names(template)
-    user.user_name_change_requests.visible(CurrentUser.user).map do |req|
-      template.link_to req.original_name, req
-    end.join(", ").html_safe
-  end
 end
diff --git a/app/views/users/_statistics.html.erb b/app/views/users/_statistics.html.erb
index 563e5a57c..272d5ec4e 100644
--- a/app/views/users/_statistics.html.erb
+++ b/app/views/users/_statistics.html.erb
@@ -191,11 +191,19 @@
         <td><%= presenter.feedbacks(self) %></td>
       </tr>
       
-      <% if CurrentUser.is_moderator? && presenter.previous_names(self).present? %>
-        <tr>
-          <th>Previous Names</th>
-          <td><%= presenter.previous_names(self) %></td>
-        </tr>
+      <% if policy(UserNameChangeRequest.new(user: user)).show? %>
+        <% user.user_name_change_requests.visible(CurrentUser.user).tap do |changes| %>
+          <% if changes.present? %>
+            <tr>
+              <th>Previous Names</th>
+              <td>
+                <%= changes.map do |change| %>
+                  <% link_to change.original_name, change %>
+                <% end.join(", ").html_safe %>
+              </td>
+            </tr>
+          <% end %>
+        <% end %>
       <% end %>
 
       <% if CurrentUser.id == user.id %>