Admin who created site has trust level 0?

It wouldn’t bother me too much either, but in the past week I’ve had a pair of user reports and whiled away some hours myself trying to figure out why only my admin account was having trouble.

As a plugin author, it’s very easy to write something like this:

# who should be able to receive chat messages?
User.where('trust_level > ?', SiteSetting.min_trust_to_send_personal_messages)

or as a badge query writer:

# who should get the 'Lurker' badge?
User.where('trust_level < 2').where('created_at > ?', 2.months.ago)

or, as an absent-minded admin:

# Crap, I was flooded with spammers on my new forum, I should get rid of them
User.where(trust_level: 0).update(deleted_at: 0.days.ago)

when those actually need to read

User.where('trust_level < ? AND NOT admin', 2)

each time because of an odd (but very important!) corner case.

I’d also argue that there’s probably some unexpected behaviour buried in the core app because of this. For example, a couple minutes of sniffing around led me to believe that anonymous users would be restricted from seeing the admin’s user fields because of her low trust level:

# user_guardian.rb
def restrict_user_fields?(user)
  user.trust_level == TrustLevel[0] && anonymous?
end

whereas a ‘regular’ admin would have her fields visible.

Or, another example, until you naturally reach tl3, your flags don’t count when determining whether to auto-silence a person:

# auto_silence.rb
def num_tl3_flags_against_user
  PostAction.joins(:user).where('users.trust_level >= ?', 3).count
end

Or that the site admin will have links from their bio excerpt stripped until they hit TL1:

# user_profile.rb
def bio_excerpt(length = 350, opts = {})
  ...
  return excerpt if user.has_trust_level?(TrustLevel[1]) && !user.suspended?
  PrettyText.strip_links(excerpt)
end

Not that these are show-stopper or even common occurrences (it’s not that hard to get to TL2 when you’re the admin), but I think it does introduce potential behaviour that’s unexpected, that conceptually the site-created admin should be granted all the trust in the world (they’re the boss!), that there’s likely more examples in core (and perhaps in other plugins) of this kind of discrepancy, and that it’s likely a simple change in the wizard to fix.

7 Likes
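
An added example, not part of the original post and not Discourse code: a small audit that lists which trust-level checks of the kind quoted above give a different answer for an admin whose stored trust level is still 0. The `User` struct, the sample accounts, the `CHECKS` table and the `effective_trust_level` helper are constructed for illustration; treating an admin as trust level 4 is this example's assumption.

```ruby
# Constructed stand-in for the user model; only the fields the checks need.
User = Struct.new(:username, :trust_level, :admin, keyword_init: true)

MAX_TRUST = 4 # highest trust level

# Constructed sample data: the site creator is an admin still at trust level 0.
USERS = [
  User.new(username: "founder",  trust_level: 0, admin: true),
  User.new(username: "spammer1", trust_level: 0, admin: false),
  User.new(username: "newbie",   trust_level: 1, admin: false),
  User.new(username: "regular",  trust_level: 3, admin: false),
].freeze

# Hypothetical helper: an admin counts as fully trusted whatever the column says.
def effective_trust_level(user)
  user.admin ? MAX_TRUST : user.trust_level
end

# Trust-level predicates modelled on the snippets in the post.
CHECKS = {
  "selected by trust_level == 0 (spam cleanup, restricted fields)" => ->(tl) { tl == 0 },
  "flags count toward auto-silence (trust_level >= 3)"             => ->(tl) { tl >= 3 },
  "bio excerpt keeps its links (trust_level >= 1)"                 => ->(tl) { tl >= 1 },
}.freeze

# For each check, list the users whose result changes once admin status
# is taken into account. An empty hash means no raw check misjudges an admin.
def discrepancies(users, checks = CHECKS)
  checks.each_with_object({}) do |(name, predicate), report|
    affected = users.select do |u|
      predicate.call(u.trust_level) != predicate.call(effective_trust_level(u))
    end
    report[name] = affected.map(&:username) unless affected.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  discrepancies(USERS).each do |check, names|
    puts "#{check}: differs for #{names.join(', ')}"
  end
end
```
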