Change topic timestamp results in 403 (Forbidden)

kgish · November 1, 2016, 5:00pm

I would like to allow regular users to trigger certain events (create annotation, likes, votes) on a given topic whereby the topic timestamp is updated.

I noticed that the POST /t/:topic_id/change-timestamp request returns a 403 (Forbidden) whereas if I am logged in as admin it works just fine.

What should I do in order to allow the timestamp of a topic to be updated by non-admin folks?

sam · November 2, 2016, 3:37am

That is ultra admin functionality. I am not sure I even want a site setting for “min trust level to muck with timestamps”

I guess best I can thing of is to make sure that there is a discrete function in guardian and monkey patch that in a plugin. Then add tests to your plugin to ensure nothing regresses long term.

kgish · November 2, 2016, 3:20pm

Please explain in more detail how to monkey patch the guardian functionality.

sam · November 3, 2016, 11:40am

Not sure where to start, are you a developer? How is your Ruby? Can you write Discourse plugins?

kgish · November 3, 2016, 11:29pm

I’m a hardcore developer making my own plugin using ruby, javascript and ember. So feel free to hit me as hard as you want with low-level details, I can handle it.

gdpelican · November 4, 2016, 12:39am

I’m monkey patching the Guardian class in Babble here:

class ::Guardian
  module CanSeeTopic
    def can_see_topic?(topic)
      super || some_other_condition
    end
  end
  prepend CanSeeTopic
end

Module#prepend is a little opaque, but in short it allows you to invoke the ‘original’ function of the class with super. Then you can add additional checks to the function to suit your needs.

If you don’t care about what the original functionality is, you can also simply wipe the original implementation like so:

class ::Guardian
  def can_see_topic?(topic)
    false # no topics for anyone! 😈 
  end
end

Note that this is a little bit riskier because the original implementation may change without you knowing it.

kgish · November 6, 2016, 2:25pm

Okay thanks, this is more clear now. However, I cannot find a comparable guardian method for can_change_timestamp so how do I implement that?

gdpelican · November 6, 2016, 3:06pm

Looks like it uses the can_change_post_owner? permission.

kgish · November 6, 2016, 6:14pm

So how then would I implement this ONLY when changing the timestamp and NOT otherwise?

gdpelican · November 6, 2016, 6:19pm

Sorry, I’ve hit the limit of my free tier ¯\(ツ)/¯

You’ll have to patch together the existing methods somehow so it either uses another permission that you define, or that the existing permission is smart enough to know when it’s changing a timestamp and when it’s doing other stuff.

kgish · November 6, 2016, 8:24pm

No problem, see pull request #4538

Thanks for using up your free tier helping me, hopefully now I can give back in thanks to the community.

Topic		Replies	Views
How to customize / override topic guardian through a plugin Dev	4	740	February 15, 2021
Update topic after editing time limit has passed Dev	9	1108	April 14, 2022
Allow moderators to change topic timestamp Feature	3	1049	February 23, 2019
Change Timestamp only for admin? Bug	5	1246	March 15, 2017
Guardian before and after checks api Dev	4	229	July 29, 2024

Change topic timestamp results in 403 (Forbidden)

Related Topics