Change topic timestamp results in 403 (Forbidden)


(Kgish) #1

I would like to allow regular users to trigger certain events (create annotation, likes, votes) on a given topic whereby the topic timestamp is updated.

I noticed that the POST /t/:topic_id/change-timestamp request returns a 403 (Forbidden) whereas if I am logged in as admin it works just fine.

What should I do in order to allow the timestamp of a topic to be updated by non-admin folks?


(Sam Saffron) #2

That is ultra admin functionality. I am not sure I even want a site setting for “min trust level to muck with timestamps”

I guess best I can thing of is to make sure that there is a discrete function in guardian and monkey patch that in a plugin. Then add tests to your plugin to ensure nothing regresses long term.


(Kgish) #3

Please explain in more detail how to monkey patch the guardian functionality.


(Sam Saffron) #4

Not sure where to start, are you a developer? How is your Ruby? Can you write Discourse plugins?


(Kgish) #5

I’m a hardcore developer making my own plugin using ruby, javascript and ember. So feel free to hit me as hard as you want with low-level details, I can handle it.


(James Kiesel) #6

I’m monkey patching the Guardian class in Babble here:

class ::Guardian
  module CanSeeTopic
    def can_see_topic?(topic)
      super || some_other_condition
    end
  end
  prepend CanSeeTopic
end

Module#prepend is a little opaque, but in short it allows you to invoke the ‘original’ function of the class with super. Then you can add additional checks to the function to suit your needs.

If you don’t care about what the original functionality is, you can also simply wipe the original implementation like so:

class ::Guardian
  def can_see_topic?(topic)
    false # no topics for anyone! 😈 
  end
end

Note that this is a little bit riskier because the original implementation may change without you knowing it.


(Kgish) #7

Okay thanks, this is more clear now. However, I cannot find a comparable guardian method for can_change_timestamp so how do I implement that?


(James Kiesel) #8

Looks like it uses the can_change_post_owner? permission.


(Kgish) #9

So how then would I implement this ONLY when changing the timestamp and NOT otherwise?


(James Kiesel) #10

Sorry, I’ve hit the limit of my free tier ¯\(ツ)

You’ll have to patch together the existing methods somehow so it either uses another permission that you define, or that the existing permission is smart enough to know when it’s changing a timestamp and when it’s doing other stuff.


(Kgish) #11

No problem, see pull request #4538

Thanks for using up your free tier helping me, hopefully now I can give back in thanks to the community.