I would like to allow regular users to trigger certain events (create annotation, likes, votes) on a given topic whereby the topic timestamp is updated.
I noticed that the POST /t/:topic_id/change-timestamp request returns a 403 (Forbidden) whereas if I am logged in as admin it works just fine.
What should I do in order to allow the timestamp of a topic to be updated by non-admin folks?
That is ultra admin functionality. I am not sure I even want a site setting for “min trust level to muck with timestamps”.
I guess the best I can think of is to make sure that there is a discrete function in guardian and monkey patch that in a plugin. Then add tests to your plugin to ensure nothing regresses long term.
I’m a hardcore developer making my own plugin using Ruby, JavaScript and Ember. So feel free to hit me as hard as you want with low-level details, I can handle it.
I’m monkey patching the Guardian class in Babble here:
    class ::Guardian
      module CanSeeTopic
        def can_see_topic?(topic)
          super || some_other_condition
        end
      end
      prepend CanSeeTopic
    end
Module#prepend is a little opaque, but in short it allows you to invoke the ‘original’ function of the class with super. Then you can add additional checks to the function to suit your needs.
If you don’t care about what the original functionality is, you can also simply wipe the original implementation like so:
    class ::Guardian
      def can_see_topic?(topic)
        false # no topics for anyone! 😈
      end
    end
Note that this is a little bit riskier because the original implementation may change without you knowing it.
You’ll have to patch together the existing methods somehow so that either it uses another permission that you define, or the existing permission is smart enough to know when it’s changing a timestamp and when it’s doing other stuff.
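The prepend approach from the thread, applied to a timestamp permission, as an added example that is not code from any post above and not Discourse or Babble code. The `Guardian` here is a small stand-in so the block runs without Discourse, and `can_change_timestamp?`, `can_delete_topic?`, `allow_activity_bump` and `MIN_TRUST_LEVEL` are hypothetical names; the point is that the extra condition is narrow, fails closed, and leaves other admin-only checks untouched.

```ruby
# Stand-in for Discourse's Guardian so the example runs on its own.
# All names here (User, Topic, can_change_timestamp?, allow_activity_bump)
# are hypothetical and chosen for illustration.
User  = Struct.new(:id, :admin, :trust_level, keyword_init: true)
Topic = Struct.new(:id, :closed, :allow_activity_bump, keyword_init: true)

class Guardian
  def initialize(user = nil)
    @user = user
  end

  def is_admin?
    !@user.nil? && @user.admin
  end

  # Original rule: admins only.
  def can_change_timestamp?(topic)
    is_admin?
  end

  # Unrelated admin-only permission; the patch must not widen it.
  def can_delete_topic?(topic)
    is_admin?
  end
end

# Plugin-side patch: keep the original decision via super and add one
# narrow extra condition that denies whenever anything is missing.
module ActivityBumpGuardian
  MIN_TRUST_LEVEL = 1

  def can_change_timestamp?(topic)
    super || activity_bump_allowed?(topic)
  end

  private

  def activity_bump_allowed?(topic)
    return false if @user.nil? || topic.nil?       # anonymous or no topic: deny
    return false if topic.closed                   # closed topics stay frozen
    return false unless topic.allow_activity_bump  # opt-in per topic
    @user.trust_level.to_i >= MIN_TRUST_LEVEL
  end
end

Guardian.prepend(ActivityBumpGuardian)
```

The checks that belong in the plugin's test suite are the denials: anonymous users, low trust levels, closed or non-opted-in topics, and every other permission that was admin-only before the patch.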