Guardian before and after checks api

angus · May 8, 2024, 11:53am

Something I’ve come across a few times when building plugins is the need to modify the outcome of Guardian can_* checks. I’ve come across it again in the ActivityPub Plugin:

github.com

discourse/discourse-activity-pub/blob/main/extensions/discourse_activity_pub_guardian_extension.rb

# frozen_string_literal: true

# TODO (future): PR discourse/discourse to add plugin api for guardian changes.
# TODO (future): PR discourse/discourse to add a proper guardian condition for changing post owners.

module DiscourseActivityPubGuardianExtension
  def can_edit_post?(post)
    return false if post.activity_pub_remote?
    super
  end

  def can_change_post_owner?
    return false if activity_pub_enabled_topic?
    super
  end

  def activity_pub_enabled_topic?
    return false unless DiscourseActivityPub.enabled && request&.params&.[]("topic_id")
    topic = Topic.find_by(id: request.params["topic_id"].to_i)
    topic&.activity_pub_enabled

This file has been truncated. show original

I’ve just raised a draft PR that adds a new server-side plugin api method that allows you to register before and after checks to guardian can_* methods, affording the ability to change the outcome of the method. For example

add_guardian_check(:before, :edit_post) do |guardian, result, post|
  !post.activity_pub_remote?
end

github.com/discourse/discourse

Add before and after guardian checks

discourse:main ← angusmcleod:add_plugin_api_to_guardian

opened 11:46AM - 08 May 24 UTC

angusmcleod

+92 -0

Adds a system to allow plugins to more easily modify guardian `can_` method outc…omes. ### Example Currently the only way to modify guardian `can_` method outcomes is via module pre-pension, for example: ``` module DiscourseActivityPubGuardianExtension def can_edit_post?(post) return false if post.activity_pub_remote? super end def can_change_post_owner? return false if activity_pub_enabled_topic? super end def activity_pub_enabled_topic? return false unless DiscourseActivityPub.enabled && request&.params&.[]("topic_id") topic = Topic.find_by(id: request.params["topic_id"].to_i) topic&.activity_pub_enabled end end ... Guardian.prepend DiscourseActivityPubGuardianExtension ``` [See further](https://github.com/discourse/discourse-activity-pub/blob/main/extensions/discourse_activity_pub_guardian_extension.rb) This change would mean the above could be done via the plugin api like so: ``` add_guardian_check(:before, :edit_post) do |guardian, result, post| !post.activity_pub_remote? end add_guardian_check(:before, :change_post_owner) do |guardian| return true unless DiscourseActivityPub.enabled && guardian.request&.params&.[]("topic_id") topic = Topic.find_by(id: guardian.request.params["topic_id"].to_i) !topic&.activity_pub_enabled end ```

Curious to get feedback on both the approach and the execution before publishing it for review.

Topic		Replies	Views
Change topic timestamp results in 403 (Forbidden) dev	10	1218	November 6, 2016
Discourse-chat (even disabled) leads to error 500 when rebaking posts bug chat	5	740	March 14, 2022
How to customize / override topic guardian through a plugin dev	4	701	February 15, 2021
Is there a way to modify Discourse endpoints through plugin? dev	3	600	January 8, 2019
Adding a call-to-action for donations with our Patreon plugin feature	8	2002	October 11, 2019

Guardian before and after checks api

Related Topics