https://github.com/discourse/discourse/blob/master/app/controllers/application_controller.rb#L631
The above code is called on all page requests to Discourse. The problem arises that guardian is a lazy-loaded memoized variable which at this point during login in the call is just a representation of an Anonymous user, because the user login has not yet been attempted and thus failed or succeeded. When the success login response is rendered, the memoized variable for guardian is still used and thus returns policies based on an anonymous user and not the policies for the user we just logged in as.
The result of a login serialises the current user to JSON and conditionally adds fields based on the policies returned by guardian. One of the policies is can_edit, of which an anonymous user cannot edit the current user's record; however, the actual user logged in should be able to edit their own user account, and if the guardian variable is replaced with an instance of the currently logged in user then the JSON returns can_edit to be true as it should.
I am more than happy to PR a fix, but there's a couple of ways to fix this, and I wanted to know if there was a deeper, less hacky way to fix this deeper in the depths of Discourse, short of just adding @guardian = nil to def log_in.
Current workaround is to set the environment variable DISCOURSE_LOAD_MINI_PROFILER=false
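
The behaviour described in the post above, as an added Ruby illustration that is not Discourse's code and not the poster's. `User`, `SessionController`, `per_request_hook`, `login_response` and `reset_on_login` are hypothetical names; only `guardian`, `log_in`, `can_edit` and `@guardian = nil` come from the post.

```ruby
# Simplified model of the stale-memoization problem (constructed; not Discourse source).
User = Struct.new(:id, :username)

class Guardian
  def initialize(user = nil)
    @user = user # nil represents an anonymous visitor
  end

  # A user may edit only their own record; an anonymous visitor may edit nothing.
  def can_edit?(target)
    !@user.nil? && @user.id == target.id
  end
end

class SessionController
  attr_reader :current_user

  def initialize(reset_on_login:)
    @reset_on_login = reset_on_login
  end

  # Lazy-loaded and memoized: built from whoever current_user is on the first call.
  def guardian
    @guardian ||= Guardian.new(current_user)
  end

  # Hypothetical stand-in for code that runs on every request and consults
  # guardian before the login attempt has been processed.
  def per_request_hook
    guardian
  end

  def log_in(user)
    @current_user = user
    @guardian = nil if @reset_on_login # the reset proposed in the post
  end

  # Serialises the logged-in user, adding can_edit from guardian's policy.
  def login_response(user)
    per_request_hook
    log_in(user)
    { id: user.id, username: user.username, can_edit: guardian.can_edit?(user) }
  end
end

alice = User.new(1, "alice") # constructed sample user
stale = SessionController.new(reset_on_login: false).login_response(alice)
fixed = SessionController.new(reset_on_login: true).login_response(alice)
puts "stale guardian: #{stale[:can_edit]}, reset guardian: #{fixed[:can_edit]}"
```

A regression test for this class of bug asserts on the login response itself, since the stale policy object only shows up in the request that performs the login.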