Proper place to propose a permissions predicate?

mdoggydog · February 17, 2025, 4:07am

In the interest of proposing a solution for Restrict exposure of full name to certain groups, I would like to define a (server-side) permssions predicate that answers the question

Based on the current user-scope/context, is it ok to reveal (other) users’ full names?

(The scope could be set by a client request, or by some internal processing step, like generating digest email messages.)

What is the right construct for such a predicate? Where in the codebase should it live? I’m thinking that perhaps this belongs in a guardian — am I on the right track? Any opinions on which one?

I imagine this new predicate would subsume many (but not all) instances of SiteSettings.enable_names? currently in the codebase. (Hitting the Serializers that yield user.name plugs most of the data leaks, but not quite all of them.) A nice benefit of this is that it would introduce an extension point by which a future plugin could change the behavior (not currently possible, as far as I know, or I would just do that!). So, if I get this working, this would become a pull-request to the discourse core — and I would like to submit a PR that has a hope of getting accepted.

mdoggydog · February 21, 2025, 11:31pm

Here is what I have learned/deduced:

Guardian is indeed the thing that encapsulates “What is the user allowed to do?” (A Guardian instance has-a User instance, too.)
Thus, the proper place for a permissions predicate is simply as a method on Guardian (lib/guardian.rb).
- If the method is a “Can the user do Z to an Xxxx object?” then it probably belongs in one of the XxxxGuardian mixin files (lib/guardian/...).
- Otherwise, it goes into the base Guardian definition.
ApplicationController manages a guardian attribute reflecting the current request/client, and provides it to serializers as their scope, so the current Guardian is available when needed (except when it isn’t^[1])
There are places where a ready-made Guardian is not available, typically in a backend task run by the system, but if you have a handle on an “acting user” (e.g., the recipient user, when generating an email notification), you can create a appropriate guardian on the fly: Guardian.new(the_user) .

Forwarding the `scope:` down a tree of serializers: just do it, or not? Dev

Serializers can be provided with a scope: parameter intended to provide the permissions-context for the serializer. In the Discourse code, the provided scope is a Guardian, and it looks like every serializer is intended to receive a Guardian as its scope. ApplicationController (the base class of all the controllers) maintains a Guardian and it has multiple mechanisms to try to ensure that Guardian is injected as the scope: for all serializers. However, not every scenario is not covered by the…

↩︎

Topic		Replies	Views
Forwarding the `scope:` down a tree of serializers: just do it, or not? Dev	0	17	February 21, 2025
Restrict exposure of full name to certain groups Feature	0	26	January 24, 2025
Plugin to show full name only to users of the same group Dev	8	581	September 18, 2021
"Granted By" on badges not displaying the staff name Bug badges	12	534	October 28, 2023
Allow specific users to impersonate defined users Dev impersonate	9	853	May 5, 2024

Proper place to propose a permissions predicate?

Related topics