Permissions Cleanup: Core

js/src/admin/AdminApplication.js

@@ -49,7 +49,7 @@ export default class AdminApplication extends Application {
     const required = [];
 
     if (permission === 'startDiscussion' || permission.indexOf('discussion.') === 0) {
-      required.push('viewDiscussions');
+      required.push('viewForum');
     }
     if (permission === 'discussion.delete') {
       required.push('discussion.hide');

js/src/admin/components/PermissionGrid.js

@@ -102,11 +102,11 @@ export default class PermissionGrid extends Component {
     const items = new ItemList();
 
     items.add(
-      'viewDiscussions',
+      'viewForum',
       {
         icon: 'fas fa-eye',
-        label: app.translator.trans('core.admin.permissions.view_discussions_label'),
-        permission: 'viewDiscussions',
+        label: app.translator.trans('core.admin.permissions.view_forum_label'),
+        permission: 'viewForum',
         allowGuest: true,
       },
       100
@@ -123,11 +123,11 @@ export default class PermissionGrid extends Component {
     );
 
     items.add(
-      'viewUserList',
+      'searchUsers',
       {
         icon: 'fas fa-users',
-        label: app.translator.trans('core.admin.permissions.view_user_list_label'),
-        permission: 'viewUserList',
+        label: app.translator.trans('core.admin.permissions.search_users_label'),
+        permission: 'searchUsers',
         allowGuest: true,
       },
       100

js/src/forum/components/Search.js

@@ -202,8 +202,8 @@ export default class Search extends Component {
   sourceItems() {
     const items = new ItemList();
 
-    if (app.forum.attribute('canViewDiscussions')) items.add('discussions', new DiscussionsSearchSource());
-    if (app.forum.attribute('canViewUserList')) items.add('users', new UsersSearchSource());
+    if (app.forum.attribute('canViewForum')) items.add('discussions', new DiscussionsSearchSource());
+    if (app.forum.attribute('canSearchUsers')) items.add('users', new UsersSearchSource());
 
     return items;
   }

migrations/2020_06_27_000000_rename_permissions.php

@@ -0,0 +1,26 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+use Illuminate\Database\Schema\Builder;
+
+return [
+    'up' => function (Builder $schema) {
+        $db = $schema->getConnection();
+
+        $db->table('group_permission')->where('permission', 'viewDiscussions')->update(['permission' => 'viewForum']);
+        $db->table('group_permission')->where('permission', 'viewUserList')->update(['permission' => 'searchUsers']);
+    },
+
+    'down' => function (Builder $schema) {
+        $db = $schema->getConnection();
+
+        $db->table('group_permission')->where('permission', 'viewForum')->update(['permission' => 'viewDiscussions']);
+        $db->table('group_permission')->where('permission', 'searchUsers')->update(['permission' => 'viewUserList']);
+    }
+];

src/Api/Controller/ListUsersController.php

@@ -70,7 +70,7 @@ protected function data(ServerRequestInterface $request, Document $document)
     {
         $actor = $request->getAttribute('actor');
 
-        $this->assertCan($actor, 'viewUserList');
+        $this->assertCan($actor, 'searchUsers');
 
         $query = Arr::get($this->extractFilter($request), 'q');
         $sort = $this->extractSort($request);

src/Api/Serializer/ForumSerializer.php

@@ -78,9 +78,9 @@ protected function getDefaultAttributes($model)
             'footerHtml' => $this->settings->get('custom_footer'),
             'allowSignUp' => (bool) $this->settings->get('allow_sign_up'),
             'defaultRoute'  => $this->settings->get('default_route'),
-            'canViewDiscussions' => $this->actor->can('viewDiscussions'),
+            'canViewForum' => $this->actor->can('viewForum'),
             'canStartDiscussion' => $this->actor->can('startDiscussion'),
-            'canViewUserList' => $this->actor->can('viewUserList')
+            'canSearchUsers' => $this->actor->can('searchUsers')
         ];
 
         if ($this->actor->can('administrate')) {

src/Discussion/DiscussionPolicy.php

@@ -61,7 +61,7 @@ public function can(User $actor, $ability)
      */
     public function find(User $actor, Builder $query)
     {
-        if ($actor->cannot('viewDiscussions')) {
+        if ($actor->cannot('viewForum')) {
             $query->whereRaw('FALSE');
 
             return;

src/User/UserPolicy.php

@@ -36,7 +36,7 @@ public function can(User $actor, $ability)
      */
     public function find(User $actor, Builder $query)
     {
-        if ($actor->cannot('viewUserList')) {
+        if ($actor->cannot('viewForum')) {
             if ($actor->isGuest()) {
                 $query->whereRaw('FALSE');
             } else {

tests/integration/api/authentication/WithApiKeyTest.php

@@ -53,7 +53,7 @@ public function cannot_authorize_without_key()
         );
 
         $data = json_decode($response->getBody(), true);
-        $this->assertFalse($data['data']['attributes']['canViewUserList']);
+        $this->assertFalse($data['data']['attributes']['canSearchUsers']);
     }
 
     /**
@@ -69,7 +69,7 @@ public function master_token_can_authenticate_as_anyone()
         );
 
         $data = json_decode($response->getBody(), true);
-        $this->assertTrue($data['data']['attributes']['canViewUserList']);
+        $this->assertTrue($data['data']['attributes']['canSearchUsers']);
         $this->assertArrayHasKey('adminUrl', $data['data']['attributes']);
 
         $key->refresh();
@@ -90,7 +90,7 @@ public function personal_api_token_cannot_authenticate_as_anyone()
         );
 
         $data = json_decode($response->getBody(), true);
-        $this->assertTrue($data['data']['attributes']['canViewUserList']);
+        $this->assertTrue($data['data']['attributes']['canSearchUsers']);
         $this->assertArrayNotHasKey('adminUrl', $data['data']['attributes']);
 
         $key->refresh();
@@ -111,7 +111,7 @@ public function personal_api_token_authenticates_user()
         );
 
         $data = json_decode($response->getBody(), true);
-        $this->assertTrue($data['data']['attributes']['canViewUserList']);
+        $this->assertTrue($data['data']['attributes']['canSearchUsers']);
         $this->assertArrayNotHasKey('adminUrl', $data['data']['attributes']);
 
         $key->refresh();

tests/integration/api/csrf_protection/RequireCsrfTokenTest.php

@@ -31,7 +31,7 @@ protected function setUp(): void
                 ['user_id' => 1, 'group_id' => 1],
             ],
             'group_permission' => [
-                ['permission' => 'viewUserList', 'group_id' => 3],
+                ['permission' => 'searchUsers', 'group_id' => 3],
             ],
             'api_keys' => [
                 ['user_id' => 1, 'key' => 'superadmin'],

tests/integration/api/discussions/ListTest.php

@@ -36,7 +36,7 @@ protected function setUp(): void
                 $this->guestGroup(),
             ],
             'group_permission' => [
-                ['permission' => 'viewDiscussions', 'group_id' => 2],
+                ['permission' => 'viewForum', 'group_id' => 2],
             ]
         ]);
     }

tests/integration/api/discussions/ShowTest.php

@@ -46,8 +46,8 @@ protected function setUp(): void
                 ['user_id' => 2, 'group_id' => 3],
             ],
             'group_permission' => [
-                ['permission' => 'viewDiscussions', 'group_id' => 2],
-                ['permission' => 'viewDiscussions', 'group_id' => 3],
+                ['permission' => 'viewForum', 'group_id' => 2],
+                ['permission' => 'viewForum', 'group_id' => 3],
             ]
         ]);
     }

tests/integration/api/posts/CreateTest.php

@@ -36,7 +36,7 @@ protected function setUp(): void
                 ['user_id' => 2, 'group_id' => 3],
             ],
             'group_permission' => [
-                ['permission' => 'viewDiscussions', 'group_id' => 3],
+                ['permission' => 'viewForum', 'group_id' => 3],
             ]
         ]);
     }

tests/integration/api/users/ListTest.php

@@ -55,7 +55,7 @@ public function shows_index_for_guest_when_they_have_permission()
     {
         Permission::unguarded(function () {
             Permission::create([
-                'permission' => 'viewUserList',
+                'permission' => 'searchUsers',
                 'group_id' => 2,
             ]);
         });

tests/integration/api/users/UpdateTest.php

@@ -34,7 +34,7 @@ protected function setUp(): void
                 ['user_id' => 2, 'group_id' => 3],
             ],
             'group_permission' => [
-                ['permission' => 'viewUserList', 'group_id' => 3],
+                ['permission' => 'searchUsers', 'group_id' => 3],
             ]
         ]);
     }
@@ -69,7 +69,7 @@ public function users_can_not_see_other_users_private_information()
         );
 
         // Make sure sensitive information is not made public
-        $this->assertEquals(200, $response->getStatusCode());
+        $this->assertEquals(404, $response->getStatusCode());
         $this->assertNotContains('[email protected]', (string) $response->getBody());
     }
 }