Tags: flarum/tags
Tags
[1.x] fix(tags): exclude bypassTagCounts from DiscussionPolicy catch-… …all (#4538) * fix(tags): exclude bypassTagCounts from DiscussionPolicy catch-all The catch-all `can()` method in DiscussionPolicy intercepted every discussion ability, including the `bypassTagCounts` meta-permission, and checked for a per-tag variant (e.g. `tag6.discussion.bypassTagCounts`) that never exists. This caused the permission check to always deny non-admin users, even when they had been explicitly granted `bypassTagCounts`, whenever the discussion was in a restricted tag. Fixes #4537 * Apply fixes from StyleCI --------- Co-authored-by: StyleCI Bot <bot@styleci.io>
[2.x][tags] fix: tag restricted discussion own abilities (#4379)
* fix(tags): authors can rename/hide own discussions in restricted tags
Fixes #3692. When a discussion is in a restricted tag, `can()` in tags'
DiscussionPolicy would deny ALL abilities (including rename and hide) for
users who lack the explicit tag-specific permission — even when core
DiscussionPolicy would allow the action as an "own-discussion" right.
The fix adds `rename()` and `hide()` methods to tags' DiscussionPolicy.
Because `checkAbility()` dispatches to named methods before the `can()`
catch-all, these methods short-circuit for the author case and return
`allow()` before the erroneous tag-restriction deny is ever reached.
The methods use `$actor->hasPermission('discussion.reply')` rather than
`$actor->can('reply', $discussion)` to avoid a circular denial: calling
`can('reply', $discussion)` would re-enter `can()` in the tags policy,
which would deny reply for the same restricted-tag reason.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Apply fixes from StyleCI
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: StyleCI Bot <bot@styleci.io>
PreviousNext