From 424f85b2b26bd87eade38d9adacdf9818f69f47e Mon Sep 17 00:00:00 2001
From: Deimos
Date: Mon, 28 Jan 2019 20:32:02 -0700
Subject: [PATCH] Enable user-history viewing for logged-in users

Until now, users have only been able to view the full posting history of themselves (with pagination only being available on your own user page). This extends the view_history permission to all logged-in users, so everyone logged into an account will be able to see the full history of any user.
---
 tildes/tildes/models/user/user.py | 4 ++++
 tildes/tildes/views/user.py | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/tildes/tildes/models/user/user.py b/tildes/tildes/models/user/user.py
index 58ecdd8..4ea7e20 100644
--- a/tildes/tildes/models/user/user.py
+++ b/tildes/tildes/models/user/user.py
@@ -142,6 +142,10 @@ class User(DatabaseModel):
 # - everyone can view all users
 acl.append((Allow, Everyone, "view"))
 
+ # view_history:
+ # - only allow logged-in users to look through user history
+ acl.append((Allow, Authenticated, "view_history"))
+
 # message:
 # - deleted and banned users can't be messaged
 # - otherwise, logged-in users can message anyone except themselves
diff --git a/tildes/tildes/views/user.py b/tildes/tildes/views/user.py
index 72042a7..b4f160e 100644
--- a/tildes/tildes/views/user.py
+++ b/tildes/tildes/views/user.py
@@ -34,6 +34,8 @@ def get_user(
 """Generate the main user history page."""
 user = request.context
 
+ # if the viewer doesn't have permission to view history, clear all the variables
+ # related to pagination (in case they set them manually in query vars)
 if not request.has_permission("view_history", user):
 post_type = None
 after = None
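Review bot: The new `view_history` entry is appended unconditionally, so it applies to every target account: the `message` rule just below special-cases deleted and banned users, but nothing here does, and their full paginated history becomes browsable by any logged-in account. If that is intended, state it in the comment, e.g. `# - applies to every user's history, including deleted and banned accounts`; if not, the append needs the same kind of guard as the message rule, whose code is outside the hunk. Because Pyramid evaluates ACL entries in order and stops at the first match, any Deny for this permission would have to be appended before this Allow. The enclosing ACL method starts and ends outside the hunk.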
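Review bot: The `view_history` check in `get_user` is enforced by resetting an enumerated list of variables rather than by a permission on the view, so it fails open: any user-controlled parameter that is not reset in this block still reaches the query for viewers without the permission. The hunk shows only `post_type` and `after` being cleared and the block continues past the hunk, so the completeness of the list cannot be confirmed from here. I would extend the new comment with `# NOTE: every query var that affects paging or filtering must be reset here` and add a test that a logged-out request with manually set query vars still gets the default first page.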