Enable user-history viewing for logged-in users

Until now, users have only been able to view the full posting history of
themselves (with pagination only being available on your own user page).
This extends the view_history permission to all logged-in users, so
everyone logged into an account will be able to see the full history of
any user.

tildes/tildes/models/user/user.py

@@ -142,6 +142,10 @@ class User(DatabaseModel):
         #  - everyone can view all users
         acl.append((Allow, Everyone, "view"))
 
+        # view_history:
+        #  - only allow logged-in users to look through user history
+        acl.append((Allow, Authenticated, "view_history"))
+
         # message:
         #  - deleted and banned users can't be messaged
         #  - otherwise, logged-in users can message anyone except themselves

tildes/tildes/views/user.py

@@ -34,6 +34,8 @@ def get_user(
     """Generate the main user history page."""
     user = request.context
 
+    # if the viewer doesn't have permission to view history, clear all the variables
+    # related to pagination (in case they set them manually in query vars)
     if not request.has_permission("view_history", user):
         post_type = None
         after = None