From 901e115a217f45668d3d078559fcd23e4f9c34ac Mon Sep 17 00:00:00 2001
From: rubenwardy <rw@rubenwardy.com>
Date: Sat, 28 Jul 2018 14:25:51 +0100
Subject: [PATCH] Prevent trusted users from approving their own packages

---
 app/flatpages/help/ranks_permissions.md | 21 +++++++++++++++++++--
 app/models.py                           |  7 +++----
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/app/flatpages/help/ranks_permissions.md b/app/flatpages/help/ranks_permissions.md
index 5737938..9252930 100644
--- a/app/flatpages/help/ranks_permissions.md
+++ b/app/flatpages/help/ranks_permissions.md
@@ -34,6 +34,8 @@ title: Ranks and Permissions
 			<th>N</th>
 			<th>Y</th>
 			<th>N</th>
+			<th>Y</th>
+			<th>N</th>
 		</tr>
 	</thead>
 	<tbody>
@@ -58,7 +60,7 @@ title: Ranks and Permissions
 			<th></th>
 			<th></th> <!-- member -->
 			<th></th>
-			<th>✓</th> <!-- trusted member -->
+			<th></th> <!-- trusted member -->
 			<th></th>
 			<th>✓</th> <!-- editor -->
 			<th>✓</th>
@@ -101,7 +103,7 @@ title: Ranks and Permissions
 			<td>Approve Screenshot</td>
 			<th></th> <!-- new -->
 			<th></th>
-			<th>✓</th> <!-- member -->
+			<th></th> <!-- member -->
 			<th></th>
 			<th>✓</th> <!-- trusted member -->
 			<th></th>
@@ -187,6 +189,21 @@ title: Ranks and Permissions
 			<th>✓</th> <!-- admin -->
 			<th>✓</th>
 		</tr>
+		<tr>
+			<td>See Private Thread</td>
+			<th>✓</th> <!-- new -->
+			<th></th>
+			<th>✓</th> <!-- member -->
+			<th></th>
+			<th>✓</th> <!-- trusted member -->
+			<th></th>
+			<th>✓</th> <!-- editor -->
+			<th>✓</th>
+			<th>✓</th> <!-- moderator -->
+			<th>✓</th>
+			<th>✓</th> <!-- admin -->
+			<th>✓</th>
+		</tr>
 		<tr>
 			<td>Set Email</td>
 			<th>✓</th> <!-- new -->
diff --git a/app/models.py b/app/models.py
index c402d09..0452009 100644
--- a/app/models.py
+++ b/app/models.py
@@ -489,12 +489,11 @@ class Package(db.Model):
 			else:
 				return user.rank.atLeast(UserRank.EDITOR)
 
-		# Editors can change authors
-		elif perm == Permission.CHANGE_AUTHOR:
+		# Editors can change authors and approve new packages
+		elif perm == Permission.APPROVE_NEW or perm == Permission.CHANGE_AUTHOR:
 			return user.rank.atLeast(UserRank.EDITOR)
 
-		elif perm == Permission.APPROVE_NEW or perm == Permission.APPROVE_RELEASE \
-				or perm == Permission.APPROVE_SCREENSHOT:
+		elif perm == Permission.APPROVE_RELEASE or perm == Permission.APPROVE_SCREENSHOT:
 			return user.rank.atLeast(UserRank.TRUSTED_MEMBER if isOwner else UserRank.EDITOR)
 
 		# Moderators can delete packages