FEATURE: Add site setting to prevent mods from changing trust levels

app/assets/javascripts/admin/addon/templates/admin-user/index.gjs

@@ -2,7 +2,7 @@ import { fn, hash } from "@ember/helper";
 import { LinkTo } from "@ember/routing";
 import { htmlSafe } from "@ember/template";
 import RouteTemplate from "ember-route-template";
-import { and, gt } from "truth-helpers";
+import { and, gt, not } from "truth-helpers";
 import ConditionalLoadingSpinner from "discourse/components/conditional-loading-spinner";
 import DButton from "discourse/components/d-button";
 import PluginOutlet from "discourse/components/plugin-outlet";
@@ -476,10 +476,14 @@ export default RouteTemplate(
         <div class="field">{{i18n "trust_level"}}</div>
         <div class="value">
           <ComboBox
+            class="change-trust-level-dropdown"
             @content={{@controller.site.trustLevels}}
             @nameProperty="detailedName"
             @value={{@controller.model.trustLevel.id}}
             @onChange={{fn (mut @controller.model.trust_level)}}
+            @options={{hash
+              disabled=(not @controller.model.can_change_trust_level)
+            }}
           />
 
           {{#if @controller.model.dirty}}
@@ -498,6 +502,7 @@ export default RouteTemplate(
           {{/if}}
         </div>
         <div class="controls">
+          {{#if @controller.model.can_change_trust_level}}
             {{#if @controller.model.canLockTrustLevel}}
               {{#if @controller.hasLockedTrustLevel}}
                 {{icon "lock" title="admin.user.trust_level_locked_tip"}}
@@ -524,6 +529,7 @@ export default RouteTemplate(
                 {{i18n "admin.user.trust_level_3_requirements"}}
               </LinkTo>
             {{/if}}
+          {{/if}}
         </div>
       </div>
 

app/serializers/admin_user_serializer.rb

@@ -7,6 +7,7 @@ class AdminUserSerializer < AdminUserListSerializer
              :can_activate,
              :can_deactivate,
              :can_approve,
+             :can_change_trust_level,
              :ip_address,
              :registration_ip_address,
              :include_ip
@@ -33,6 +34,10 @@ class AdminUserSerializer < AdminUserListSerializer
     scope.can_deactivate?(object)
   end
 
+  def can_change_trust_level
+    scope.can_change_trust_level?(object)
+  end
+
   def ip_address
     object.ip_address.try(:to_s)
   end

config/locales/server.en.yml

@@ -1931,6 +1931,7 @@ en:
     top_page_default_timeframe: "Default top page time period for anonymous users (automatically adjusts for logged in users based on their last visit)."
     moderators_view_emails: "Allow moderators to view user email addresses."
     moderators_view_ips: "Allow moderators to view user ip addresses."
+    moderators_change_trust_levels: "Allow moderators to change user trust levels."
     prioritize_username_in_ux: "Show username first on user page, user card and posts (when disabled name is shown first)"
     enable_rich_text_paste: "Enable automatic HTML to Markdown conversion when pasting text into the composer."
     send_old_credential_reminder_days: "Remind about old credentials after days"

config/site_settings.yml

@@ -2588,6 +2588,8 @@ security:
   moderators_view_ips:
     default: true
     client: true
+  moderators_change_trust_levels:
+    default: true
   non_crawler_user_agents:
     hidden: true
     default: "trident|webkit|gecko|chrome|safari|msie|opera|goanna|discourse"

lib/guardian.rb

@@ -397,7 +397,7 @@ class Guardian
   end
 
   def can_change_trust_level?(user)
-    user && is_staff?
+    user && (is_admin? || (is_moderator? && SiteSetting.moderators_change_trust_levels))
   end
 
   # Support sites that have to approve users

spec/requests/admin/users_controller_spec.rb

@@ -1038,17 +1038,43 @@ RSpec.describe Admin::UsersController do
 
       before { sign_in(admin) }
 
+      context "when moderators_change_trust_levels setting is enabled" do
+        before { SiteSetting.moderators_change_trust_levels = true }
+
         include_examples "trust level updates possible"
       end
 
+      context "when moderators_change_trust_levels setting is disabled" do
+        before { SiteSetting.moderators_change_trust_levels = false }
+
+        include_examples "trust level updates possible"
+      end
+    end
+
     context "when logged in as a moderator" do
       let(:acting_user) { moderator }
 
       before { sign_in(moderator) }
 
+      context "when moderators_change_trust_levels setting is enabled" do
+        before { SiteSetting.moderators_change_trust_levels = true }
+
         include_examples "trust level updates possible"
       end
 
+      context "when moderators_change_trust_levels setting is disabled" do
+        before { SiteSetting.moderators_change_trust_levels = false }
+
+        it "prevents updates to trust level with a 422 response" do
+          another_user.update(trust_level: TrustLevel[1])
+          put "/admin/users/#{another_user.id}/trust_level.json", params: { level: TrustLevel[0] }
+
+          expect(response.status).to eq(422)
+          expect(another_user.reload.trust_level).to eq(TrustLevel[1])
+        end
+      end
+    end
+
     context "when logged in as a non-staff user" do
       before { sign_in(user) }
 

spec/requests/api/schemas/json/admin_user_response.json

@@ -80,6 +80,9 @@
     "can_deactivate": {
       "type": "boolean"
     },
+    "can_change_trust_level": {
+      "type": "boolean"
+    },
     "ip_address": {
       "type": "string"
     },

spec/system/admin_user_spec.rb

@@ -125,4 +125,30 @@ describe "Admin User Page", type: :system do
       end
     end
   end
+
+  context "when logged in as a moderator" do
+    fab!(:current_user, :moderator)
+
+    context "when visiting a regular user's page" do
+      fab!(:user)
+
+      before { admin_user_page.visit(user) }
+
+      context "when moderators_change_trust_levels setting is enabled" do
+        before { SiteSetting.moderators_change_trust_levels = true }
+
+        it "the dropdown to change trust level is enabled" do
+          expect(admin_user_page).to have_change_trust_level_dropdown_enabled
+        end
+      end
+
+      context "when moderators_change_trust_levels setting is disabled" do
+        before { SiteSetting.moderators_change_trust_levels = false }
+
+        it "the dropdown to change trust level is disabled" do
+          expect(admin_user_page).to have_change_trust_level_dropdown_disabled
+        end
+      end
+    end
+  end
 end

spec/system/page_objects/pages/admin_user.rb

@@ -23,6 +23,15 @@ module PageObjects
         has_no_css?(".btn-danger.silence-user")
       end
 
+      def has_change_trust_level_dropdown_enabled?
+        has_css?(".change-trust-level-dropdown") &&
+          has_no_css?(".change-trust-level-dropdown.is-disabled")
+      end
+
+      def has_change_trust_level_dropdown_disabled?
+        has_css?(".change-trust-level-dropdown.is-disabled")
+      end
+
       def click_suspend_button
         find(".btn-danger.suspend-user").click
       end