FIX: moderators should not be able to see site setting changes in the staff action logs. Fixes #2027

app/models/user_history.rb

@@ -9,6 +9,8 @@ class UserHistory < ActiveRecord::Base
 
   scope :only_staff_actions, ->{ where("action IN (?)", UserHistory.staff_action_ids) }
 
+  before_save :set_admin_only
+
   def self.actions
     @actions ||= Enum.new( :delete_user,
                            :change_trust_level,
@@ -38,6 +40,10 @@ class UserHistory < ActiveRecord::Base
     @staff_action_ids ||= staff_actions.map { |a| actions[a] }
   end
 
+  def self.admin_only_action_ids
+    @admin_only_action_ids ||= [actions[:change_site_setting]]
+  end
+
   def self.with_filters(filters)
     query = self
     if filters[:action_name] and action_id = UserHistory.actions[filters[:action_name].to_sym]
@@ -63,6 +69,18 @@ class UserHistory < ActiveRecord::Base
     result.exists?
   end
 
+  def self.staff_action_records(viewer, opts={})
+    query = self.with_filters(opts.slice(:action_name, :acting_user, :target_user, :subject)).only_staff_actions.limit(200).order('id DESC').includes(:acting_user, :target_user)
+    query = query.where(admin_only: false) unless viewer && viewer.admin?
+    query
+  end
+
+
+  def set_admin_only
+    self.admin_only = UserHistory.admin_only_action_ids.include?(self.action)
+    self
+  end
+
   def new_value_is_json?
     [UserHistory.actions[:change_site_customization], UserHistory.actions[:delete_site_customization]].include?(action)
   end