From 4841c66602b0fdc35a78d6335583fd1d8f3e1dad Mon Sep 17 00:00:00 2001
From: rubenwardy
Date: Mon, 21 May 2018 22:31:50 +0100
Subject: [PATCH] Restrict changing display name to moderator and above
---
 app/models.py | 3 ++-
 app/templates/users/user_profile_page.html | 6 ++++--
 app/views/users.py | 6 ++++--
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/app/models.py b/app/models.py
index f632b7c0..b5607ab6 100644
--- a/app/models.py
+++ b/app/models.py
@@ -65,6 +65,7 @@ class Permission(enum.Enum):
 APPROVE_RELEASE = "APPROVE_RELEASE"
 APPROVE_NEW = "APPROVE_NEW"
 CHANGE_RELEASE_URL = "CHANGE_RELEASE_URL"
+ CHANGE_DNAME = "CHANGE_DNAME"
 CHANGE_RANK = "CHANGE_RANK"
 CHANGE_EMAIL = "CHANGE_EMAIL"
 EDIT_EDITREQUEST = "EDIT_EDITREQUEST"
@@ -140,7 +141,7 @@ class User(db.Model, UserMixin):
 # Members can edit their own packages, and editors can edit any packages
 if perm == Permission.CHANGE_AUTHOR:
 return user.rank.atLeast(UserRank.EDITOR)
- elif perm == Permission.CHANGE_RANK:
+ elif perm == Permission.CHANGE_RANK or perm == Permission.CHANGE_DNAME:
 return user.rank.atLeast(UserRank.MODERATOR)
 elif perm == Permission.CHANGE_EMAIL:
 return user == self or (user.rank.atLeast(UserRank.MODERATOR) and user.rank.atLeast(self.rank))
diff --git a/app/templates/users/user_profile_page.html b/app/templates/users/user_profile_page.html
index 53afd571..e4f9ff01 100644
--- a/app/templates/users/user_profile_page.html
+++ b/app/templates/users/user_profile_page.html
@@ -7,7 +7,7 @@ {% block content %}
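Review bot: In the second app/models.py hunk, the new `CHANGE_DNAME` case shares the `CHANGE_RANK` rule `user.rank.atLeast(UserRank.MODERATOR)` and never compares the actor's rank with the target's, so a moderator can rename the display name of a higher-ranked account. The `CHANGE_EMAIL` branch right below already adds `user.rank.atLeast(self.rank)`; giving display names their own branch with the same guard would close that gap: `elif perm == Permission.CHANGE_DNAME:` followed by `return user.rank.atLeast(UserRank.MODERATOR) and user.rank.atLeast(self.rank)`. This matters more because the profile template in this commit appears to switch the page heading from the username to the display name, making it the identity other users see. checkPerm starts and ends outside the hunk, so any earlier guard in it is not visible here.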
-

{{ user.username }}

+

{{ user.display_name }}

@@ -73,7 +73,9 @@
{{ form.hidden_tag() }}
- {{ render_field(form.display_name, tabindex=230) }}
+ {% if user.checkPerm(current_user, "CHANGE_DNAME") %}
+ {{ render_field(form.display_name, tabindex=230) }}
+ {% endif %}
 {% if user.checkPerm(current_user, "CHANGE_EMAIL") %}
 {{ render_field(form.email, tabindex=240) }}
diff --git a/app/views/users.py b/app/views/users.py
index dda53cdd..c2460e1e 100644
--- a/app/views/users.py
+++ b/app/views/users.py
@@ -50,14 +50,16 @@ def user_profile_page(username):
 abort(404)
 form = None
- if user == current_user or user.checkPerm(current_user, Permission.CHANGE_RANK):
+ if user.checkPerm(current_user, Permission.CHANGE_DNAME) or \
+ user.checkPerm(current_user, Permission.CHANGE_EMAIL) or \
+ user.checkPerm(current_user, Permission.CHANGE_RANK):
 # Initialize form
 form = UserProfileForm(formdata=request.form, obj=user)
 # Process valid POST
 if request.method=="POST" and form.validate():
 # Copy form fields to user_profile fields
- if user == current_user:
+ if user.checkPerm(current_user, Permission.CHANGE_DNAME):
 user.display_name = form["display_name"].data
 if user.checkPerm(current_user, Permission.CHANGE_RANK):
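Review bot: In the app/views/users.py hunk, the assignment `user.display_name = form["display_name"].data` can now be reached by a moderator editing someone else's profile, and nothing visible records who made the change. Because this is a privileged edit to another account's visible identity, I would log the acting user, the target and the old and new values whenever `current_user != user`, and put a comment above the assignment such as `# Moderator-only: display names are identity-bearing, see Permission.CHANGE_DNAME`. Whether form validation constrains the new name (length, characters, collision with another account's username) is outside this hunk and worth confirming. The body of user_profile_page continues past the last line shown, so logging may already happen further down.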