From f55aa4502c498d3f131a5c10c260a9b461931594 Mon Sep 17 00:00:00 2001
From: Toby Zerner
Date: Sat, 16 Jan 2016 13:56:37 +1030
Subject: [PATCH] Give GetPermission event priority when determining permissions
---
 .../core/src/Core/CoreServiceProvider.php | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/framework/core/src/Core/CoreServiceProvider.php b/framework/core/src/Core/CoreServiceProvider.php
index 5d6fb2e4a..2323b2720 100644
--- a/framework/core/src/Core/CoreServiceProvider.php
+++ b/framework/core/src/Core/CoreServiceProvider.php
@@ -73,13 +73,25 @@ class CoreServiceProvider extends AbstractServiceProvider
 });
 $this->app->make('flarum.gate')->before(function (User $actor, $ability, $model = null) {
+ // Fire an event so that core and extension policies can hook into
+ // this permission query and explicitly grant or deny the
+ // permission.
+ $allowed = $this->app->make('events')->until(
+ new GetPermission($actor, $ability, $model ? [$model] : [])
+ );
+
+ if (! is_null($allowed)) {
+ return $allowed;
+ }
+
+ // If no policy covered this permission query, we will only grant
+ // the permission if the actor's groups have it. Otherwise, we will
+ // not allow the user to perform this action.
 if ($actor->isAdmin() || (! $model && $actor->hasPermission($ability))) {
 return true;
 }
- return $this->app->make('events')->until(
- new GetPermission($actor, $ability, $model ? [$model] : [])
- );
+ return false;
 });
 $this->registerPostTypes();
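Review bot: The `until()` call now at the top of the `before` closure lets the first listener that returns a non-null value decide, so when two policies disagree the result depends on listener registration order, and a deny from a later listener is never consulted once an earlier one grants. Because that result now also overrides the `isAdmin()` and group-permission check below it, the comment should state the rule, for example `// The first listener to return a non-null value decides; later listeners are not consulted.` The value is also handed back as-is, so if the gate expects a strict boolean, `return (bool) $allowed;` would pin the contract for extension authors. Separately, the closing `return false;` means this callback never returns null, which presumably stops the gate from falling through to anything registered after the `before` hooks; worth confirming nothing relies on that. The closure is complete within the hunk, but the enclosing method of CoreServiceProvider starts outside it.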