FIX: topics in private sub-categories were visible to everyone on the categories page

spec/components/category_list_spec.rb

@@ -9,8 +9,6 @@ describe CategoryList do
 
   context "security" do
     it "properly hide secure categories" do
-      user = Fabricate(:user)
-
       cat = Fabricate(:category)
       Fabricate(:topic, category: cat)
       cat.set_permissions(:admins => :full)
@@ -21,6 +19,32 @@ describe CategoryList do
       CategoryList.new(Guardian.new user).categories.count.should == 0
       CategoryList.new(Guardian.new nil).categories.count.should == 0
     end
+
+    it "doesn't show topics that you can't view" do
+      public_cat = Fabricate(:category) # public category
+      Fabricate(:topic, category: public_cat)
+
+      private_cat = Fabricate(:category) # private category
+      Fabricate(:topic, category: private_cat)
+      private_cat.set_permissions(admins: :full)
+      private_cat.save
+
+      secret_subcat = Fabricate(:category, parent_category_id: public_cat.id) # private subcategory
+      Fabricate(:topic, category: secret_subcat)
+      secret_subcat.set_permissions(admins: :full)
+      secret_subcat.save
+
+      CategoryFeaturedTopic.feature_topics
+
+      CategoryList.new(Guardian.new(admin)).categories.find { |x| x.name == public_cat.name }.displayable_topics.count.should == 2
+      CategoryList.new(Guardian.new(admin)).categories.find { |x| x.name == private_cat.name }.displayable_topics.count.should == 1
+
+      CategoryList.new(Guardian.new(user)).categories.find { |x| x.name == public_cat.name }.displayable_topics.count.should == 1
+      CategoryList.new(Guardian.new(user)).categories.find { |x| x.name == private_cat.name }.should be_nil
+
+      CategoryList.new(Guardian.new(nil)).categories.find { |x| x.name == public_cat.name }.displayable_topics.count.should == 1
+      CategoryList.new(Guardian.new(nil)).categories.find { |x| x.name == private_cat.name }.should be_nil
+    end
   end
 
   context "with a category" do