IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FEATURE: hidden site setting to suppress unsecured categories from admins (#19098)

Browse Source 
The hidden site setting `suppress_secured_categories_from_admin` will
suppress visibility of categories without explicit access from admins
in a few key areas (category drop downs and topic lists)

It is not intended to be a security wall since admins can amend any site
setting. Instead it is feature that allows hiding the categories from the
UI.

Admins will still be able to see topics in categories without explicit
access using direct URLs or flags.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
This commit is contained in:
Sam
2022-11-18 14:37:36 +11:00
committed by GitHub
parent a6c787345c
commit 4f63bc8ed2
5 changed files with 65 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
spec/lib/guardian/topic_guardian_spec.rb
View File

@@ -6,9 +6,11 @@ RSpec.describe TopicGuardian do
fab!(:tl3_user) { Fabricate(:leader) }
fab!(:moderator) { Fabricate(:moderator) }
fab!(:category) { Fabricate(:category) }
fab!(:topic) { Fabricate(:topic, category: category) }
fab!(:private_message_topic) { Fabricate(:private_message_topic) }
fab!(:group) { Fabricate(:group) }
fab!(:private_category) { Fabricate(:private_category, group: group) }
fab!(:topic) { Fabricate(:topic, category: category) }
fab!(:private_topic) { Fabricate(:topic, category: private_category) }
fab!(:private_message_topic) { Fabricate(:private_message_topic) }
before do
Guardian.enable_topic_can_see_consistency_check
@@ -174,4 +176,30 @@ RSpec.describe TopicGuardian do
)
end
end
describe '#filter_allowed_categories' do
it 'allows admin access to categories without explicit access' do
guardian = Guardian.new(admin)
list = Topic.where(id: private_topic.id)
list = guardian.filter_allowed_categories(list)
expect(list.count).to eq(1)
end
context 'when SiteSetting.suppress_secured_categories_from_admin is true' do
before do
SiteSetting.suppress_secured_categories_from_admin = true
end
it 'does not allow admin access to categories without explicit access' do
guardian = Guardian.new(admin)
list = Topic.where(id: private_topic.id)
list = guardian.filter_allowed_categories(list)
expect(list.count).to eq(0)
end
end
end
end