FIX: Only modify secured sidebar links on user promotion/demotion (#19141)

* FIX: Only modify secured sidebar links on user promotion/demotion

If a user is created populate their sidebar with the default
categories/tags that they have access to.

If a user is promoted to admin populate any new categories/tags that
they now have access to.

If an admin is demoted remove any categories/tags that they no longer
have access to.

This will only apply for "secured" categories. For example if these are
the default sitebar categories:

- general
- site feedback
- staff

and a user only has these sidebar categories:

- general

when they are promoted to admin they will only receive the "staff"
category. As this is a default category they didn't previously have
access to.

* Add spec, remove tag logic on update

Change it so that if a user becomes unstaged it used the "add" method
instead of the "update" method because it is essentially following the
on_create path.

On admin promotion/demotion remove the logic for updating sidebar tags because
we don't currently have the tag equivalent like we do for User.secure_categories.

Added the test case for when a user is promoted to admin it should
receive *only* the new sidebar categories they didn't previously have
access to. Same for admin demotion.

* Add spec for suppress_secured_categories_from_admin site setting

* Update tags as well on admin promotion/demotion

* only update tags when they are enabled

* Use new SidebarSectionLinkUpdater

We now have a SidebarSectionLinkUpdater
that was introduced in: fb2507c6ce

* remove empty line

spec/models/user_spec.rb

@@ -64,19 +64,47 @@ RSpec.describe User do
           tag.id,
           hidden_tag.id
         )
+      end
 
-        # A user promoted to admin should get secured sidebar records
+      it 'should create and remove the right sidebar section link records when user is promoted/demoted as an admin' do
+        user = Fabricate(:user)
+        another_category = Fabricate(:category)
+        another_tag = Fabricate(:tag)
+
+        # User has customized their sidebar categories and tags
+        SidebarSectionLink.where(user: user).delete_all
+        SidebarSectionLinksUpdater.update_category_section_links(user, category_ids: [another_category.id])
+        SidebarSectionLinksUpdater.update_tag_section_links(user, tag_names: [another_tag.name])
+
+        # A user promoted to admin now has any default categories/tags they didn't previously have access to
         user.update(admin: true)
-
         expect(SidebarSectionLink.where(linkable_type: 'Category', user_id: user.id).pluck(:linkable_id)).to contain_exactly(
-          category.id,
+          another_category.id,
           secured_category.id
         )
-
         expect(SidebarSectionLink.where(linkable_type: 'Tag', user_id: user.id).pluck(:linkable_id)).to contain_exactly(
-          tag.id,
+          another_tag.id,
           hidden_tag.id
         )
+
+        # User still has their customized sidebar categories and tags after demotion
+        user.update(admin: false)
+        expect(SidebarSectionLink.where(linkable_type: 'Category', user_id: user.id).pluck(:linkable_id)).to contain_exactly(
+          another_category.id
+        )
+        expect(SidebarSectionLink.where(linkable_type: 'Tag', user_id: user.id).pluck(:linkable_id)).to contain_exactly(
+          another_tag.id
+        )
+      end
+
+      it 'should not receive any new categories w/ suppress secured categories from admin enabled' do
+        SiteSetting.suppress_secured_categories_from_admin = true
+        user = Fabricate(:user)
+        SidebarSectionLink.where(user: user).delete_all # User has customized their sidebar categories
+        user.update(admin: true)
+        expect(SidebarSectionLink.where(linkable_type: 'Category', user_id: user.id).pluck(:linkable_id)).to be_empty
+        user.update(admin: false)
+        expect(SidebarSectionLink.where(linkable_type: 'Category', user_id: user.id).pluck(:linkable_id)).to be_empty
       end
 
       it 'should not create any sidebar section link records when experimental sidebar is disabled' do