SECURITY: prevent topic list filtering by hidden tags for unathorized users
This fixes an issue where unauthorized users were able to filter topics by tags that are hidden from them.
parent
d7164d57ec
commit
92ac6be82a
@ -1281,7 +1281,9 @@ class TopicQuery
|
||||
|
||||
if tags_arg && tags_arg.size > 0
|
||||
tags_arg = tags_arg.split if String === tags_arg
|
||||
tags_query = tags_arg[0].is_a?(String) ? Tag.where_name(tags_arg) : Tag.where(id: tags_arg)
|
||||
tags_query = DiscourseTagging.visible_tags(@guardian)
|
||||
tags_query =
|
||||
tags_arg[0].is_a?(String) ? tags_query.where_name(tags_arg) : tags_query.where(id: tags_arg)
|
||||
tags = tags_query.select(:id, :target_tag_id).map { |t| t.target_tag_id || t.id }.uniq
|
||||
|
||||
if ActiveModel::Type::Boolean.new.cast(@options[:match_all_tags])
|
||||
|
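Review bot: The new scoping at `tags_query = DiscourseTagging.visible_tags(@guardian)` silently narrows the requested tags instead of rejecting the request, so the intent deserves a comment on that line: `# Only tags the current user may see can be used as a filter; names/ids of hidden tags are dropped rather than errored so their existence is not revealed`. When every requested tag is hidden, `tags` on the following line ends up empty, and the code that consumes it (outside this hunk) has to treat an empty list as "match nothing" rather than "no tag filter"; the spec hunk asserts that for a single hidden tag for anon and non-staff, so this appears to hold, but a mixed `[visible, hidden]` request without match_all_tags is not asserted anywhere in this commit. The enclosing method begins and ends outside the hunk.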
@ -573,6 +573,46 @@ RSpec.describe TopicQuery do
|
||||
tagged_topic3,
|
||||
)
|
||||
end
|
||||
|
||||
context "with hidden tags" do
|
||||
let(:hidden_tag) { Fabricate(:tag, name: "hidden") }
|
||||
let!(:staff_tag_group) do
|
||||
Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: [hidden_tag.name])
|
||||
end
|
||||
let!(:topic_with_hidden_tag) { Fabricate(:topic, tags: [tag, hidden_tag]) }
|
||||
|
||||
it "returns topics with hidden tag to admin" do
|
||||
expect(
|
||||
TopicQuery.new(admin, tags: hidden_tag.name).list_latest.topics,
|
||||
).to contain_exactly(topic_with_hidden_tag)
|
||||
end
|
||||
|
||||
it "doesn't return topics with hidden tags to anon" do
|
||||
expect(TopicQuery.new(nil, tags: hidden_tag.name).list_latest.topics).to be_empty
|
||||
end
|
||||
|
||||
it "doesn't return topic with hidden tags to non-staff" do
|
||||
expect(TopicQuery.new(user, tags: hidden_tag.name).list_latest.topics).to be_empty
|
||||
end
|
||||
|
||||
it "returns topics with hidden tag to admin when using match_all_tags" do
|
||||
expect(
|
||||
TopicQuery
|
||||
.new(admin, tags: [tag.name, hidden_tag.name], match_all_tags: true)
|
||||
.list_latest
|
||||
.topics,
|
||||
).to contain_exactly(topic_with_hidden_tag)
|
||||
end
|
||||
|
||||
it "doesn't return topic with hidden tags to non-staff when using match_all_tags" do
|
||||
expect(
|
||||
TopicQuery
|
||||
.new(user, tags: [tag.name, hidden_tag.name], match_all_tags: true)
|
||||
.list_latest
|
||||
.topics,
|
||||
).to be_empty
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context "when remove_muted_tags is enabled" do
|
||||
|
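Review bot: The new examples in `context "with hidden tags"` only pass tag names, so the id branch of the production change (`tags_query.where(id: tags_arg)`) is never exercised; an id-based example would close that gap, e.g. `it "doesn't return topic with hidden tags to non-staff when filtering by id" do` / `expect(TopicQuery.new(user, tags: [hidden_tag.id]).list_latest.topics).to be_empty` / `end`. A mixed request without match_all_tags (`TopicQuery.new(user, tags: [tag.name, hidden_tag.name])`) is also unasserted, and its expected result — topics carrying `tag` only, or an empty list — is not obvious from the commit, so pinning it would document the intended behaviour. The enclosing describe block starts before this hunk.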