SECURITY: Prevent dismissal of topics that user can't see (#22086)

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
2025-02-25 18:55:32 -06:00 · 2023-06-13 11:08:55 -06:00
parent 644dded000
commit dcceb91000
4 changed files with 238 additions and 29 deletions
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@@ -1045,39 +1045,47 @@ class TopicsController < ApplicationController
  end

  def reset_new
+    topic_scope =
+      if current_user.new_new_view_enabled?
+        if (params[:dismiss_topics] && params[:dismiss_posts])
+          TopicQuery.new(current_user).new_and_unread_results(limit: false)
+        elsif params[:dismiss_topics]
+          TopicQuery.new(current_user).new_results(limit: false)
+        elsif params[:dismiss_posts]
+          TopicQuery.new(current_user).unread_results(limit: false)
+        else
+          Topic.none
+        end
+      else
+        TopicQuery.new(current_user).new_results(limit: false)
+      end
+    if tag_name = params[:tag_id]
+      tag_name = DiscourseTagging.visible_tags(guardian).where(name: tag_name).pluck(:name).first
+    end
    topic_scope =
      if params[:category_id].present?
-        category_ids = [params[:category_id]]
-        if params[:include_subcategories] == "true"
+        category_ids = [params[:category_id].to_i]
+        if ActiveModel::Type::Boolean.new.cast(params[:include_subcategories])
          category_ids =
            category_ids.concat(Category.where(parent_category_id: params[:category_id]).pluck(:id))
        end

-        scope = Topic.where(category_id: category_ids)
-        scope = scope.joins(:tags).where(tags: { name: params[:tag_id] }) if params[:tag_id]
+        category_ids &= guardian.allowed_category_ids
+        if category_ids.blank?
+          scope = topic_scope.none
+        else
+          scope = topic_scope.where(category_id: category_ids)
+          scope = scope.joins(:tags).where(tags: { name: tag_name }) if tag_name
+        end
        scope
-      elsif params[:tag_id].present?
-        Topic.joins(:tags).where(tags: { name: params[:tag_id] })
+      elsif tag_name.present?
+        topic_scope.joins(:tags).where(tags: { name: tag_name })
      else
-        new_results =
-          if current_user.new_new_view_enabled?
-            if (params[:dismiss_topics] && params[:dismiss_posts])
-              TopicQuery.new(current_user).new_and_unread_results(limit: false)
-            elsif params[:dismiss_topics]
-              TopicQuery.new(current_user).new_results(limit: false)
-            elsif params[:dismiss_posts]
-              TopicQuery.new(current_user).unread_results(limit: false)
-            else
-              Topic.none
-            end
-          else
-            TopicQuery.new(current_user).new_results(limit: false)
-          end
        if params[:tracked].to_s == "true"
-          TopicQuery.tracked_filter(new_results, current_user.id)
+          TopicQuery.tracked_filter(topic_scope, current_user.id)
        else
          current_user.user_stat.update_column(:new_since, Time.zone.now)
-          new_results
+          topic_scope
        end
      end

@@ -1086,7 +1094,7 @@ class TopicsController < ApplicationController
        raise Discourse::InvalidParameters.new("Expecting topic_ids to contain a list of topic ids")
      end

-      topic_ids = params[:topic_ids].map { |t| t.to_i }
+      topic_ids = params[:topic_ids].map(&:to_i)
      topic_scope = topic_scope.where(id: topic_ids)
    end

@@ -1097,7 +1105,6 @@ class TopicsController < ApplicationController
        TopicsBulkAction.new(current_user, topic_scope.pluck(:id), type: "dismiss_topics").perform!
      TopicTrackingState.publish_dismiss_new(current_user.id, topic_ids: dismissed_topic_ids)
    end
-
    if params[:dismiss_posts]
      if params[:untrack]
        dismissed_post_topic_ids =