discourse/app/serializers/category_serializer.rb

# frozen_string_literal: true

class CategorySerializer < SiteCategorySerializer
  attributes :read_restricted,
             :available_groups,
             :auto_close_hours,
             :auto_close_based_on_last_post,
             :group_permissions,
             :position,
             :email_in,
             :email_in_allow_strangers,
             :mailinglist_mirror,
             :all_topics_wiki,
             :allow_unlimited_owner_edits_on_first_post,
             :can_delete,
             :cannot_delete_reason,
             :is_special,
             :allow_badges,
             :custom_fields,
             :topic_featured_link_allowed,
             :search_priority,
             :reviewable_by_group_name,
             :default_slow_mode_seconds

  def reviewable_by_group_name
    object.reviewable_by_group.name
  end

  def include_reviewable_by_group_name?
    SiteSetting.enable_category_group_moderation? && object.reviewable_by_group_id.present?
  end

  def group_permissions
    @group_permissions ||=
      begin
        perms =
          object
            .category_groups
            .joins(:group)
            .includes(:group)
            .merge(Group.visible_groups(scope&.user, "groups.name ASC", include_everyone: true))
            .map { |cg| { permission_type: cg.permission_type, group_name: cg.group.name } }

        if perms.length == 0 && !object.read_restricted
          perms << {
            permission_type: CategoryGroup.permission_types[:full],
            group_name: Group[:everyone]&.name.presence || :everyone,
          }
        end

        perms
      end
  end

  def include_group_permissions?
    scope&.can_edit?(object)
  end

  def include_available_groups?
    scope && scope.can_edit?(object)
  end

  def available_groups
    Group.order(:name).pluck(:name) - group_permissions.map { |g| g[:group_name] }
  end

  def can_delete
    true
  end

  def include_is_special?
    [
      SiteSetting.meta_category_id,
      SiteSetting.staff_category_id,
      SiteSetting.uncategorized_category_id,
    ].include? object.id
  end

  def is_special
    true
  end

  def include_can_delete?
    scope && scope.can_delete?(object)
  end

  def include_cannot_delete_reason?
    !include_can_delete? && scope && scope.can_edit?(object)
  end

  def include_email_in?
    scope && scope.can_edit?(object)
  end

  def include_email_in_allow_strangers?
    scope && scope.can_edit?(object)
  end

  def include_notification_level?
    scope && scope.user
  end

  def notification_level
    user = scope && scope.user
    object.notification_level ||
      (user && CategoryUser.where(user: user, category: object).first.try(:notification_level)) ||
      CategoryUser.default_notification_level
  end

  def custom_fields
    object.custom_fields
  end

  def include_custom_fields?
    true
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

UX: Hide "Create Tag" option if user cannot create tag. (#7723) 2019-08-19 04:40:56 -04:00			`class CategorySerializer < SiteCategorySerializer`
FIX: Don't allow parent categories to be deleted. Also, remove duplicated logic and rely on the server response for `can_delete` status. 2014-02-12 17:24:25 -05:00			`attributes :read_restricted,`
			`:available_groups,`
			`:auto_close_hours,`
FEATURE: auto-close topics based on last post 2014-10-10 12:21:44 -04:00			`:auto_close_based_on_last_post,`
FIX: Don't allow parent categories to be deleted. Also, remove duplicated logic and rely on the server response for `can_delete` status. 2014-02-12 17:24:25 -05:00			`:group_permissions,`
			`:position,`
Add Email-In-Per-Category - allow the configuration of an inbox-email-address per category - post emails to that email into that category instead of global - Adds UI for configuration - Adds Documentation for configuration - Adds Tests for new feature 2014-02-27 07:44:21 -05:00			`:email_in,`
Add public-inbox to Email-In-Feature - Adds the advanced option to accept email from non-users per category email-address - Adds tests covering the new feature - Adds UI to configure this feature in the frontend 2014-02-27 10:36:33 -05:00			`:email_in_allow_strangers,`
FEATURE: category setting for mailinglist mirror 2017-11-15 11:36:52 -05:00			`:mailinglist_mirror,`
FEATURE: Category setting to make all topics wikis FEATURE: Category setting to make all topics wikis 2016-12-18 08:38:55 -05:00			`:all_topics_wiki,`
FEATURE: Category setting to allow unlimited first post edits by the owner of the topic (#12690) This PR adds a new category setting which is a column in the `categories` table, `allow_unlimited_owner_edits_on_first_post`. What this does is: * Inside the `can_edit_post?` method of `PostGuardian`, if the current user editing a post is the owner of the post, it is the first post, and the topic's category has `allow_unlimited_owner_edits_on_first_post`, then we bypass the check for `LimitedEdit#edit_time_limit_expired?` on that post. * Also, similar to wiki topics, in `PostActionNotifier#after_create_post_revision` we send a notification to all users watching a topic when the OP is edited in a topic with the category setting `allow_unlimited_owner_edits_on_first_post` enabled. This is useful for forums where there is a Marketplace or similar category, where topics are created and then updated indefinitely by the OP rather than the OP making new topics or additional replies. In a way this acts similar to a wiki that only one person can edit. 2021-04-14 01:54:09 -04:00			`:allow_unlimited_owner_edits_on_first_post,`
BUGFIX: incorrect ordering in category permissions FEATURE: UI for categories that we allow badges on 2014-07-09 22:01:46 -04:00			`:can_delete,`
FEATURE: show a reason why a category can't be deleted 2014-07-16 15:43:44 -04:00			`:cannot_delete_reason,`
FIX: Don't allow editing seeded category security settings 2015-09-10 17:04:21 -04:00			`:is_special,`
FEATURE: serialize and update category custom_fields - send to client - update from client 2015-06-09 16:07:37 -04:00			`:allow_badges,`
FEATURE: restrict tags to be used in a category 2016-05-30 16:37:06 -04:00			`:custom_fields,`
FEATURE: Ability to exclude category from search results. (#7194) This commit also adds `Category#search_priority` which sets the ground work to enable prioritizing of posts for certain categories when searching. 2019-03-18 03:25:45 -04:00			`:topic_featured_link_allowed,`
FEATURE: Category Reviewable by Group Allow a group to review content in a particular category. 2019-04-17 17:12:32 -04:00			`:search_priority,`
FEATURE: Per-category default slow mode duration for topics. When configured, all topics in the category inherits the slow mode duration from the category's default. Note that currently there is no way to remove the slow mode from the topics once it has been set. 2021-06-27 15:46:11 -04:00			`:reviewable_by_group_name,`
			`:default_slow_mode_seconds`
FEATURE: Category Reviewable by Group Allow a group to review content in a particular category. 2019-04-17 17:12:32 -04:00
			`def reviewable_by_group_name`
			`object.reviewable_by_group.name`
			`end`

			`def include_reviewable_by_group_name?`
FEATURE: Allow group moderators to close/archive topics * FEATURE: Allow group moderators to close/archive topics 2020-07-14 12:36:19 -04:00			`SiteSetting.enable_category_group_moderation? && object.reviewable_by_group_id.present?`
FEATURE: Category Reviewable by Group Allow a group to review content in a particular category. 2019-04-17 17:12:32 -04:00			`end`
UI still a tad rough, but we have a first pass of secure categories 2013-05-10 02:47:47 -04:00
work in progress, add fidelity to category group permissions (full, create posts, readonly) 2013-07-13 21:24:16 -04:00			`def group_permissions`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`@group_permissions \|\|=`
			`begin`
			`perms =`
			`object`
			`.category_groups`
			`.joins(:group)`
			`.includes(:group)`
			`.merge(Group.visible_groups(scope&.user, "groups.name ASC", include_everyone: true))`
			`.map { \|cg\| { permission_type: cg.permission_type, group_name: cg.group.name } }`

			`if perms.length == 0 && !object.read_restricted`
			`perms << {`
			`permission_type: CategoryGroup.permission_types[:full],`
			`group_name: Group[:everyone]&.name.presence \|\| :everyone,`
SECURITY: Avoid leaking private group name when viewing category. (#16337) In certain instances when viewing a category, the name of a group with restricted visilbity may be revealed to users which do not have the required permission. 2022-03-31 02:39:01 -04:00			`}`
			`end`

DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`perms`
work in progress, add fidelity to category group permissions (full, create posts, readonly) 2013-07-13 21:24:16 -04:00			`end`
UI still a tad rough, but we have a first pass of secure categories 2013-05-10 02:47:47 -04:00			`end`

SECURITY: Category group permissions leaked to normal users. After this commit, category group permissions can only be seen by users that are allowed to manage a category. In the past, we inadvertently included a category's group permissions settings in `CategoriesController#show` and `CategoriesController#find_by_slug` endpoints for normal users when those settings are only a concern to users that can manage a category. 2022-04-07 23:14:06 -04:00			`def include_group_permissions?`
			`scope&.can_edit?(object)`
			`end`

SECURITY: Do not allow unauthorized access to category edit UI (#13252) 2021-06-02 13:18:45 -04:00			`def include_available_groups?`
			`scope && scope.can_edit?(object)`
			`end`

UI still a tad rough, but we have a first pass of secure categories 2013-05-10 02:47:47 -04:00			`def available_groups`
Finalize read only and post only categories, finished off UI work 2013-07-16 01:44:07 -04:00			`Group.order(:name).pluck(:name) - group_permissions.map { \|g\| g[:group_name] }`
UI still a tad rough, but we have a first pass of secure categories 2013-05-10 02:47:47 -04:00			`end`
Can edit category descriptions, they show up in a `title` attribute 2013-02-21 18:09:56 -05:00
FIX: Don't allow parent categories to be deleted. Also, remove duplicated logic and rely on the server response for `can_delete` status. 2014-02-12 17:24:25 -05:00			`def can_delete`
			`true`
			`end`

Use the json boolean trick 2015-09-11 12:14:45 -04:00			`def include_is_special?`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`[`
			`SiteSetting.meta_category_id,`
			`SiteSetting.staff_category_id,`
			`SiteSetting.uncategorized_category_id,`
			`].include? object.id`
FIX: Don't allow editing seeded category security settings 2015-09-10 17:04:21 -04:00			`end`

Use the json boolean trick 2015-09-11 12:14:45 -04:00			`def is_special`
			`true`
			`end`

FIX: Don't allow parent categories to be deleted. Also, remove duplicated logic and rely on the server response for `can_delete` status. 2014-02-12 17:24:25 -05:00			`def include_can_delete?`
			`scope && scope.can_delete?(object)`
			`end`

FIX: `include_` serializer methods must end with ? (#14407) Otherwise, they are simply dead code and the attribute is visible by default. These bugs did not expose any sensitive information. 2021-09-22 09:01:25 -04:00			`def include_cannot_delete_reason?`
FEATURE: show a reason why a category can't be deleted 2014-07-16 15:43:44 -04:00			`!include_can_delete? && scope && scope.can_edit?(object)`
			`end`

Add Email-In-Per-Category - allow the configuration of an inbox-email-address per category - post emails to that email into that category instead of global - Adds UI for configuration - Adds Documentation for configuration - Adds Tests for new feature 2014-02-27 07:44:21 -05:00			`def include_email_in?`
			`scope && scope.can_edit?(object)`
			`end`

Add public-inbox to Email-In-Feature - Adds the advanced option to accept email from non-users per category email-address - Adds tests covering the new feature - Adds UI to configure this feature in the frontend 2014-02-27 10:36:33 -05:00			`def include_email_in_allow_strangers?`
			`scope && scope.can_edit?(object)`
			`end`

FIX: skip category notification_level unless scoped #b19dcac2 improved the serializer so it sends default notification levels to users to work around cases where a category edit would would result in clients being left with invalid notification state Unfortunately this did not address the root issue. When we edit categories we publish state to multiple users this means that the serializer is executed unscoped with no user. The client already handles this case per: https://github.com/discourse/discourse/blob/dcad720a4ce0aa67e94299ff8370fafd20cc41b2/app/assets/javascripts/discourse/app/models/site.js#L119-L119 If a property is not shipped to it, it will leave it alone on the existing category. This fix ensures that these wide category info updates do not include notification state to avoid corruption of local state. 2020-06-24 03:07:52 -04:00			`def include_notification_level?`
			`scope && scope.user`
			`end`

PERF: fix N+1 on categories page 2016-02-03 07:58:59 -05:00			`def notification_level`
need to allow for now scope 2016-02-03 08:19:08 -05:00			`user = scope && scope.user`
FIX: Include default notification level in category serializer (#9572) Fixes an issue where the notification level state goes missing when user edits a category in the UI. 2020-04-28 12:05:53 -04:00			`object.notification_level \|\|`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`(user && CategoryUser.where(user: user, category: object).first.try(:notification_level)) \|\|`
			`CategoryUser.default_notification_level`
PERF: fix N+1 on categories page 2016-02-03 07:58:59 -05:00			`end`

DEV: Option to preload category custom fields for site serializer 2019-03-16 07:48:57 -04:00			`def custom_fields`
			`object.custom_fields`
			`end`
FIX: Always include custom fields in CategorySerializer even if it is empty 2019-03-24 22:29:56 -04:00
			`def include_custom_fields?`
			`true`
			`end`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`