FIX: Disallow featuring hidden topics (#8814)

2020-01-30 10:00:49 -06:00 · 2020-01-30 10:00:49 -06:00 · 089d38e9d3
parent dc34c24ffe
commit 089d38e9d3
4 changed files with 21 additions and 4 deletions
--- a/app/services/topic_status_updater.rb
+++ b/app/services/topic_status_updater.rb
@ -42,6 +42,10 @@ TopicStatusUpdater = Struct.new(:topic, :user) do
      DiscourseEvent.trigger(:topic_closed, topic)
    end

+    if status.visible? && status.disabled?
+      UserProfile.remove_featured_topic_from_all_profiles(topic)
+    end
+
    if @topic_status_update
      if status.manually_closing_topic? || status.closing_topic?
        topic.delete_topic_timer(TopicTimer.types[:close])
--- a/lib/guardian/user_guardian.rb
+++ b/lib/guardian/user_guardian.rb
@ -127,6 +127,7 @@ module UserGuardian
  def can_feature_topic?(user, topic)
    return false if !SiteSetting.allow_featured_topic_on_user_profiles?
    return false if !is_me?(user) && !is_staff?
+    return false if !topic.visible
    return false if topic.read_restricted_category? || topic.private_message?
    true
  end
--- a/spec/models/topic_spec.rb
+++ b/spec/models/topic_spec.rb
@ -986,16 +986,21 @@ describe Topic do

    context 'visibility' do
      context 'disable' do
-        before do
+        it 'should not be visible and have correct counts' do
          topic.update_status('visible', false, @user)
          topic.reload
-        end
-
-        it 'should not be visible and have correct counts' do
          expect(topic).not_to be_visible
          expect(topic.moderator_posts_count).to eq(1)
          expect(topic.bumped_at.to_f).to be_within(1e-4).of(@original_bumped_at)
        end
+
+        it 'removes itself as featured topic on user profiles' do
+          user.user_profile.update(featured_topic_id: topic.id)
+          expect(user.user_profile.featured_topic).to eq(topic)
+
+          topic.update_status('visible', false, @user)
+          expect(user.user_profile.reload.featured_topic).to eq(nil)
+        end
      end

      context 'enable' do
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -3923,6 +3923,13 @@ describe UsersController do
        expect(response.status).to eq(403)
      end

+      it "returns an error if the topic is not visible" do
+        sign_in(user)
+        topic.update_status('visible', false, user)
+        put "/u/#{user.username}/feature-topic.json", params: { topic_id: topic.id }
+        expect(response.status).to eq(403)
+      end
+
      it "returns an error if the topic's category is read_restricted" do
        sign_in(user)
        category.set_permissions({})