SECURITY: Update to exclude tag topic filter (#20007)

Ignores tags specified in exclude_tag topics param that a user does not
have access to.

Co-authored-by: Blake Erickson <o.blakeerickson@gmail.com>
This commit is contained in:
Bianca Nenciu 2023-01-25 18:56:28 +02:00 committed by GitHub
parent ecb9aa5dba
commit 15a2af1c21
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 8 deletions

View File

@ -731,14 +731,17 @@ class TopicQuery
result = result.where.not(id: TopicTag.distinct.pluck(:topic_id))
end
result = result.where(<<~SQL, name: @options[:exclude_tag]) if @options[:exclude_tag].present?
topics.id NOT IN (
SELECT topic_tags.topic_id
FROM topic_tags
INNER JOIN tags ON tags.id = topic_tags.tag_id
WHERE tags.name = :name
)
SQL
if @options[:exclude_tag].present? &&
!DiscourseTagging.hidden_tag_names(@guardian).include?(@options[:exclude_tag])
result = result.where(<<~SQL, name: @options[:exclude_tag])
topics.id NOT IN (
SELECT topic_tags.topic_id
FROM topic_tags
INNER JOIN tags ON tags.id = topic_tags.tag_id
WHERE tags.name = :name
)
SQL
end
end
result = apply_ordering(result, options)

View File

@ -408,6 +408,9 @@ RSpec.describe TopicQuery do
fab!(:tagged_topic3) { Fabricate(:topic, tags: [tag, other_tag]) }
fab!(:tagged_topic4) { Fabricate(:topic, tags: [uppercase_tag]) }
fab!(:no_tags_topic) { Fabricate(:topic) }
fab!(:tag_group) do
Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: [other_tag.name])
end
let(:synonym) { Fabricate(:tag, target_tag: tag, name: "synonym") }
it "excludes a tag if desired" do
@ -415,6 +418,11 @@ RSpec.describe TopicQuery do
expect(topics.any? { |t| t.tags.include?(tag) }).to eq(false)
end
it "does not exclude a tagged topic without permission" do
topics = TopicQuery.new(user, exclude_tag: other_tag.name).list_latest.topics
expect(topics.map(&:id)).to include(tagged_topic2.id)
end
it "returns topics with the tag when filtered to it" do
expect(TopicQuery.new(moderator, tags: tag.name).list_latest.topics).to contain_exactly(
tagged_topic1,