From 250625774e0e4b62eb3e2cb5e25dd2106eacbd6d Mon Sep 17 00:00:00 2001 From: Penar Musaraj Date: Mon, 26 Aug 2024 11:18:55 -0400 Subject: [PATCH] SECURITY: prevent topic list filtering by hidden tags for unathorized users This fixes an issue where unathorized users were able to filter topics by tags that are hidden from them. --- lib/topic_query.rb | 4 +++- spec/lib/topic_query_spec.rb | 40 ++++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/lib/topic_query.rb b/lib/topic_query.rb index 036254f1868..1098e6b35e3 100644 --- a/lib/topic_query.rb +++ b/lib/topic_query.rb @@ -1281,7 +1281,9 @@ class TopicQuery if tags_arg && tags_arg.size > 0 tags_arg = tags_arg.split if String === tags_arg - tags_query = tags_arg[0].is_a?(String) ? Tag.where_name(tags_arg) : Tag.where(id: tags_arg) + tags_query = DiscourseTagging.visible_tags(@guardian) + tags_query = + tags_arg[0].is_a?(String) ? tags_query.where_name(tags_arg) : tags_query.where(id: tags_arg) tags = tags_query.select(:id, :target_tag_id).map { |t| t.target_tag_id || t.id }.uniq if ActiveModel::Type::Boolean.new.cast(@options[:match_all_tags]) diff --git a/spec/lib/topic_query_spec.rb b/spec/lib/topic_query_spec.rb index 5325f8ffd1f..4eb8e30c340 100644 --- a/spec/lib/topic_query_spec.rb +++ b/spec/lib/topic_query_spec.rb @@ -572,6 +572,46 @@ RSpec.describe TopicQuery do tagged_topic3, ) end + + context "with hidden tags" do + let(:hidden_tag) { Fabricate(:tag, name: "hidden") } + let!(:staff_tag_group) do + Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: [hidden_tag.name]) + end + let!(:topic_with_hidden_tag) { Fabricate(:topic, tags: [tag, hidden_tag]) } + + it "returns topics with hidden tag to admin" do + expect( + TopicQuery.new(admin, tags: hidden_tag.name).list_latest.topics, + ).to contain_exactly(topic_with_hidden_tag) + end + + it "doesn't return topics with hidden tags to anon" do + expect(TopicQuery.new(nil, tags: hidden_tag.name).list_latest.topics).to be_empty + end + + it "doesn't return topic with hidden tags to non-staff" do + expect(TopicQuery.new(user, tags: hidden_tag.name).list_latest.topics).to be_empty + end + + it "returns topics with hidden tag to admin when using match_all_tags" do + expect( + TopicQuery + .new(admin, tags: [tag.name, hidden_tag.name], match_all_tags: true) + .list_latest + .topics, + ).to contain_exactly(topic_with_hidden_tag) + end + + it "doesn't return topic with hidden tags to non-staff when using match_all_tags" do + expect( + TopicQuery + .new(user, tags: [tag.name, hidden_tag.name], match_all_tags: true) + .list_latest + .topics, + ).to be_empty + end + end end context "when remove_muted_tags is enabled" do