FIX: topics in private sub-categories were visible to everyone on the categories page

2014-06-16 15:11:58 -04:00 · 2014-06-16 15:11:58 -04:00 · 2cd55b1fa2
parent d53ac36818
commit 2cd55b1fa2
2 changed files with 28 additions and 4 deletions
--- a/app/models/category_list.rb
+++ b/app/models/category_list.rb
@ -92,7 +92,7 @@ class CategoryList
      if latest_post_only?
        @all_topics = []
        @categories.each do |c|
-          if c.latest_post && c.latest_post.topic
+          if c.latest_post && c.latest_post.topic && @guardian.can_see?(c.latest_post.topic)
            c.displayable_topics = [c.latest_post.topic]
            topic = c.latest_post.topic
            topic.include_last_poster = true # hint for serialization
@ -108,7 +108,7 @@ class CategoryList
            c.displayable_topics = []
            topics_in_cat.each do |topic_id|
              topic = @topics_by_id[topic_id]
-              if topic.present?
+              if topic.present? && @guardian.can_see?(topic)
                topic.category = c
                c.displayable_topics << topic
              end
--- a/spec/components/category_list_spec.rb
+++ b/spec/components/category_list_spec.rb
@ -9,8 +9,6 @@ describe CategoryList do

  context "security" do
    it "properly hide secure categories" do
-      user = Fabricate(:user)
-
      cat = Fabricate(:category)
      Fabricate(:topic, category: cat)
      cat.set_permissions(:admins => :full)
@ -21,6 +19,32 @@ describe CategoryList do
      CategoryList.new(Guardian.new user).categories.count.should == 0
      CategoryList.new(Guardian.new nil).categories.count.should == 0
    end
+
+    it "doesn't show topics that you can't view" do
+      public_cat = Fabricate(:category) # public category
+      Fabricate(:topic, category: public_cat)
+
+      private_cat = Fabricate(:category) # private category
+      Fabricate(:topic, category: private_cat)
+      private_cat.set_permissions(admins: :full)
+      private_cat.save
+
+      secret_subcat = Fabricate(:category, parent_category_id: public_cat.id) # private subcategory
+      Fabricate(:topic, category: secret_subcat)
+      secret_subcat.set_permissions(admins: :full)
+      secret_subcat.save
+
+      CategoryFeaturedTopic.feature_topics
+
+      CategoryList.new(Guardian.new(admin)).categories.find { |x| x.name == public_cat.name }.displayable_topics.count.should == 2
+      CategoryList.new(Guardian.new(admin)).categories.find { |x| x.name == private_cat.name }.displayable_topics.count.should == 1
+
+      CategoryList.new(Guardian.new(user)).categories.find { |x| x.name == public_cat.name }.displayable_topics.count.should == 1
+      CategoryList.new(Guardian.new(user)).categories.find { |x| x.name == private_cat.name }.should be_nil
+
+      CategoryList.new(Guardian.new(nil)).categories.find { |x| x.name == public_cat.name }.displayable_topics.count.should == 1
+      CategoryList.new(Guardian.new(nil)).categories.find { |x| x.name == private_cat.name }.should be_nil
+    end
  end

  context "with a category" do