FIX: Clean tag before searching for matches

2018-10-22 11:09:06 +01:00 · 2018-10-22 11:09:06 +01:00 · 3377f26eba
parent 37b7afa522
commit 3377f26eba
2 changed files with 12 additions and 3 deletions
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@ -176,18 +176,19 @@ class TagsController < ::ApplicationController
  end

  def search
+    clean_name = DiscourseTagging.clean_tag(params[:q])
    category = params[:categoryId] ? Category.find_by_id(params[:categoryId]) : nil

    # Prioritize exact matches when ordering
    order_query = Tag.sanitize_sql_for_order(
-      ["lower(name) = lower(?) DESC, topic_count DESC", params[:q]]
+      ["lower(name) = lower(?) DESC, topic_count DESC", clean_name]
    )

    tags_with_counts = DiscourseTagging.filter_allowed_tags(
      Tag.order(order_query).limit(params[:limit]),
      guardian,
      for_input: params[:filterForInput],
-      term: params[:q],
+      term: clean_name,
      category: category,
      selected_tags: params[:selected_tags]
    )
@ -196,7 +197,7 @@ class TagsController < ::ApplicationController

    json_response = { results: tags }

-    if Tag.where_name(params[:q]).exists? && !tags.find { |h| h[:id] == params[:q] }
+    if Tag.where_name(clean_name).exists? && !tags.find { |h| h[:id].downcase == clean_name.downcase }
      # filter_allowed_tags determined that the tag entered is not allowed
      json_response[:forbidden] = params[:q]
    end
--- a/spec/requests/tags_controller_spec.rb
+++ b/spec/requests/tags_controller_spec.rb
@ -329,6 +329,14 @@ describe TagsController do
        expect(json["forbidden"]).to be_present
      end

+      it "matches tags after sanitizing input" do
+        yup, nope = Fabricate(:tag, name: 'yup'), Fabricate(:tag, name: 'nope')
+        get "/tags/filter/search.json", params: { q: 'N/ope' }
+        expect(response.status).to eq(200)
+        json = ::JSON.parse(response.body)
+        expect(json["results"].map { |j| j["id"] }.sort).to eq(["nope"])
+      end
+
      it "can return tags that are in secured categories but are allowed to be used" do
        c = Fabricate(:private_category, group: Fabricate(:group))
        Fabricate(:topic, category: c, tags: [Fabricate(:tag, name: "cooltag")])