DEV: Restrict `include:unlisted` search option to users that can view unlisted topics (#27977)

This commit is contained in:
Sérgio Saquetim 2024-07-18 16:33:14 -03:00 committed by GitHub
parent 6a3e12a39c
commit 4b20021033
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 25 additions and 6 deletions

View File

@ -937,7 +937,7 @@ class Search
nil
elsif word =~ /\Ainclude:(invisible|unlisted)\z/i
@include_invisible = true
@include_invisible = true if @guardian.can_see_unlisted_topics?
nil
else
found ? nil : word

View File

@ -2542,18 +2542,37 @@ RSpec.describe Search do
end
describe "include:invisible / include:unlisted" do
it "allows including invisible topics in the results" do
it "allows including invisible topics in the results for users that can see unlisted topics" do
topic = Fabricate(:topic, title: "I am testing a search", visible: false)
post = Fabricate(:post, topic: topic, raw: "this is the first post", post_number: 1)
_post2 = Fabricate(:post, topic: topic, raw: "this is the second post", post_number: 2)
results = Search.execute("testing include:invisible")
results = Search.execute("testing include:invisible", guardian: Guardian.new(admin))
expect(results.posts.map(&:id)).to eq([post.id])
results = Search.execute("testing include:unlisted")
results =
Search.execute(
"testing include:unlisted",
guardian: Guardian.new(Fabricate(:trust_level_4)),
)
expect(results.posts.map(&:id)).to eq([post.id])
results = Search.execute("testing")
results = Search.execute("testing", guardian: Guardian.new(admin))
expect(results.posts).to eq([])
end
it "won't work for users that can't see unlisted topics" do
topic = Fabricate(:topic, title: "I am testing a search", visible: false)
_post = Fabricate(:post, topic: topic, raw: "this is the first post", post_number: 1)
results =
Search.execute("testing include:invisible", guardian: Guardian.new(Fabricate(:user)))
expect(results.posts).to eq([])
results =
Search.execute(
"testing include:unlisted",
guardian: Guardian.new(Fabricate(:trust_level_3)),
)
expect(results.posts).to eq([])
end
end