FIX: error when non-staff user edits their topic after a hidden tag is added to it

2018-04-18 12:51:25 -04:00 · 2018-04-18 12:51:25 -04:00 · 5b93d69939
parent 4810ce3607
commit 5b93d69939
2 changed files with 29 additions and 1 deletions
--- a/lib/discourse_tagging.rb
+++ b/lib/discourse_tagging.rb
@ -11,9 +11,12 @@ module DiscourseTagging
      new_tag_names = tag_names - old_tag_names
      removed_tag_names = old_tag_names - tag_names

+      hidden_tags = DiscourseTagging.hidden_tag_names
+
      # Protect staff-only tags
      unless guardian.is_staff?
-        staff_tags = DiscourseTagging.staff_only_tags(new_tag_names)
+        staff_tags = DiscourseTagging.staff_only_tags(new_tag_names) || []
+        staff_tags += hidden_tags & new_tag_names
        if staff_tags.present?
          topic.errors[:base] << I18n.t("tags.staff_tag_disallowed", tag: staff_tags.join(" "))
          return false
@ -24,6 +27,8 @@ module DiscourseTagging
          topic.errors[:base] << I18n.t("tags.staff_tag_remove_disallowed", tag: staff_tags.join(" "))
          return false
        end
+
+        tag_names += removed_tag_names & hidden_tags
      end

      category = topic.category
--- a/spec/components/discourse_tagging_spec.rb
+++ b/spec/components/discourse_tagging_spec.rb
@ -125,5 +125,28 @@ describe DiscourseTagging do
        expect(topic.errors[:base]).to be_empty
      end
    end
+
+    context 'hidden tags' do
+      let(:hidden_tag) { Fabricate(:tag) }
+      let!(:staff_tag_group) { Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: [hidden_tag.name]) }
+      let(:topic) { Fabricate(:topic, user: user) }
+      let(:post) { Fabricate(:post, user: user, topic: topic, post_number: 1) }
+
+      it 'user cannot add hidden tag by knowing its name' do
+        expect(PostRevisor.new(post).revise!(topic.user, raw: post.raw + " edit", tags: [hidden_tag.name])).to be_falsey
+        expect(topic.reload.tags).to be_empty
+      end
+
+      it 'admin can add hidden tag' do
+        expect(PostRevisor.new(post).revise!(admin, raw: post.raw, tags: [hidden_tag.name])).to be_truthy
+        expect(topic.reload.tags).to eq([hidden_tag])
+      end
+
+      it 'user does not get an error when editing their topic with a hidden tag' do
+        PostRevisor.new(post).revise!(admin, raw: post.raw, tags: [hidden_tag.name])
+        expect(PostRevisor.new(post).revise!(topic.user, raw: post.raw + " edit", tags: [])).to be_truthy
+        expect(topic.reload.tags).to eq([hidden_tag])
+      end
+    end
  end
 end