From 9057272ee242b3bc977e50977b4142066c36c05d Mon Sep 17 00:00:00 2001 From: Martin Brennan Date: Wed, 6 Dec 2023 11:56:21 +1000 Subject: [PATCH] FIX: Use Guardian.basic_user instead of new (anon) (#24705) c.f. de983796e1b66aa2ab039a4fb6e32cec8a65a098 There will soon be additional login_required checks for Guardian, and the intent of many checks by automated systems is better fulfilled by using BasicUser, which simulates a logged in TL0 forum user, rather than an anon user. In some cases the use of anon still makes sense (e.g. anonymous_cache), and in that case the more explicit `Guardian.anon_user` is used --- app/controllers/about_controller.rb | 2 +- app/controllers/email_controller.rb | 2 +- lib/cooked_post_processor.rb | 2 +- lib/middleware/anonymous_cache.rb | 2 +- lib/oneboxer.rb | 2 +- lib/pretty_text/helpers.rb | 2 +- plugins/chat/app/services/chat/publisher.rb | 10 +++------- plugins/chat/lib/chat/onebox_handler.rb | 2 +- plugins/chat/plugin.rb | 2 +- plugins/poll/lib/polls_updater.rb | 2 +- spec/lib/search_spec.rb | 2 +- 11 files changed, 13 insertions(+), 17 deletions(-) diff --git a/app/controllers/about_controller.rb b/app/controllers/about_controller.rb index 002f2e52b06..c007370ee83 100644 --- a/app/controllers/about_controller.rb +++ b/app/controllers/about_controller.rb @@ -22,7 +22,7 @@ class AboutController < ApplicationController end category_topic_ids = Category.select(:topic_id).where.not(topic_id: nil) public_topics = - Topic.listable_topics.visible.secured(Guardian.new(nil)).where.not(id: category_topic_ids) + Topic.listable_topics.visible.secured(Guardian.anon_user).where.not(id: category_topic_ids) stats = { public_topic_count: public_topics.count } stats[:public_post_count] = public_topics.sum(:posts_count) - stats[:public_topic_count] render json: stats diff --git a/app/controllers/email_controller.rb b/app/controllers/email_controller.rb index ed317022724..a7d272eeb52 100644 --- a/app/controllers/email_controller.rb 
+++ b/app/controllers/email_controller.rb @@ -47,6 +47,6 @@ class EmailController < ApplicationController user = User.find_by_email(@email) raise Discourse::NotFound unless user topic = Topic.find_by(id: params[:topic_id].to_i) if @topic_id - @topic = topic if topic && Guardian.new(nil).can_see?(topic) + @topic = topic if topic && Guardian.anon_user.can_see?(topic) end end diff --git a/lib/cooked_post_processor.rb b/lib/cooked_post_processor.rb index bc7fbcf2890..26708091539 100644 --- a/lib/cooked_post_processor.rb +++ b/lib/cooked_post_processor.rb @@ -59,7 +59,7 @@ class CookedPostProcessor end def grant_badges - return if @post.user.blank? || !Guardian.new.can_see?(@post) + return if @post.user.blank? || !Guardian.basic_user.can_see?(@post) BadgeGranter.grant(Badge.find(Badge::FirstEmoji), @post.user, post_id: @post.id) if has_emoji? if @has_oneboxes diff --git a/lib/middleware/anonymous_cache.rb b/lib/middleware/anonymous_cache.rb index d41069c92e0..489afd75db7 100644 --- a/lib/middleware/anonymous_cache.rb +++ b/lib/middleware/anonymous_cache.rb @@ -169,7 +169,7 @@ module Middleware def theme_ids ids, _ = @request.cookies["theme_ids"]&.split("|") id = ids&.split(",")&.map(&:to_i)&.first - if id && Guardian.new.allow_themes?([id]) + if id && Guardian.anon_user.allow_themes?([id]) Theme.transform_ids(id) else [] diff --git a/lib/oneboxer.rb b/lib/oneboxer.rb index dada3904ec3..0f3d9ade066 100644 --- a/lib/oneboxer.rb +++ b/lib/oneboxer.rb @@ -483,7 +483,7 @@ module Oneboxer return unless route[:category_slug_path_with_id] category = Category.find_by_slug_path_with_id(route[:category_slug_path_with_id]) - if Guardian.new.can_see_category?(category) + if Guardian.basic_user.can_see_category?(category) args = { url: category.url, name: category.name, diff --git a/lib/pretty_text/helpers.rb b/lib/pretty_text/helpers.rb index b07951ed79a..53c631f94aa 100644 --- a/lib/pretty_text/helpers.rb +++ b/lib/pretty_text/helpers.rb 
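Review bot: The switch to `Guardian.anon_user` on the `@topic = topic if ...` line deliberately ignores the `user` looked up two lines earlier, but nothing in the code says so, and the commit message warns that login_required gating is coming to Guardian, which will make this line hide the topic title on login_required sites. If that is the intended trade-off, it should be stated so a later reader does not "fix" it by widening to the user's own guardian; the request here appears to be authenticated by whatever populates `@email` (outside the hunk), not by a logged-in session. I would add above the line: `# Intentionally anon: visibility is decided for whoever holds the link, not for the looked-up user.` The enclosing method starts before this hunk.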
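Review bot: The `Guardian.basic_user.can_see_category?(category)` check in lib/oneboxer.rb decides at cook time what gets baked into post HTML (`url: category.url, name: category.name, ...`), and that HTML is later served to every reader of the post, including anonymous readers on sites without login_required. The check is therefore effectively made on behalf of the least-privileged future reader, and moving it from anon to a simulated TL0 user is only safe if BasicUser can see no category that anon cannot, apart from the login_required gating the commit message gives as motivation; the hunk does not show BasicUser's category rules, so this is an assumption worth pinning. I would add a comment such as `# basic_user, not anon: onebox HTML is baked into the post for all future readers, so BasicUser must see no category anon cannot (login_required aside)` and a spec asserting a read-restricted category is not oneboxed. The same reasoning applies to the chat onebox handlers changed later in this patch. The enclosing method starts before and ends after this hunk.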
@@ -89,7 +89,7 @@ module PrettyText return unless topic_id.is_a?(Integer) # TODO this only handles public topics, secured one do not get this topic = Topic.find_by(id: topic_id) - if topic && Guardian.new.can_see?(topic) + if topic && Guardian.basic_user.can_see?(topic) { title: Rack::Utils.escape_html(topic.title), href: topic.url } elsif topic { title: I18n.t("on_another_topic"), href: Discourse.base_url + topic.slugless_url } diff --git a/plugins/chat/app/services/chat/publisher.rb b/plugins/chat/app/services/chat/publisher.rb index f960f679abe..0bd307dd0aa 100644 --- a/plugins/chat/app/services/chat/publisher.rb +++ b/plugins/chat/app/services/chat/publisher.rb @@ -52,7 +52,7 @@ module Chat message: Chat::MessageSerializer.new( chat_message, - { scope: anonymous_guardian, root: false }, + { scope: Guardian.anon_user, root: false }, ).as_json, }, permissions(chat_channel), @@ -69,7 +69,7 @@ module Chat message: Chat::MessageSerializer.new( chat_message, - { scope: anonymous_guardian, root: false }, + { scope: Guardian.anon_user, root: false }, ).as_json, }, permissions(chat_channel), @@ -258,7 +258,7 @@ module Chat def self.serialize_message_with_type(chat_message, type, options = {}) Chat::MessageSerializer - .new(chat_message, { scope: anonymous_guardian, root: :chat_message }) + .new(chat_message, { scope: Guardian.anon_user, root: :chat_message }) .as_json .merge(type: type) .merge(options) @@ -470,9 +470,5 @@ module Chat group_ids: channel.allowed_group_ids.presence, }.compact end - - def self.anonymous_guardian - Guardian.new(nil) - end end end diff --git a/plugins/chat/lib/chat/onebox_handler.rb b/plugins/chat/lib/chat/onebox_handler.rb index 3715dc9964d..1a6b6f9e8d2 100644 --- a/plugins/chat/lib/chat/onebox_handler.rb +++ b/plugins/chat/lib/chat/onebox_handler.rb 
@@ -19,7 +19,7 @@ module Chat thread = Chat::Thread.find_by(id: route[:thread_id]) if route[:thread_id] end - return if !Guardian.new.can_preview_chat_channel?(chat_channel) + return if !Guardian.basic_user.can_preview_chat_channel?(chat_channel) args = build_args(url, chat_channel) diff --git a/plugins/chat/plugin.rb b/plugins/chat/plugin.rb index af5d8b3292b..4645ffe64d5 100644 --- a/plugins/chat/plugin.rb +++ b/plugins/chat/plugin.rb @@ -105,7 +105,7 @@ after_initialize do end end - next if !Guardian.new.can_preview_chat_channel?(chat_channel) + next if !Guardian.basic_user.can_preview_chat_channel?(chat_channel) { url: url, title: title } end diff --git a/plugins/poll/lib/polls_updater.rb b/plugins/poll/lib/polls_updater.rb index 22c74fd8104..a125329f635 100644 --- a/plugins/poll/lib/polls_updater.rb +++ b/plugins/poll/lib/polls_updater.rb @@ -114,7 +114,7 @@ module DiscoursePoll polls, each_serializer: PollSerializer, root: false, - scope: Guardian.new(nil), + scope: Guardian.basic_user, ).as_json post.publish_message!("/polls/#{post.topic_id}", post_id: post.id, polls: polls) end diff --git a/spec/lib/search_spec.rb b/spec/lib/search_spec.rb index 4ebc44caebc..c8922c16c82 100644 --- a/spec/lib/search_spec.rb +++ b/spec/lib/search_spec.rb @@ -1988,7 +1988,7 @@ RSpec.describe Search do expect( Search - .execute("test created:@#{another_user.username}", guardian: Guardian.new()) + .execute("test created:@#{another_user.username}", guardian: Guardian.basic_user) .posts .length, ).to eq(1)
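Review bot: In plugins/poll/lib/polls_updater.rb the serializer `scope:` for a payload published once to `/polls/#{post.topic_id}` moves from anon to `Guardian.basic_user`, whereas the Chat::Publisher hunks in this same patch keep `Guardian.anon_user` for exactly this fan-out pattern. A scope passed to `PollSerializer` for a broadcast message is evaluated once and delivered to every subscriber, so any attribute the serializer gates on `scope.user` (result or voter visibility, presumably) is now computed for a logged-in viewer and pushed to anonymous subscribers of public topics as well. Unless PollSerializer has no scope-dependent fields, the least-privileged recipient is the right scope here: `scope: Guardian.anon_user,` with a short comment that the payload is shared by all topic subscribers. The enclosing method starts before this hunk.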