SECURITY: Update to exclude tag topic filter (#20006)
Ignores tags specified in exclude_tag topics param that a user does not have access to. Co-authored-by: Blake Erickson <o.blakeerickson@gmail.com>
This commit is contained in:
parent
105fee978d
commit
f55e0fe791
|
@ -735,7 +735,9 @@ class TopicQuery
|
|||
result = result.where.not(id: TopicTag.distinct.pluck(:topic_id))
|
||||
end
|
||||
|
||||
result = result.where(<<~SQL, name: @options[:exclude_tag]) if @options[:exclude_tag].present?
|
||||
if @options[:exclude_tag].present? &&
|
||||
!DiscourseTagging.hidden_tag_names(@guardian).include?(@options[:exclude_tag])
|
||||
result = result.where(<<~SQL, name: @options[:exclude_tag])
|
||||
topics.id NOT IN (
|
||||
SELECT topic_tags.topic_id
|
||||
FROM topic_tags
|
||||
|
@ -744,6 +746,7 @@ class TopicQuery
|
|||
)
|
||||
SQL
|
||||
end
|
||||
end
|
||||
|
||||
result = apply_ordering(result, options)
|
||||
|
||||
|
|
|
@ -409,6 +409,9 @@ RSpec.describe TopicQuery do
|
|||
fab!(:tagged_topic3) { Fabricate(:topic, tags: [tag, other_tag]) }
|
||||
fab!(:tagged_topic4) { Fabricate(:topic, tags: [uppercase_tag]) }
|
||||
fab!(:no_tags_topic) { Fabricate(:topic) }
|
||||
fab!(:tag_group) do
|
||||
Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: [other_tag.name])
|
||||
end
|
||||
let(:synonym) { Fabricate(:tag, target_tag: tag, name: "synonym") }
|
||||
|
||||
it "excludes a tag if desired" do
|
||||
|
@ -416,6 +419,11 @@ RSpec.describe TopicQuery do
|
|||
expect(topics.any? { |t| t.tags.include?(tag) }).to eq(false)
|
||||
end
|
||||
|
||||
it "does not exclude a tagged topic without permission" do
|
||||
topics = TopicQuery.new(user, exclude_tag: other_tag.name).list_latest.topics
|
||||
expect(topics.map(&:id)).to include(tagged_topic2.id)
|
||||
end
|
||||
|
||||
it "returns topics with the tag when filtered to it" do
|
||||
expect(TopicQuery.new(moderator, tags: tag.name).list_latest.topics).to contain_exactly(
|
||||
tagged_topic1,
|
||||
|
|
Loading…
Reference in New Issue