FIX: Do not return channels for hashtags if user cannot chat (#19417)

Previously with this experimental feature a user would be able to search for public channels for public categories using the new #hashtag system even if they couldn't chat. This commit fixes the hole.
2022-12-12 12:24:41 +10:00 · 2022-12-12 12:24:41 +10:00 · f5b464ead5
parent ab4158d257
commit f5b464ead5
2 changed files with 26 additions and 1 deletions
--- a/plugins/chat/lib/chat_channel_hashtag_data_source.rb
+++ b/plugins/chat/lib/chat_channel_hashtag_data_source.rb
@ -18,6 +18,7 @@ class Chat::ChatChannelHashtagDataSource

  def self.lookup(guardian, slugs)
    if SiteSetting.enable_experimental_hashtag_autocomplete
+      return [] if !guardian.can_chat?(guardian.user)
      Chat::ChatChannelFetcher
        .secured_public_channel_slug_lookup(guardian, slugs)
        .map { |channel| channel_to_hashtag_item(guardian, channel) }
@ -28,6 +29,7 @@ class Chat::ChatChannelHashtagDataSource

  def self.search(guardian, term, limit)
    if SiteSetting.enable_experimental_hashtag_autocomplete
+      return [] if !guardian.can_chat?(guardian.user)
      Chat::ChatChannelFetcher
        .secured_public_channel_search(
          guardian,
@ -47,6 +49,7 @@ class Chat::ChatChannelHashtagDataSource

  def self.search_without_term(guardian, limit)
    if SiteSetting.enable_experimental_hashtag_autocomplete
+      return [] if !guardian.can_chat?(guardian.user)
      allowed_channel_ids_sql =
        Chat::ChatChannelFetcher.generate_allowed_channel_ids_sql(
          guardian,
--- a/plugins/chat/spec/lib/chat_channel_hashtag_data_source_spec.rb
+++ b/plugins/chat/spec/lib/chat_channel_hashtag_data_source_spec.rb
@ -26,7 +26,11 @@ RSpec.describe Chat::ChatChannelHashtagDataSource do
  end
  let!(:guardian) { Guardian.new(user) }

-  before { SiteSetting.enable_experimental_hashtag_autocomplete = true }
+  before do
+    SiteSetting.enable_experimental_hashtag_autocomplete = true
+    SiteSetting.chat_allowed_groups = Group::AUTO_GROUPS[:trust_level_1]
+    Group.refresh_automatic_groups!
+  end

  describe "#lookup" do
    it "finds a channel by a slug" do
@ -67,6 +71,12 @@ RSpec.describe Chat::ChatChannelHashtagDataSource do
      result = described_class.lookup(guardian, []).first
      expect(result).to eq(nil)
    end
+
+    it "returns nothing if the user cannot chat" do
+      SiteSetting.chat_allowed_groups = Group::AUTO_GROUPS[:staff]
+      Group.refresh_automatic_groups!
+      expect(described_class.lookup(Guardian.new(user), ["random"])).to be_empty
+    end
  end

  describe "#search" do
@ -123,6 +133,12 @@ RSpec.describe Chat::ChatChannelHashtagDataSource do
        },
      )
    end
+
+    it "returns nothing if the user cannot chat" do
+      SiteSetting.chat_allowed_groups = Group::AUTO_GROUPS[:staff]
+      Group.refresh_automatic_groups!
+      expect(described_class.search(Guardian.new(user), "rand", 10)).to be_empty
+    end
  end

  describe "#search_without_term" do
@ -160,5 +176,11 @@ RSpec.describe Chat::ChatChannelHashtagDataSource do
      membership3.update!(following: false)
      expect(described_class.search_without_term(guardian, 5).map(&:slug)).to eq(%w[chat random])
    end
+
+    it "returns nothing if the user cannot chat" do
+      SiteSetting.chat_allowed_groups = Group::AUTO_GROUPS[:staff]
+      Group.refresh_automatic_groups!
+      expect(described_class.search_without_term(Guardian.new(user), 10)).to be_empty
+    end
  end
 end