From f5b464ead5839a02aa07d167f396987f0e9b4da0 Mon Sep 17 00:00:00 2001
From: Martin Brennan
Date: Mon, 12 Dec 2022 12:24:41 +1000
Subject: [PATCH] FIX: Do not return channels for hashtags if user cannot chat (#19417)
Previously with this experimental feature a user would be able to search for public channels for public categories using the new #hashtag system even if they couldn't chat. This commit fixes the hole.
---
 .../lib/chat_channel_hashtag_data_source.rb | 3 +++
 .../chat_channel_hashtag_data_source_spec.rb | 24 ++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/plugins/chat/lib/chat_channel_hashtag_data_source.rb b/plugins/chat/lib/chat_channel_hashtag_data_source.rb
index 8073914b789..9540770c366 100644
--- a/plugins/chat/lib/chat_channel_hashtag_data_source.rb
+++ b/plugins/chat/lib/chat_channel_hashtag_data_source.rb
@@ -18,6 +18,7 @@ class Chat::ChatChannelHashtagDataSource
 def self.lookup(guardian, slugs)
 if SiteSetting.enable_experimental_hashtag_autocomplete
+ return [] if !guardian.can_chat?(guardian.user)
 Chat::ChatChannelFetcher
 .secured_public_channel_slug_lookup(guardian, slugs)
 .map { |channel| channel_to_hashtag_item(guardian, channel) }
@@ -28,6 +29,7 @@ class Chat::ChatChannelHashtagDataSource
 def self.search(guardian, term, limit)
 if SiteSetting.enable_experimental_hashtag_autocomplete
+ return [] if !guardian.can_chat?(guardian.user)
 Chat::ChatChannelFetcher
 .secured_public_channel_search(
 guardian,
@@ -47,6 +49,7 @@ class Chat::ChatChannelHashtagDataSource
 def self.search_without_term(guardian, limit)
 if SiteSetting.enable_experimental_hashtag_autocomplete
+ return [] if !guardian.can_chat?(guardian.user)
 allowed_channel_ids_sql =
 Chat::ChatChannelFetcher.generate_allowed_channel_ids_sql(
 guardian,
diff --git a/plugins/chat/spec/lib/chat_channel_hashtag_data_source_spec.rb b/plugins/chat/spec/lib/chat_channel_hashtag_data_source_spec.rb
index 5c7ca643a1d..30358123622 100644
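Review bot: The guard `return [] if !guardian.can_chat?(guardian.user)` is pasted separately into `lookup`, `search` and `search_without_term`, so the permission check holds only as long as every future entry point of this data source remembers to repeat it. Since the `Chat::ChatChannelFetcher` helpers called here already receive the guardian, enforcing the check there (or in one private class method that all three call) would make the class fail closed by default; whether other callers of the fetcher depend on the current behaviour is not visible in this diff. At minimum add a comment above each guard, e.g. `# Users outside chat_allowed_groups must not learn channel names, even for public categories.` All three method bodies continue past their hunks, so what the non-experimental branch returns cannot be checked from here.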
--- a/plugins/chat/spec/lib/chat_channel_hashtag_data_source_spec.rb
+++ b/plugins/chat/spec/lib/chat_channel_hashtag_data_source_spec.rb
@@ -26,7 +26,11 @@ RSpec.describe Chat::ChatChannelHashtagDataSource do
 end
 let!(:guardian) { Guardian.new(user) }
- before { SiteSetting.enable_experimental_hashtag_autocomplete = true }
+ before do
+ SiteSetting.enable_experimental_hashtag_autocomplete = true
+ SiteSetting.chat_allowed_groups = Group::AUTO_GROUPS[:trust_level_1]
+ Group.refresh_automatic_groups!
+ end
 describe "#lookup" do
 it "finds a channel by a slug" do
@@ -67,6 +71,12 @@ RSpec.describe Chat::ChatChannelHashtagDataSource do
 result = described_class.lookup(guardian, []).first
 expect(result).to eq(nil)
 end
+
+ it "returns nothing if the user cannot chat" do
+ SiteSetting.chat_allowed_groups = Group::AUTO_GROUPS[:staff]
+ Group.refresh_automatic_groups!
+ expect(described_class.lookup(Guardian.new(user), ["random"])).to be_empty
+ end
 end
 describe "#search" do
@@ -123,6 +133,12 @@ RSpec.describe Chat::ChatChannelHashtagDataSource do
 },
 )
 end
+
+ it "returns nothing if the user cannot chat" do
+ SiteSetting.chat_allowed_groups = Group::AUTO_GROUPS[:staff]
+ Group.refresh_automatic_groups!
+ expect(described_class.search(Guardian.new(user), "rand", 10)).to be_empty
+ end
 end
 describe "#search_without_term" do
@@ -160,5 +176,11 @@ RSpec.describe Chat::ChatChannelHashtagDataSource do
 membership3.update!(following: false)
 expect(described_class.search_without_term(guardian, 5).map(&:slug)).to eq(%w[chat random])
 end
+
+ it "returns nothing if the user cannot chat" do
+ SiteSetting.chat_allowed_groups = Group::AUTO_GROUPS[:staff]
+ Group.refresh_automatic_groups!
+ expect(described_class.search_without_term(Guardian.new(user), 10)).to be_empty
+ end
 end
 end
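Review bot: The three new "returns nothing if the user cannot chat" examples (in the `#lookup`, `#search` and `#search_without_term` hunks) only cover a logged-in user who is outside `chat_allowed_groups`; an anonymous guardian is never exercised. The guard under test calls `guardian.can_chat?(guardian.user)`, and how that behaves when the guardian has no real user is not visible in this diff, so one example per method such as `expect(described_class.lookup(Guardian.new, ["random"])).to be_empty` would pin it down. It would also keep the negative cases from passing vacuously to assert, in the same example, that the call returns the channel before `chat_allowed_groups` is switched to staff.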