FIX: staff-only tags visible on /tags page when restricted to a category

If a tag group was set to be visible only to staff, and was restricted
to a category that is visible to everyone, the tags in the group were
shown on the /tags page. They weren't visible anywhere else.
This commit fixes it so they no longer show on the /tags page.
Neil Lalonde 2019-04-29 12:38:28 -04:00
parent 56f6065393
commit f8f7091e57
2 changed files with 36 additions and 18 deletions


@ -68,14 +68,19 @@ class TagGroup < ActiveRecord::Base
if guardian.is_staff?
TagGroup
else
# (
# tag group is restricted to a category you can see
# OR
# tag group is not restricted to any categories
# )
# AND tag group can be seen by everyone
filter_sql = <<~SQL
(
id IN (SELECT tag_group_id FROM category_tag_groups WHERE category_id IN (?))
) OR (
OR
id NOT IN (SELECT tag_group_id FROM category_tag_groups)
AND
id IN (SELECT tag_group_id FROM tag_group_permissions WHERE group_id = ?)
)
AND id IN (SELECT tag_group_id FROM tag_group_permissions WHERE group_id = ?)
SQL
TagGroup.where(filter_sql, guardian.allowed_category_ids, Group::AUTO_GROUPS[:everyone])
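Review bot: The filter refers to a bare `id` in every predicate, including the newly added `AND id IN (SELECT tag_group_id FROM tag_group_permissions WHERE group_id = ?)`, so the scope becomes ambiguous if a caller joins another table that also has an `id` column. Qualifying it (presumably `tag_groups.id`, going by the model name) keeps this authorization filter safe to compose. Separately, `id NOT IN (SELECT tag_group_id FROM category_tag_groups)` matches nothing if that subquery ever returns a NULL, which fails closed but would hide every unrestricted group. A `NOT EXISTS` form avoids that unless the column is already NOT NULL, which is not visible here. The enclosing method starts and ends outside the hunk.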


@ -52,24 +52,37 @@ describe TagGroup do
staff_only_tag_group.save!
end
it "returns correct groups based on category & tag group permissions" do
expect(TagGroup.visible(Guardian.new(admin)).pluck(:name)).to match_array(TagGroup.pluck(:name))
expect(TagGroup.visible(Guardian.new(moderator)).pluck(:name)).to match_array(TagGroup.pluck(:name))
shared_examples "correct visible tag groups" do
it "returns correct groups based on category & tag group permissions" do
expect(TagGroup.visible(Guardian.new(admin)).pluck(:name)).to match_array(TagGroup.pluck(:name))
expect(TagGroup.visible(Guardian.new(moderator)).pluck(:name)).to match_array(TagGroup.pluck(:name))
expect(TagGroup.visible(Guardian.new(user2)).pluck(:name)).to match_array([
public_tag_group.name, unrestricted_tag_group.name, private_tag_group.name,
everyone_tag_group.name, visible_tag_group.name,
])
expect(TagGroup.visible(Guardian.new(user2)).pluck(:name)).to match_array([
public_tag_group.name, unrestricted_tag_group.name, private_tag_group.name,
everyone_tag_group.name, visible_tag_group.name,
])
expect(TagGroup.visible(Guardian.new(user1)).pluck(:name)).to match_array([
public_tag_group.name, unrestricted_tag_group.name, everyone_tag_group.name,
visible_tag_group.name,
])
expect(TagGroup.visible(Guardian.new(user1)).pluck(:name)).to match_array([
public_tag_group.name, unrestricted_tag_group.name, everyone_tag_group.name,
visible_tag_group.name,
])
expect(TagGroup.visible(Guardian.new(nil)).pluck(:name)).to match_array([
public_tag_group.name, unrestricted_tag_group.name, everyone_tag_group.name,
visible_tag_group.name,
])
expect(TagGroup.visible(Guardian.new(nil)).pluck(:name)).to match_array([
public_tag_group.name, unrestricted_tag_group.name, everyone_tag_group.name,
visible_tag_group.name,
])
end
end
include_examples "correct visible tag groups"
context "staff-only tag group restricted to a public category" do
before do
public_category.allowed_tag_groups = [public_tag_group.name, staff_only_tag_group.name]
private_category.allowed_tag_groups = [private_tag_group.name, staff_only_tag_group.name]
end
include_examples "correct visible tag groups"
end
end
end
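Review bot: The regression is pinned only at the `TagGroup.visible` scope, while the commit message describes the leak as appearing on the /tags page, and with two changed files nothing here exercises that endpoint. Assuming the page is built from this scope, a request-level example that loads /tags as an anonymous user and as a regular user, and asserts the staff-only group's tags are absent, would catch a later change that bypasses the scope. Inside the shared example all five guardian expectations sit in one `it`, so the first failure hides the rest; `it "returns correct groups based on category & tag group permissions", :aggregate_failures do` would report every guardian that regresses. The `describe` block starts outside the hunk.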