From fd7bb8e65662efc9f9a7175a783cede97d6f2baa Mon Sep 17 00:00:00 2001
From: Robin Ward <robin.ward@gmail.com>
Date: Thu, 28 Jun 2018 11:03:36 -0400
Subject: [PATCH] FIX: Scope the `cn` to the subfolder

---
 .../javascripts/discourse/widgets/notification-item.js.es6    | 3 ++-
 app/controllers/application_controller.rb                     | 4 +++-
 spec/requests/topics_controller_spec.rb                       | 2 ++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/app/assets/javascripts/discourse/widgets/notification-item.js.es6 b/app/assets/javascripts/discourse/widgets/notification-item.js.es6
index 25366a4a403..770f0dbeb13 100644
--- a/app/assets/javascripts/discourse/widgets/notification-item.js.es6
+++ b/app/assets/javascripts/discourse/widgets/notification-item.js.es6
@@ -143,7 +143,8 @@ createWidget("notification-item", {
     const id = this.attrs.id;
     setTransientHeader("Discourse-Clear-Notifications", id);
     if (document && document.cookie) {
-      document.cookie = `cn=${id}; expires=Fri, 31 Dec 9999 23:59:59 GMT`;
+      let path = Discourse.BaseUri || "/";
+      document.cookie = `cn=${id}; path=${path}; expires=Fri, 31 Dec 9999 23:59:59 GMT`;
     }
     if (wantsNewWindow(e)) {
       return;
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b9929a9e283..83f2feb4599 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -257,7 +257,9 @@ class ApplicationController < ActionController::Base
         Notification.read(current_user, notification_ids)
         current_user.reload
         current_user.publish_notifications_state
-        cookies.delete('cn')
+        cookie_args = {}
+        cookie_args[:path] = Discourse.base_uri if Discourse.base_uri.present?
+        cookies.delete('cn', cookie_args)
       end
     end
   end
diff --git a/spec/requests/topics_controller_spec.rb b/spec/requests/topics_controller_spec.rb
index 39b8e3288e9..2dda7ea7831 100644
--- a/spec/requests/topics_controller_spec.rb
+++ b/spec/requests/topics_controller_spec.rb
@@ -1281,6 +1281,7 @@ RSpec.describe TopicsController do
 
     describe 'clear_notifications' do
       it 'correctly clears notifications if specified via cookie' do
+        Discourse.stubs(:base_uri).returns("/eviltrout")
         notification = Fabricate(:notification)
         sign_in(notification.user)
 
@@ -1290,6 +1291,7 @@ RSpec.describe TopicsController do
 
         expect(response.status).to eq(200)
         expect(response.cookies['cn']).to eq(nil)
+        expect(response.headers['Set-Cookie']).to match(/^cn=;.*path=\/eviltrout/)
 
         notification.reload
         expect(notification.read).to eq(true)