Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/app/controllers
History
Alan Guo Xiang Tan f122f24b35
SECURITY: Default tags to show count of topics in unrestricted categories (#19916) 
Currently, `Tag#topic_count` is a count of all regular topics regardless of whether the topic is in a read restricted category or not. As a result, any users can technically poll a sensitive tag to determine if a new topic is created in a category which the user has not excess to. We classify this as a minor leak in sensitive information.

The following changes are introduced in this commit:

1. Introduce `Tag#public_topic_count` which only count topics which have been tagged with a given tag in public categories.
2. Rename `Tag#topic_count` to `Tag#staff_topic_count` which counts the same way as `Tag#topic_count`. In other words, it counts all topics tagged with a given tag regardless of the category the topic is in. The rename is also done so that we indicate that this column contains sensitive information. 
3. Change all previous spots which relied on `Topic#topic_count` to rely on `Tag.topic_column_count(guardian)` which will return the right "topic count" column to use based on the current scope. 
4. Introduce `SiteSetting.include_secure_categories_in_tag_counts` site setting to allow site administrators to always display the tag topics count using `Tag#staff_topic_count` instead.
 		2023-01-20 09:50:24 +08:00
..
admin FEATURE: Allow group owners promote more owners (#19768) 2023-01-11 16:43:18 +08:00
users DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
about_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
application_controller.rb FIX: Preload user sidebar attrs when `?enable_sidebar=1` (#19843) 2023-01-13 06:47:58 +08:00
associated_groups_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
badges_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
bookmarks_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
bootstrap_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
categories_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
clicks_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
composer_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
composer_messages_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
csp_reports_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
directory_columns_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
directory_items_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
do_not_disturb_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
drafts_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
edit_directory_columns_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
email_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
embed_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
exceptions_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
export_csv_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
extra_locales_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
finish_installation_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
forums_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
groups_controller.rb FEATURE: Allow group owners promote more owners (#19768) 2023-01-11 16:43:18 +08:00
hashtags_controller.rb FEATURE: Allow showing hashtag autocomplete results without term (#19219) 2022-12-08 13:47:59 +10:00
highlight_js_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
inline_onebox_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
invites_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
list_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
metadata_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
new_topic_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
notifications_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
offline_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
onebox_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
permalinks_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
post_action_users_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
post_actions_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
post_readers_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
posts_controller.rb FEATURE: Allow admins to permanently delete revisions (#19913) 2023-01-19 15:09:01 -06:00
presence_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
published_pages_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
push_notification_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
qunit_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
reviewable_claimed_topics_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
reviewables_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
robots_txt_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
safe_mode_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
search_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
session_controller.rb FIX: Ruby 2 backward compatible plugin logout redirect (#19845) 2023-01-12 19:12:20 +08:00
similar_topics_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
site_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
sitemap_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
static_controller.rb DEV: Allow accessing sourcemaps on `/brotli_asset` path (#19894) 2023-01-17 12:49:42 +00:00
steps_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
stylesheets_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
svg_sprite_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
tag_groups_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
tags_controller.rb SECURITY: Default tags to show count of topics in unrestricted categories (#19916) 2023-01-20 09:50:24 +08:00
theme_javascripts_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
topics_controller.rb FEATURE: Extend topic update API scope to allow status updates (#19654) 2023-01-13 01:21:04 +00:00
uploads_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
user_actions_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
user_api_keys_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
user_avatars_controller.rb FEATURE: raise redirect avatar cache to 1 day (#19840) 2023-01-12 12:40:42 +11:00
user_badges_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
user_status_controller.rb FEATURE: User Status API (#19149) 2022-11-24 19:16:28 +04:00
users_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
users_email_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
webhooks_controller.rb FEATURE: Verify email webhook signatures (#19690) 2023-01-16 19:16:17 +02:00
wizard_controller.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00