FIX: Allow topic edits when using a hidden tag

Previously, a regular user could not edit the title or category of a topic if a hidden tag had already been applied. This also stops hidden tag names from leaking in the error message.
2025-01-30 04:31:43 +08:00 · 2019-08-21 16:33:01 -04:00 · 2019-08-21 16:33:01 -04:00 · 14cdb01254
commit 14cdb01254
parent 6924f1ab15
3 changed files with 57 additions and 3 deletions
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@ -320,8 +320,22 @@ class TopicsController < ApplicationController
          ).pluck("tags.name")

          invalid_tags = topic_tags - allowed_tags
+
+          # Do not raise an error on a topic's hidden tags when not modifying tags
+          if params[:tags].blank?
+            invalid_tags.each do |tag_name|
+              if DiscourseTagging.hidden_tag_names.include?(tag_name)
+                invalid_tags.delete(tag_name)
+              end
+            end
+          end
+
          if !invalid_tags.empty?
-            return render_json_error(I18n.t('category.errors.disallowed_topic_tags', tags: invalid_tags.join(", ")))
+            if (invalid_tags & DiscourseTagging.hidden_tag_names).present?
+              return render_json_error(I18n.t('category.errors.disallowed_tags_generic'))
+            else
+              return render_json_error(I18n.t('category.errors.disallowed_topic_tags', tags: invalid_tags.join(", ")))
+            end
          end
        end
      end
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -609,6 +609,7 @@ en:
      description_incomplete: "The category description post must have at least one paragraph."
      permission_conflict: "Any group that is allowed to access a subcategory must also be allowed to access the parent category. The following groups have access to one of the subcategories, but no access to parent category: %{group_names}."
      disallowed_topic_tags: "This topic has tags not allowed by this category: '%{tags}'"
+      disallowed_tags_generic: "This topic has disallowed tags."
    cannot_delete:
      uncategorized: "This category is special. It is intended as a holding area for topics that have no category; it cannot be deleted."
      has_subcategories: "Can't delete this category because it has sub-categories."
@ -2227,7 +2228,7 @@ en:
    errors: "%{errors}"
    not_available: "Not available. Try %{suggestion}?"
    something_already_taken: "Something went wrong, perhaps the username or email is already registered. Try the forgot password link."
-    omniauth_error: 
+    omniauth_error:
      generic: "Sorry, there was an error authorizing your account. Please try again."
      csrf_detected: "Authorization timed out, or you have switched browsers. Please try again."
      request_error: "An error occured when starting authorization. Please try again."
--- a/spec/requests/topics_controller_spec.rb
+++ b/spec/requests/topics_controller_spec.rb
@ -1138,16 +1138,55 @@ RSpec.describe TopicsController do
            restricted_category.allowed_tags = [tag2.name]

            put "/t/#{topic.slug}/#{topic.id}.json", params: {
-              tags: [tag2],
+              tags: [tag2.name],
              category_id: category.id
            }

            result = ::JSON.parse(response.body)
            expect(response.status).to eq(422)
            expect(result['errors']).to be_present
+            expect(result['errors'][0]).to include(tag2.name)
            expect(topic.reload.category_id).not_to eq(restricted_category.id)
          end

+          it 'allows category change when topic has a hidden tag' do
+            Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: [tag1.name])
+
+            put "/t/#{topic.slug}/#{topic.id}.json", params: {
+              category_id: category.id
+            }
+
+            result = ::JSON.parse(response.body)
+            expect(response.status).to eq(200)
+            expect(topic.reload.tags).to include(tag1)
+          end
+
+          it 'allows category change when topic has a read-only tag' do
+            Fabricate(:tag_group, permissions: { "staff" => 1, "everyone" => 3 }, tag_names: [tag1.name])
+
+            put "/t/#{topic.slug}/#{topic.id}.json", params: {
+              category_id: category.id
+            }
+
+            result = ::JSON.parse(response.body)
+            expect(response.status).to eq(200)
+            expect(topic.reload.tags).to include(tag1)
+          end
+
+          it 'does not leak tag name when trying to use a staff tag' do
+            Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: [tag2.name])
+
+            put "/t/#{topic.slug}/#{topic.id}.json", params: {
+              tags: [tag2.name],
+              category_id: category.id
+            }
+
+            result = ::JSON.parse(response.body)
+            expect(response.status).to eq(422)
+            expect(result['errors']).to be_present
+            expect(result['errors'][0]).not_to include(tag2.name)
+          end
+
          it 'will clean tag params' do
            restricted_category.allowed_tags = [tag2.name]