SECURITY: Hide restricted tags in noscript view
The hidden tags are usually filtered out by the serializer, but the noscript view uses the topic objects instead of the serialized objects.
This commit is contained in:
parent
23c2fd5efe
commit
369f0f3335
@ -2035,6 +2035,10 @@ class Topic < ActiveRecord::Base
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def visible_tags(guardian)
|
||||||
|
tags.reject { |tag| guardian.hidden_tag_names.include?(tag[:name]) }
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def invite_to_private_message(invited_by, target_user, guardian)
|
def invite_to_private_message(invited_by, target_user, guardian)
|
||||||
|
|
|
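Review bot: `guardian.hidden_tag_names` is evaluated inside the `reject` block for every tag of the topic, and `visible_tags` is called once per topic in a list; unless `Guardian#hidden_tag_names` memoizes (not visible here) that is a repeated lookup per tag. Hoist it: `hidden = guardian.hidden_tag_names` and then `tags.reject { |tag| hidden.include?(tag[:name]) }`. The serializer hunk drops its explicit `if !scope.is_staff?` bypass in favour of this method, so whether staff still see restricted tags now rests entirely on `hidden_tag_names` being empty for staff; that dependency deserves a comment above the method, e.g. `# Tags the viewer may see; relies on Guardian#hidden_tag_names returning nothing for staff.` The method is fully contained in the hunk.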
@ -26,17 +26,20 @@ module TopicTagsMixin
|
||||||
|
|
||||||
def all_tags
|
def all_tags
|
||||||
return @tags if defined?(@tags)
|
return @tags if defined?(@tags)
|
||||||
|
|
||||||
|
tags = topic.visible_tags(scope)
|
||||||
|
|
||||||
# Calling method `pluck` or `order` along with `includes` causing N+1 queries
|
# Calling method `pluck` or `order` along with `includes` causing N+1 queries
|
||||||
tags =
|
tags =
|
||||||
(
|
(
|
||||||
if SiteSetting.tags_sort_alphabetically
|
if SiteSetting.tags_sort_alphabetically
|
||||||
topic.tags.sort_by(&:name)
|
tags.sort_by(&:name)
|
||||||
else
|
else
|
||||||
topic_count_column = Tag.topic_count_column(scope)
|
topic_count_column = Tag.topic_count_column(scope)
|
||||||
topic.tags.sort_by { |tag| tag.public_send(topic_count_column) }.reverse
|
tags.sort_by { |tag| tag.public_send(topic_count_column) }.reverse
|
||||||
end
|
end
|
||||||
)
|
)
|
||||||
tags = tags.reject { |tag| scope.hidden_tag_names.include?(tag[:name]) } if !scope.is_staff?
|
|
||||||
@tags = tags
|
@tags = tags
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
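Review bot: Removing `tags = tags.reject { ... } if !scope.is_staff?` (the last removed line) changes the staff path: staff tags now also go through `topic.visible_tags(scope)`, so staff keep seeing restricted tags only if `Guardian#hidden_tag_names` is empty for them, which nothing in this hunk confirms; a staff-viewer example in the spec would pin that down. The retained comment about `pluck`/`order` with `includes` now sits above code that sorts a plain Array returned by `reject`, so it reads as stale; `# visible_tags returns an Array, so sort in Ruby rather than with order/pluck, which would re-query and defeat includes` states the reason. `all_tags` begins and ends inside the hunk.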
@ -70,11 +70,11 @@
|
||||||
</span>
|
</span>
|
||||||
</a>
|
</a>
|
||||||
<% end %>
|
<% end %>
|
||||||
<% if t.tags %>
|
<% if tags = t.visible_tags(guardian) %>
|
||||||
<div class="discourse-tags">
|
<div class="discourse-tags">
|
||||||
<% t.tags.each_with_index do |tag, index| %>
|
<% tags.each_with_index do |tag, index| %>
|
||||||
<a href='<%= tag.full_url %>' class='discourse-tag'><%= tag.name %></a>
|
<a href='<%= tag.full_url %>' class='discourse-tag'><%= tag.name %></a>
|
||||||
<% if index < t.tags.size - 1 %>, <% end %>
|
<% if index < tags.size - 1 %>, <% end %>
|
||||||
<% end %>
|
<% end %>
|
||||||
</div>
|
</div>
|
||||||
<% end %>
|
<% end %>
|
||||||
|
|
|
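Review bot: The `<% if tags = t.visible_tags(guardian) %>` guard never skips: `visible_tags` builds its result with `reject`, so it returns an Array, and an empty Array is truthy in Ruby, meaning a topic whose tags are all restricted still emits an empty `<div class="discourse-tags">`. The previous `if t.tags` had the same flaw with an association, so this is not a regression, but with a plain Array the guard can be made real: `<% tags = t.visible_tags(guardian) %>` followed by `<% if tags.any? %>`, which also removes the assignment-in-condition that reads like a mistyped `==`. The noscript list renders tags in association order while the serializer sorts per `tags_sort_alphabetically`; if parity matters, sort here too. The surrounding template starts and ends outside the hunk.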
@ -151,6 +151,28 @@ RSpec.describe ListController do
|
||||||
|
|
||||||
expect(new_sql_queries_count).to be <= initial_sql_queries_count
|
expect(new_sql_queries_count).to be <= initial_sql_queries_count
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context "with topics with tags" do
|
||||||
|
let(:tag_group) { Fabricate.build(:tag_group) }
|
||||||
|
let(:tag_group_permission) { Fabricate.build(:tag_group_permission, tag_group: tag_group) }
|
||||||
|
let(:restricted_tag) { Fabricate(:tag) }
|
||||||
|
let(:public_tag) { Fabricate(:tag) }
|
||||||
|
|
||||||
|
before do
|
||||||
|
tag_group.tag_group_permissions << tag_group_permission
|
||||||
|
tag_group.save!
|
||||||
|
tag_group_permission.tag_group.tags << restricted_tag
|
||||||
|
topic.tags << [public_tag, restricted_tag]
|
||||||
|
end
|
||||||
|
|
||||||
|
it "does not show hidden tags" do
|
||||||
|
get "/latest"
|
||||||
|
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(response.body).to include(public_tag.name)
|
||||||
|
expect(response.body).not_to include(restricted_tag.name)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "categories and X" do
|
describe "categories and X" do
|
||||||
|
|
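Review bot: The two `response.body` assertions rely on substring matching of fabricated tag names, so `not_to include(restricted_tag.name)` can fail spuriously, or the positive check pass for the wrong reason, if the fabricator produces names that are prefixes of one another (e.g. `tag1`/`tag10`); the fabricator is not visible here, so fix the names explicitly: `let(:restricted_tag) { Fabricate(:tag, name: "restricted-tag") }` and `let(:public_tag) { Fabricate(:tag, name: "public-tag") }`. The example covers only the viewer set up outside this hunk; since the serializer change drops its explicit staff bypass, a second example that signs in a staff user and expects `restricted_tag.name` to be present would guard the other half of the contract. `topic` and the request user come from context above the hunk.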