SECURITY: Hide restricted tags in noscript view

Hidden tags are normally filtered out by the serializer, but the noscript view renders the topic objects directly rather than the serialized objects, so that filtering never applied there.
This commit is contained in:
Bianca Nenciu 2023-07-28 12:56:39 +01:00 committed by David Taylor
parent 23c2fd5efe
commit 369f0f3335
No known key found for this signature in database
GPG Key ID: 46904C18B1D3F434
4 changed files with 35 additions and 6 deletions


@ -2035,6 +2035,10 @@ class Topic < ActiveRecord::Base
end end
end end
def visible_tags(guardian)
tags.reject { |tag| guardian.hidden_tag_names.include?(tag[:name]) }
end
private private
def invite_to_private_message(invited_by, target_user, guardian) def invite_to_private_message(invited_by, target_user, guardian)
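Review bot: `visible_tags` has no staff bypass, unlike the `if !scope.is_staff?` filter the mixin used to apply, so it depends entirely on `guardian.hidden_tag_names` being empty for users who may see every tag; I cannot see `Guardian#hidden_tag_names` here, so that should be confirmed and stated above the method, e.g. `# Tags the given guardian may see; relies on Guardian#hidden_tag_names being empty for staff.` The block also calls `guardian.hidden_tag_names` once per tag and runs an Array `include?` scan each time; hoisting it reads better and avoids repeated work if the method is not memoised: `hidden = guardian.hidden_tag_names` then `tags.reject { |tag| hidden.include?(tag[:name]) }`. `tag[:name]` is the attribute read on an ActiveRecord model, so `tag.name` would be the more conventional spelling.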


@ -26,17 +26,20 @@ module TopicTagsMixin
def all_tags def all_tags
return @tags if defined?(@tags) return @tags if defined?(@tags)
tags = topic.visible_tags(scope)
# Calling method `pluck` or `order` along with `includes` causing N+1 queries # Calling method `pluck` or `order` along with `includes` causing N+1 queries
tags = tags =
( (
if SiteSetting.tags_sort_alphabetically if SiteSetting.tags_sort_alphabetically
topic.tags.sort_by(&:name) tags.sort_by(&:name)
else else
topic_count_column = Tag.topic_count_column(scope) topic_count_column = Tag.topic_count_column(scope)
topic.tags.sort_by { |tag| tag.public_send(topic_count_column) }.reverse tags.sort_by { |tag| tag.public_send(topic_count_column) }.reverse
end end
) )
tags = tags.reject { |tag| scope.hidden_tag_names.include?(tag[:name]) } if !scope.is_staff?
@tags = tags @tags = tags
end end
end end
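Review bot: The `tags = tags.reject { ... } if !scope.is_staff?` line is dropped, so staff now see exactly what `topic.visible_tags(scope)` returns; if `Guardian#hidden_tag_names` is non-empty for staff (its implementation is not visible here) this silently narrows what staff see in topic lists. A comment on the `tags = topic.visible_tags(scope)` line would make the new contract explicit: `# visible_tags applies the guardian's hidden-tag filter for everyone; Guardian#hidden_tag_names must be empty for staff`. The result is memoised into `@tags`, so a mixin instance must not be reused across guardians; that predates this commit but is worth noting next to the memo. `all_tags` is fully contained in this hunk.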


@ -70,11 +70,11 @@
</span> </span>
</a> </a>
<% end %> <% end %>
<% if t.tags %> <% if tags = t.visible_tags(guardian) %>
<div class="discourse-tags"> <div class="discourse-tags">
<% t.tags.each_with_index do |tag, index| %> <% tags.each_with_index do |tag, index| %>
<a href='<%= tag.full_url %>' class='discourse-tag'><%= tag.name %></a> <a href='<%= tag.full_url %>' class='discourse-tag'><%= tag.name %></a>
<% if index < t.tags.size - 1 %>,&nbsp;<% end %> <% if index < tags.size - 1 %>,&nbsp;<% end %>
<% end %> <% end %>
</div> </div>
<% end %> <% end %>
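Review bot: `<% if tags = t.visible_tags(guardian) %>` assigns inside the condition and is always true, because `reject` returns an Array even when it is empty, so a topic whose tags are all restricted (or that has none) now emits an empty `<div class="discourse-tags">`. Splitting it into `<% tags = t.visible_tags(guardian) %>` followed by `<% if tags.present? %>` emits the wrapper only when there is something to render and stops the assignment from being read as a comparison. The old `if t.tags` was also always truthy for an association, so this is not a regression introduced here, just the natural place to fix it.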


@ -151,6 +151,28 @@ RSpec.describe ListController do
expect(new_sql_queries_count).to be <= initial_sql_queries_count expect(new_sql_queries_count).to be <= initial_sql_queries_count
end end
context "with topics with tags" do
let(:tag_group) { Fabricate.build(:tag_group) }
let(:tag_group_permission) { Fabricate.build(:tag_group_permission, tag_group: tag_group) }
let(:restricted_tag) { Fabricate(:tag) }
let(:public_tag) { Fabricate(:tag) }
before do
tag_group.tag_group_permissions << tag_group_permission
tag_group.save!
tag_group_permission.tag_group.tags << restricted_tag
topic.tags << [public_tag, restricted_tag]
end
it "does not show hidden tags" do
get "/latest"
expect(response.status).to eq(200)
expect(response.body).to include(public_tag.name)
expect(response.body).not_to include(restricted_tag.name)
end
end
end end
describe "categories and X" do describe "categories and X" do
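Review bot: The new context only exercises an anonymous `get "/latest"`, so nothing proves that dropping the `is_staff?` bypass in the mixin did not also hide the tag from staff or from members of the permitted group; an example that signs in an admin and expects `restricted_tag.name` to be present would pin that side of the change (assuming the usual `sign_in` helper is available in this spec). Also, `expect(response.body).not_to include(restricted_tag.name)` is a substring check, so if the tag fabricator produces sequential names (e.g. "tag1" and "tag10") the assertion can pass or fail on the wrong tag; giving both tags explicit distinct names, e.g. `Fabricate(:tag, name: "restricted-tag")`, removes that ambiguity. The enclosing `describe` starts before this hunk.
```ruby
      # … unchanged: lets and before block …
      it "shows restricted tags to staff" do
        sign_in(Fabricate(:admin))
        get "/latest"
        expect(response.status).to eq(200)
        expect(response.body).to include(restricted_tag.name)
      end
```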