SECURITY: prevent topic list filtering by hidden tags for unathorized users

This fixes an issue where unathorized users were able to filter topics
by tags that are hidden from them.
This commit is contained in:
Penar Musaraj 2024-08-26 11:18:55 -04:00 committed by Alan Guo Xiang Tan
parent d7164d57ec
commit 92ac6be82a
No known key found for this signature in database
GPG Key ID: 286D2AB58F8C86B6
2 changed files with 43 additions and 1 deletions

View File

@ -1281,7 +1281,9 @@ class TopicQuery
if tags_arg && tags_arg.size > 0 if tags_arg && tags_arg.size > 0
tags_arg = tags_arg.split if String === tags_arg tags_arg = tags_arg.split if String === tags_arg
tags_query = tags_arg[0].is_a?(String) ? Tag.where_name(tags_arg) : Tag.where(id: tags_arg) tags_query = DiscourseTagging.visible_tags(@guardian)
tags_query =
tags_arg[0].is_a?(String) ? tags_query.where_name(tags_arg) : tags_query.where(id: tags_arg)
tags = tags_query.select(:id, :target_tag_id).map { |t| t.target_tag_id || t.id }.uniq tags = tags_query.select(:id, :target_tag_id).map { |t| t.target_tag_id || t.id }.uniq
if ActiveModel::Type::Boolean.new.cast(@options[:match_all_tags]) if ActiveModel::Type::Boolean.new.cast(@options[:match_all_tags])

View File

@ -573,6 +573,46 @@ RSpec.describe TopicQuery do
tagged_topic3, tagged_topic3,
) )
end end
context "with hidden tags" do
let(:hidden_tag) { Fabricate(:tag, name: "hidden") }
let!(:staff_tag_group) do
Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: [hidden_tag.name])
end
let!(:topic_with_hidden_tag) { Fabricate(:topic, tags: [tag, hidden_tag]) }
it "returns topics with hidden tag to admin" do
expect(
TopicQuery.new(admin, tags: hidden_tag.name).list_latest.topics,
).to contain_exactly(topic_with_hidden_tag)
end
it "doesn't return topics with hidden tags to anon" do
expect(TopicQuery.new(nil, tags: hidden_tag.name).list_latest.topics).to be_empty
end
it "doesn't return topic with hidden tags to non-staff" do
expect(TopicQuery.new(user, tags: hidden_tag.name).list_latest.topics).to be_empty
end
it "returns topics with hidden tag to admin when using match_all_tags" do
expect(
TopicQuery
.new(admin, tags: [tag.name, hidden_tag.name], match_all_tags: true)
.list_latest
.topics,
).to contain_exactly(topic_with_hidden_tag)
end
it "doesn't return topic with hidden tags to non-staff when using match_all_tags" do
expect(
TopicQuery
.new(user, tags: [tag.name, hidden_tag.name], match_all_tags: true)
.list_latest
.topics,
).to be_empty
end
end
end end
context "when remove_muted_tags is enabled" do context "when remove_muted_tags is enabled" do