mirror of
https://github.com/discourse/discourse.git
synced 2024-12-05 03:03:45 +08:00
0e69aeb276
Currently, `Tag#topic_count` is a count of all regular topics regardless of whether the topic is in a read restricted category or not. As a result, any users can technically poll a sensitive tag to determine if a new topic is created in a category which the user has not excess to. We classify this as a minor leak in sensitive information. The following changes are introduced in this commit: 1. Introduce `Tag#public_topic_count` which only count topics which have been tagged with a given tag in public categories. 2. Rename `Tag#topic_count` to `Tag#staff_topic_count` which counts the same way as `Tag#topic_count`. In other words, it counts all topics tagged with a given tag regardless of the category the topic is in. The rename is also done so that we indicate that this column contains sensitive information. 3. Change all previous spots which relied on `Topic#topic_count` to rely on `Tag.topic_column_count(guardian)` which will return the right "topic count" column to use based on the current scope. 4. Introduce `SiteSetting.include_secure_categories_in_tag_counts` site setting to allow site administrators to always display the tag topics count using `Tag#staff_topic_count` instead. |
||
|---|---|---|
| .. | ||
| cloud/cloud66 | ||
| environments | ||
| initializers | ||
| locales | ||
| application.rb | ||
| boot.rb | ||
| cdn.yml.sample | ||
| database.yml | ||
| deploy.rb.sample | ||
| dev_defaults.yml | ||
| discourse_defaults.conf | ||
| discourse.config.sample | ||
| discourse.pill.sample | ||
| environment.rb | ||
| logrotate.conf | ||
| multisite.yml.production-sample | ||
| nginx.global.conf | ||
| nginx.sample.conf | ||
| projections.json | ||
| puma.rb | ||
| routes.rb | ||
| sidekiq.yml | ||
| site_settings.yml | ||
| spring.rb | ||
| thin.yml.sample | ||
| unicorn_launcher | ||
| unicorn_upstart.conf | ||
| unicorn.conf.rb | ||