SECURITY: Filter tags in user notifications for visibility (#19239)
danielwaterworth committed Nov 29, 2022
1 parent 0cc6e67 commit 84c83e8
Showing 2 changed files with 17 additions and 6 deletions.
12 changes: 7 additions & 5 deletions app/mailers/user_notifications.rb
Expand Up @@ -533,11 +533,13 @@ def send_notification_email(opts)

# tag names
if opts[:show_tags_in_subject] && post.topic_id

tags = Tag.joins(:topic_tags)
.where("topic_tags.topic_id = ?", post.topic_id)
.limit(3)
.pluck(:name)
tags =
DiscourseTagging
.visible_tags(Guardian.new(user))
.joins(:topic_tags)
.where("topic_tags.topic_id = ?", post.topic_id)
.limit(3)
.pluck(:name)

show_tags_in_subject = tags.any? ? tags.join(" ") : nil
end
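Review bot: The visibility filter is only as correct as the user the Guardian is built from: `Guardian.new(user)` has to be the notification recipient rather than the post author or the replying user, and `user` is assigned outside this hunk (send_notification_email starts before and continues after it), so that should be confirmed where it is set. A why-comment on the query would keep a later refactor from collapsing it back to `Tag.joins(:topic_tags)`: `# Scope through visible_tags so the subject never reveals tag names the recipient cannot see`. If the same topic tags are rendered anywhere else in the message body or its templates, an unfiltered query there would expose the same names and should go through the same scope. The `.limit(3)` has no `.order`, so which three visible tags land in the subject is database-dependent; adding `.order(:name)` before the limit would make it deterministic and easier to assert on.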
11 changes: 10 additions & 1 deletion spec/mailers/user_notifications_spec.rb
Expand Up @@ -298,7 +298,13 @@
let(:category) { Fabricate(:category, name: 'India') }
let(:tag1) { Fabricate(:tag, name: 'Taggo') }
let(:tag2) { Fabricate(:tag, name: 'Taggie') }
let(:topic) { Fabricate(:topic, category: category, tags: [tag1, tag2], title: "Super cool topic") }

let(:hidden_tag) { Fabricate(:tag, name: "hidden") }
let!(:hidden_tag_group) do
Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: [hidden_tag.name])
end

let(:topic) { Fabricate(:topic, category: category, tags: [tag1, tag2, hidden_tag], title: "Super cool topic") }
let(:post) { Fabricate(:post, topic: topic, raw: 'This is My super duper cool topic') }
let(:response) { Fabricate(:basic_reply, topic: post.topic, user: response_by_user) }
let(:user) { Fabricate(:user) }
Expand Down Expand Up @@ -377,6 +383,9 @@
expect(mail_html.scan(/>Bob Marley/).count).to eq(1)
expect(mail_html.scan(/>bobmarley/).count).to eq(0)

expect(mail.subject.scan(/#{tag1.name}/).count).to eq(1)
expect(mail.subject.scan(/#{hidden_tag.name}/).count).to eq(0)

SiteSetting.prioritize_username_in_ux = true

mail = UserNotifications.user_replied(
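Review bot: The new assertions cover only the negative case; a recipient who is permitted to see the tag group (a staff user, given `permissions: { "staff" => 1 }`) should also get an example asserting that the hidden tag does appear, otherwise an over-broad filter that drops every tag would still pass this spec. The lines `expect(mail.subject.scan(/#{tag1.name}/).count).to eq(1)` and the one below it interpolate tag names into a regex unescaped and count matches; `expect(mail.subject).to include(tag1.name)` and `expect(mail.subject).not_to include(hidden_tag.name)` express the same check without the regex. The enclosing example block starts and ends outside this hunk.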
