SECURITY: only show restricted tag lists to authorized users (#20005)
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
nbianca and pmusaraj committed Jan 25, 2023
1 parent 3c6d938 commit ecb9aa5
Showing 2 changed files with 26 additions and 1 deletion.
3 changes: 2 additions & 1 deletion app/controllers/tags_controller.rb
Expand Up @@ -5,12 +5,13 @@ class TagsController < ::ApplicationController
include TopicQueryParams

before_action :ensure_tags_enabled
before_action :ensure_visible, only: %i[show info]

def self.show_methods
Discourse.anonymous_filters.map { |f| :"show_#{f}" }
end

before_action :ensure_visible, only: [:show, :info, *show_methods]

requires_login except: [:index, :show, :tag_feed, :search, :info, *show_methods]

skip_before_action :check_xhr, only: [:tag_feed, :show, :index, *show_methods]
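Review bot: The new `before_action :ensure_visible, only: [:show, :info, *show_methods]` line repeats the action set that `requires_login except:` and `skip_before_action :check_xhr` also spell out, so a future public action or anonymous filter can be added to one list and silently left out of the visibility check; defining the set once after `def self.show_methods`, e.g. `SHOW_ACTIONS = [:show, :info, *show_methods].freeze`, and using it in all three declarations keeps the authorization filter in step with the public-action list. `tag_feed` is public per the `requires_login except:` list but is not covered by `ensure_visible`; if it renders topics for a named tag (its definition is outside this hunk) the same restricted-tag check presumably applies there too — worth confirming. `ensure_visible` and the rest of the class body lie outside the hunk.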
24 changes: 24 additions & 0 deletions spec/requests/tags_controller_spec.rb
Expand Up @@ -634,6 +634,18 @@ def parse_topic_ids
expect(response.status).to eq(200)
end

it "returns a 404 when tag is restricted" do
tag_group = Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: ["test"])

get "/tag/test/l/latest.json"
expect(response.status).to eq(404)

sign_in(admin)

get "/tag/test/l/latest.json"
expect(response.status).to eq(200)
end

context "with muted tags" do
before do
TagUser.create!(
Expand Down Expand Up @@ -713,6 +725,18 @@ def parse_topic_ids
get "/tag/#{tag.name}/l/top.json?period=decadely"
expect(response.status).to eq(400)
end

it "returns a 404 if tag is restricted" do
tag_group = Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: ["test"])

get "/tag/test/l/top.json"
expect(response.status).to eq(404)

sign_in(admin)

get "/tag/test/l/top.json"
expect(response.status).to eq(200)
end
end

describe "#search" do
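Review bot: The `tag_group` local assigned on the first line of each new example (in both the `/l/latest` and `/l/top` hunks) is never read, so RuboCop's Lint/UselessAssignment will flag it; drop the binding and keep just `Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: ["test"])`. Both examples only contrast an anonymous request (404) with `admin` (200), yet the restriction under test is staff-only, so a signed-in non-staff user is the case most likely to regress and is not asserted — a `sign_in(user)` step followed by `get "/tag/test/l/latest.json"` and `expect(response.status).to eq(404)` before the admin step would cover it, assuming the spec has a plain `user` fixture (it is outside the hunk). The enclosing `describe` blocks begin outside both hunks.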