
Commit f55e0fe

SECURITY: Update to exclude tag topic filter (#20006)
Ignores a tag specified in the `exclude_tag` topics param when the user does not have access to that tag. Co-authored-by: Blake Erickson <o.blakeerickson@gmail.com>
1 parent 105fee9 commit f55e0fe


2 files changed

+19
-8
lines changed


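--- a/lib/topic_query.rb
+++ b/lib/topic_query.rb
@@ -735,14 +735,17 @@ def default_results(options = {})
 result = result.where.not(id: TopicTag.distinct.pluck(:topic_id))
 end
 
-result = result.where(<<~SQL, name: @options[:exclude_tag]) if @options[:exclude_tag].present?
-topics.id NOT IN (
-SELECT topic_tags.topic_id
-FROM topic_tags
-INNER JOIN tags ON tags.id = topic_tags.tag_id
-WHERE tags.name = :name
-)
-SQL
+if @options[:exclude_tag].present? &&
+!DiscourseTagging.hidden_tag_names(@guardian).include?(@options[:exclude_tag])
+result = result.where(<<~SQL, name: @options[:exclude_tag])
+topics.id NOT IN (
+SELECT topic_tags.topic_id
+FROM topic_tags
+INNER JOIN tags ON tags.id = topic_tags.tag_id
+WHERE tags.name = :name
+)
+SQL
+end
 end
 
 result = apply_ordering(result, options)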
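Review bot: The new guard at line 738 carries no comment explaining why a present `exclude_tag` is silently dropped, and the reason is the security property this commit exists for: applying the filter for a tag the requester cannot see would let them diff result sets and learn which topics carry that hidden tag. Add a one-line why-comment above the condition, e.g. `# Never apply a filter on a tag hidden from this user; doing so would reveal which topics carry it.` The check and the SQL both compare the raw `@options[:exclude_tag]` string exactly (`include?` against the hidden names, `tags.name = :name` in the query), so they stay consistent, but that consistency is load-bearing and worth a note — if either side is ever normalised (case, synonyms) without the other, the guard can be bypassed; `hidden_tag_names` is presumably a per-call query, so the cost of calling it only when `exclude_tag` is present is already the right ordering of the `&&`. The enclosing `default_results` method starts before and continues past this hunk.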

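--- a/spec/lib/topic_query_spec.rb
+++ b/spec/lib/topic_query_spec.rb
@@ -409,13 +409,21 @@
 fab!(:tagged_topic3) { Fabricate(:topic, tags: [tag, other_tag]) }
 fab!(:tagged_topic4) { Fabricate(:topic, tags: [uppercase_tag]) }
 fab!(:no_tags_topic) { Fabricate(:topic) }
+fab!(:tag_group) do
+Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: [other_tag.name])
+end
 let(:synonym) { Fabricate(:tag, target_tag: tag, name: "synonym") }
 
 it "excludes a tag if desired" do
 topics = TopicQuery.new(moderator, exclude_tag: tag.name).list_latest.topics
 expect(topics.any? { |t| t.tags.include?(tag) }).to eq(false)
 end
 
+it "does not exclude a tagged topic without permission" do
+topics = TopicQuery.new(user, exclude_tag: other_tag.name).list_latest.topics
+expect(topics.map(&:id)).to include(tagged_topic2.id)
+end
+
 it "returns topics with the tag when filtered to it" do
 expect(TopicQuery.new(moderator, tags: tag.name).list_latest.topics).to contain_exactly(
 tagged_topic1,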
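Review bot: The new example at line 422 only covers the negative half of the guard — that the filter is ignored for a user without access — and nothing pins that the exclusion still applies to the same restricted tag for a user who can see it, so a regression that drops the filter for everyone would pass this spec. A companion example using `moderator` (presumably staff, matching the `"staff" => 1` permission on the new `tag_group`) closes that gap. Note also that the `fab!(:tag_group)` at line 412 restricts `other_tag` for every example in this block, and `tagged_topic3` (line 409) carries `other_tag`; the existing examples that use `moderator` should be unaffected, but any example in this block that queries as `user` may now see different results and is worth a re-read. `tagged_topic2` is defined outside the hunk, so its tagging is inferred from the assertion.
```ruby
# … unchanged: "does not exclude a tagged topic without permission" example …

it "excludes a restricted tag for a user who can see it" do
  topics = TopicQuery.new(moderator, exclude_tag: other_tag.name).list_latest.topics
  expect(topics.map(&:id)).not_to include(tagged_topic2.id)
end
```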
