SECURITY: Hide restricted tags in noscript view

The hidden tags are usually filtered out by the serializer, but the noscript view uses the topic objects instead of the serialized objects.
2025-06-04 20:34:50 +08:00 · 2023-07-28 12:53:50 +01:00
parent dcc825bda5
commit 0736611423
4 changed files with 35 additions and 6 deletions
--- a/app/models/topic.rb
+++ b/app/models/topic.rb
@ -2045,6 +2045,10 @@ class Topic < ActiveRecord::Base
    private_message? && all_allowed_users.count > 2
  end

+  def visible_tags(guardian)
+    tags.reject { |tag| guardian.hidden_tag_names.include?(tag[:name]) }
+  end
+
  private

  def invite_to_private_message(invited_by, target_user, guardian)