SECURITY: Show only visible tags in metadata

Currently, the topic metadata shows both public and private
tags, whereas only visible ones should be exposed.
Loïc Guitaut
2023-02-22 16:01:32 +01:00
committed by Loïc Guitaut
parent 5dbdcb3f23
commit a9f2c6db64
7 changed files with 53 additions and 22 deletions


@ -244,9 +244,9 @@ class TopicView
if @topic.category_id != SiteSetting.uncategorized_category_id && @topic.category_id &&
@topic.category
title += " - #{@topic.category.name}"
elsif SiteSetting.tagging_enabled && @topic.tags.exists?
elsif SiteSetting.tagging_enabled && visible_tags.exists?
title +=
" - #{@topic.tags.order("tags.#{Tag.topic_count_column(@guardian)} DESC").first.name}"
" - #{visible_tags.order("tags.#{Tag.topic_count_column(@guardian)} DESC").first.name}"
end
end
title
@ -713,10 +713,6 @@ class TopicView
end
end
def tags
@topic.tags.map(&:name)
end
protected
def read_posts_set
@ -820,7 +816,7 @@ class TopicView
def find_topic(topic_or_topic_id)
return topic_or_topic_id if topic_or_topic_id.is_a?(Topic)
# with_deleted covered in #check_and_raise_exceptions
Topic.with_deleted.includes(:category, :tags).find_by(id: topic_or_topic_id)
Topic.with_deleted.includes(:category).find_by(id: topic_or_topic_id)
end
def unfiltered_posts
@ -990,4 +986,8 @@ class TopicView
end
end
end
def visible_tags
@visible_tags ||= topic.tags.visible(guardian)
end
end
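Review bot: `visible_tags` is added at the very end of the class, below the `protected` marker visible in the second hunk, whereas the removed `tags` reader sat above that marker and was public, so code outside TopicView that called `tags` gets no guardian-filtered replacement from this class and has to do its own filtering. The other changed files are not shown here; it would be worth confirming that none of them still reads `topic.tags` directly on a path whose output reaches a response. A short comment on the helper would state the intent, e.g. `# Tags the current guardian is allowed to see; use this instead of topic.tags for anything rendered.` Separately, in the title branch `visible_tags.exists?` followed by `visible_tags.order(...).first.name` appears to run two queries against the memoized relation, and the helper reads `topic`/`guardian` while the title code uses `@topic`/`@guardian`; the class body continues outside these hunks, so both points should be checked against the full file.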