SECURITY: Show only visible tags in metadata

Currently, the topic metadata show both public and private tags whereas only visible ones should be exposed.
2025-05-31 16:57:16 +08:00 · 2023-02-22 16:01:32 +01:00
parent 5dbdcb3f23
commit a9f2c6db64
7 changed files with 53 additions and 22 deletions
--- a/spec/requests/topics_controller_spec.rb
+++ b/spec/requests/topics_controller_spec.rb
@ -2507,6 +2507,28 @@ RSpec.describe TopicsController do
        expect(body).to have_tag(:script, src: "/assets/discourse.js")
        expect(body).to have_tag(:meta, with: { name: "fragment" })
      end
+
+      context "with restricted tags" do
+        let(:tag_group) { Fabricate.build(:tag_group) }
+        let(:tag_group_permission) { Fabricate.build(:tag_group_permission, tag_group: tag_group) }
+        let(:restricted_tag) { Fabricate(:tag) }
+        let(:public_tag) { Fabricate(:tag) }
+
+        before do
+          # avoid triggering a `before_create` callback in `TagGroup` which
+          # messes with permissions
+          tag_group.tag_group_permissions << tag_group_permission
+          tag_group.save!
+          tag_group_permission.tag_group.tags << restricted_tag
+          topic.tags << [public_tag, restricted_tag]
+        end
+
+        it "doesn’t expose restricted tags" do
+          get "/t/#{topic.slug}/#{topic.id}/print", headers: { HTTP_USER_AGENT: "Rails Testing" }
+          expect(response.body).to match(public_tag.name)
+          expect(response.body).not_to match(restricted_tag.name)
+        end
+      end
    end

    it "records redirects" do