Discourse/discourse
Discourse/discourse
0
0
Fork 0
mirror of https://gh.wpcy.net/https://github.com/discourse/discourse.git synced 2026-05-28 09:18:55 +08:00
Code Packages Activity Actions
discourse/spec/serializers/topic_tracking_state_item_serializer_spec.rb
Alan Guo Xiang Tan 67b1b9ca5e
FIX: Don't emit tag names/slugs in topic tracking state (#40117) 
`TopicTrackingState.report` aggregates the tags on each tracked topic
into a JSON array via
`JSON_AGG`,
emitting `id`, `name`, and `slug` for every tag with no visibility
filter. Topic visibility and tag visibility are independent in
Discourse: a user can be allowed to see a topic while being restricted
from one of its tags. Standard topic
serializers filter via `Topic#visible_tags` and `guardian.hidden_tag_names`,
but the tracking-state path did not, leaking hidden tag names and slugs
to non-staff users for any topic that was new or unread for them.

This commit drops `name` and `slug` from the `JSON_AGG` in
`tags_included_wrapped_sql`, leaving only `id`. The client only reads
`tag.id` from these payloads, and the existing MessageBus publish paths
`publish_new`, `publish_latest`, `publish_unread`
already emit id-only tag objects. Since the names and slugs are no
longer fetched from the database, they cannot be sent to the client.
This avoids adding a new visibility filter on a query that runs on every
authenticated page load.

The JOIN to `tags` is kept so orphaned `topic_tags` rows (the table has
no DB-level foreign key, only Rails `dependent: :destroy`) do not
surface in the payload.
2026-05-19 05:07:17 +08:00

38 lines
1.3 KiB
Ruby
Vendored
Raw Permalink Blame History

# frozen_string_literal: true
RSpec.describe TopicTrackingStateItemSerializer do
fab!(:user)
fab!(:post) { create_post }
it "serializes topic tracking state reports" do
report = TopicTrackingState.report(user)
serialized = described_class.new(report[0], scope: Guardian.new(user), root: false).as_json
expect(serialized[:topic_id]).to eq(post.topic_id)
expect(serialized[:highest_post_number]).to eq(post.topic.highest_post_number)
expect(serialized[:last_read_post_number]).to eq(nil)
expect(serialized[:created_at]).to be_present
expect(serialized[:notification_level]).to eq(nil)
expect(serialized[:created_in_new_period]).to eq(true)
expect(serialized[:treat_as_new_topic_start_date]).to be_present
end
it "includes tags attribute when `tagging_enabled` site setting is `true`" do
SiteSetting.tagging_enabled = true
post.topic.notifier.watch_topic!(post.topic.user_id)
DiscourseTagging.tag_topic_by_names(
post.topic,
Guardian.new(Discourse.system_user),
%w[bananas apples],
)
report = TopicTrackingState.report(user)
serialized = described_class.new(report[0], scope: Guardian.new(user), root: false).as_json
expect(serialized[:tags].map { |t| t["id"] }).to contain_exactly(
*Tag.where(name: %w[bananas apples]).pluck(:id),
)
end
end
View git blame Copy permalink