SECURITY: Bring list of presets to backend (#14)

* SECURITY: Bring list of presets to backend * DEV: lint plugin.rb * DEV: Update plugin.rb to be more idiomatic
discourse · May 29, 2024 · ecbe14c · ecbe14c
1 parent 1d7357d
commit ecbe14c
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 17 deletions.
diff --git a/assets/javascripts/discourse/components/new-topic-dropdown.js b/assets/javascripts/discourse/components/new-topic-dropdown.js
@@ -19,22 +19,7 @@ export default DropdownSelectBoxComponent.extend({
   },
 
   content: computed("new-topic", function () {
-    const buttons = JSON.parse(this.siteSettings.button_types) || [];
-    const currentUserGroups = this.currentUser?.groups?.flatMap(
-      (group) => group.name
-    );
-
-    return buttons.filter((button) => {
-      const trimmedAccess = button.access.trim();
-      if (trimmedAccess.length === 0) {
-        return true;
-      }
-
-      const allowedGroups = trimmedAccess.split(/(?:,|\s)\s*/);
-      return allowedGroups.some((group) =>
-        currentUserGroups.includes(group.trim())
-      );
-    });
+    return this.currentUser.topic_preset_buttons;
   }),
 
   actions: {

diff --git a/plugin.rb b/plugin.rb
@@ -18,6 +18,17 @@ module ::DiscoursePresetTopicComposer
 register_asset "stylesheets/common/common.scss"
 
 after_initialize do
+  add_to_serializer(:current_user, :topic_preset_buttons) do
+    buttons = JSON.parse(SiteSetting.button_types) || []
+    current_user_groups = scope.user.groups.pluck(:name)
+
+    buttons.select do |button|
+      allowed_groups = button["access"].split(/(?:,|\s)\s*/)
+      allowed_groups.empty? ||
+        allowed_groups.any? { |group| current_user_groups.include?(group.strip) }
+    end
+  end
+
   add_permitted_post_create_param("tags_to_add", :hash)
   on(:topic_created) do |topic, opts, user|
     tag_groups = opts[:tags_to_add]

diff --git a/spec/system/preset_topic_composer_spec.rb b/spec/system/preset_topic_composer_spec.rb
@@ -48,7 +48,7 @@ def self.add_new_json(json)
         ],
         "showTags" => false,
         "tags" => "",
-        "access" => "",
+        "access" => admin.groups.first.name,
       },
     )
   end
@@ -76,6 +76,23 @@ def self.add_new_json(json)
       expect(preset_input.get_first_label).to eq(tag1.name)
     end
 
+    it "should be able to fetch only visible buttons" do
+      normal_user = Fabricate(:user)
+      sign_in(normal_user)
+      visit "/"
+      preset_dropdown = PageObjects::Components::PresetTopicDropdown.new
+      preset_dropdown.button.click
+      expect(page).not_to have_text("New Question3")
+
+      sign_in(admin)
+
+      visit "/"
+      preset_dropdown = PageObjects::Components::PresetTopicDropdown.new
+      preset_dropdown.button.click
+
+      expect(page).to have_text("New Question3")
+    end
+
     it "should create a topic with a preset" do
       visit "/"
       preset_dropdown = PageObjects::Components::PresetTopicDropdown.new