'New Topic' is active on staff-only tag pages

bartv · February 3, 2019, 10:13am

Users can create posts from staff-only tag pages (/tags/staff-only-tag). These go straight to moderation, but it seems it would be better to disable the new topic button on these pages.

codinghorror · February 3, 2019, 10:17am

Hmm that does feel like a bug. @nbianca could you have a look next week?

venarius · March 7, 2019, 8:52am

Wouldn’t it be a better idea to just display a 404 if the user isn’t supposed to see the tag because its part of a “Staff Only” group?

Suggested change:

# app/controllers/tags_controller.rb

def show
  unless TagGroup.visible(guardian).pluck(:id)&.include? Tag.find_by_name(params[:tag_id]).tag_groups.pluck(:id)
    raise Discourse::NotFound
  end

  show_latest
end

Any opinion on this? I would create a PR and also write some tests

zogstrip · March 7, 2019, 10:25am

Thanks for the help @venarius but @nbianca is already working on a fix.

nbianca · March 7, 2019, 11:18am

I have fixed both of the issues in this PR:

https://github.com/discourse/discourse/pull/6984

Topic		Replies	Views
Hide staff tags from non-staff users feature	4	1833	May 27, 2016
Tags can be used by everyone causes tag to be usable only by staff bug	5	975	May 16, 2018
Non-Forum Staff Getting Notifications for Staff Only Tags bug	2	2716	December 28, 2021
Tag groups page is available without authorization bug	5	522	September 17, 2018
Tags which only staff can use! support	2	418	December 21, 2022

'New Topic' is active on staff-only tag pages

Related Topics