'New Topic' is active on staff-only tag pages

bartv · February 3, 2019, 10:13am

Users can create posts from staff-only tag pages (/tags/staff-only-tag). These go straight to moderation, but it seems it would be better to disable the new topic button on these pages.

codinghorror · February 3, 2019, 10:17am

Hmm that does feel like a bug. @nbianca could you have a look next week?

venarius · March 7, 2019, 8:52am

Wouldn’t it be a better idea to just display a 404 if the user isn’t supposed to see the tag because its part of a “Staff Only” group?

Suggested change:

# app/controllers/tags_controller.rb

def show
  unless TagGroup.visible(guardian).pluck(:id)&.include? Tag.find_by_name(params[:tag_id]).tag_groups.pluck(:id)
    raise Discourse::NotFound
  end

  show_latest
end

Any opinion on this? I would create a PR and also write some tests

zogstrip · March 7, 2019, 10:25am

Thanks for the help @venarius but @nbianca is already working on a fix.

nbianca · March 7, 2019, 11:18am

I have fixed both of the issues in this PR:

https://github.com/discourse/discourse/pull/6984

Topic		Replies	Views
Hide staff tags from non-staff users Feature	4	1875	May 27, 2016
Tags can be used by everyone causes tag to be usable only by staff Bug	5	1075	May 16, 2018
Non-Forum Staff Getting Notifications for Staff Only Tags Bug	2	3004	December 28, 2021
Tag groups page is available without authorization Bug	5	556	September 17, 2018
Tags which only staff can use! Support	2	473	December 21, 2022

'New Topic' is active on staff-only tag pages

Related topics