From 089d38e9d3bcffdffbb87e35815bf75fc7c726b4 Mon Sep 17 00:00:00 2001
From: Mark VanLandingham
Date: Thu, 30 Jan 2020 10:00:49 -0600
Subject: [PATCH] FIX: Disallow featuring hidden topics (#8814)
---
 app/services/topic_status_updater.rb | 4 ++++
 lib/guardian/user_guardian.rb | 1 +
 spec/models/topic_spec.rb | 13 +++++++++----
 spec/requests/users_controller_spec.rb | 7 +++++++
 4 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/app/services/topic_status_updater.rb b/app/services/topic_status_updater.rb
index 8c7489d8c2..f3aa541199 100644
--- a/app/services/topic_status_updater.rb
+++ b/app/services/topic_status_updater.rb
@@ -42,6 +42,10 @@ TopicStatusUpdater = Struct.new(:topic, :user) do
 DiscourseEvent.trigger(:topic_closed, topic)
 end
+ if status.visible? && status.disabled?
+ UserProfile.remove_featured_topic_from_all_profiles(topic)
+ end
+
 if @topic_status_update
 if status.manually_closing_topic? || status.closing_topic?
 topic.delete_topic_timer(TopicTimer.types[:close])
diff --git a/lib/guardian/user_guardian.rb b/lib/guardian/user_guardian.rb
index 6b28d5d8f3..776d536ef1 100644
--- a/lib/guardian/user_guardian.rb
+++ b/lib/guardian/user_guardian.rb
@@ -127,6 +127,7 @@ module UserGuardian
 def can_feature_topic?(user, topic)
 return false if !SiteSetting.allow_featured_topic_on_user_profiles?
 return false if !is_me?(user) && !is_staff?
+ return false if !topic.visible
 return false if topic.read_restricted_category? || topic.private_message?
 true
 end
diff --git a/spec/models/topic_spec.rb b/spec/models/topic_spec.rb
index b6494b209e..73bfdc330b 100644
--- a/spec/models/topic_spec.rb
+++ b/spec/models/topic_spec.rb
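Review bot: In app/services/topic_status_updater.rb the featured-topic cleanup is tied to this one status transition, so it only holds if every way a topic stops being viewable goes through `TopicStatusUpdater`. The guard in `can_feature_topic?` also rejects read-restricted categories and private messages at feature time, but nothing visible in this patch clears an existing `featured_topic_id` when an already-featured topic later moves into a restricted category, is converted to a message, or has `visible` changed by a direct column update. If those paths are not handled elsewhere, the profile keeps pointing at a topic the viewer should not see; consider re-checking visibility where the profile is rendered, and at minimum record the limitation with `# Only clears featured topics on the unlist path; other visibility changes must clear them separately.` The enclosing `change` method starts and ends outside the hunk.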
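Review bot: In lib/guardian/user_guardian.rb the new guard reads the raw attribute while every neighbouring check uses a predicate; `return false if !topic.visible?` would match them (the model spec's `be_visible` matcher already relies on that predicate). The line sits after the `is_me?`/`is_staff?` check, so staff are refused as well, which looks intended but is not stated. A short comment such as `# Unlisted topics cannot be featured by anyone, staff included.` would make that explicit.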
@@ -986,16 +986,21 @@ describe Topic do
 context 'visibility' do
 context 'disable' do
- before do
+ it 'should not be visible and have correct counts' do
 topic.update_status('visible', false, @user)
 topic.reload
- end
-
- it 'should not be visible and have correct counts' do
 expect(topic).not_to be_visible
 expect(topic.moderator_posts_count).to eq(1)
 expect(topic.bumped_at.to_f).to be_within(1e-4).of(@original_bumped_at)
 end
+
+ it 'removes itself as featured topic on user profiles' do
+ user.user_profile.update(featured_topic_id: topic.id)
+ expect(user.user_profile.featured_topic).to eq(topic)
+
+ topic.update_status('visible', false, @user)
+ expect(user.user_profile.reload.featured_topic).to eq(nil)
+ end
 end
 context 'enable' do
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 7e487b649e..2a692fa159 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -3923,6 +3923,13 @@ describe UsersController do
 expect(response.status).to eq(403)
 end
+ it "returns an error if the topic is not visible" do
+ sign_in(user)
+ topic.update_status('visible', false, user)
+ put "/u/#{user.username}/feature-topic.json", params: { topic_id: topic.id }
+ expect(response.status).to eq(403)
+ end
+
 it "returns an error if the topic's category is read_restricted" do
 sign_in(user)
 category.set_permissions({})
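Review bot: In spec/models/topic_spec.rb the new example features the topic on a single profile, so it would still pass if `remove_featured_topic_from_all_profiles` cleared only one row. Featuring the topic on a second user's profile and asserting both are cleared would pin the "all profiles" behaviour. The example also mixes `user` and `@user`, whose definitions are outside the hunk, so it is worth confirming that is deliberate. For the final assertion, `expect(user.user_profile.reload.featured_topic).to be_nil` is the more idiomatic matcher.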
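Review bot: In spec/requests/users_controller_spec.rb the new example asserts only the 403 status for the profile owner. Because the guard in `can_feature_topic?` runs after the staff check, a staff request is refused too, and no example here covers it; a second example signed in as a staff user would keep that from regressing. It would also help to assert that the profile was left untouched, e.g. `expect(user.user_profile.reload.featured_topic_id).not_to eq(topic.id)`.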