From 2cd55b1fa237d5b8d5fe097749cf8a193f41a7a4 Mon Sep 17 00:00:00 2001
From: Neil Lalonde
Date: Mon, 16 Jun 2014 15:11:58 -0400
Subject: [PATCH] FIX: topics in private sub-categories were visible to everyone on the categories page
---
 app/models/category_list.rb | 4 ++--
 spec/components/category_list_spec.rb | 28 +++++++++++++++++++++++++--
 2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/app/models/category_list.rb b/app/models/category_list.rb
index 23bc06c057..b10c906556 100644
--- a/app/models/category_list.rb
+++ b/app/models/category_list.rb
@@ -92,7 +92,7 @@ class CategoryList
 if latest_post_only?
 @all_topics = []
 @categories.each do |c|
- if c.latest_post && c.latest_post.topic
+ if c.latest_post && c.latest_post.topic && @guardian.can_see?(c.latest_post.topic)
 c.displayable_topics = [c.latest_post.topic]
 topic = c.latest_post.topic
 topic.include_last_poster = true # hint for serialization
@@ -108,7 +108,7 @@ class CategoryList
 c.displayable_topics = []
 topics_in_cat.each do |topic_id|
 topic = @topics_by_id[topic_id]
- if topic.present?
+ if topic.present? && @guardian.can_see?(topic)
 topic.category = c
 c.displayable_topics << topic
 end
diff --git a/spec/components/category_list_spec.rb b/spec/components/category_list_spec.rb
index 5c394bb8e9..b508c1b969 100644
--- a/spec/components/category_list_spec.rb
+++ b/spec/components/category_list_spec.rb
@@ -9,8 +9,6 @@ describe CategoryList do
 context "security" do
 it "properly hide secure categories" do
- user = Fabricate(:user)
- cat = Fabricate(:category)
 Fabricate(:topic, category: cat)
 cat.set_permissions(:admins => :full)
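Review bot: `c.latest_post.topic` is now navigated three times in the guard and twice more in the body; hoisting it into a local before the `if` would read as `topic = c.latest_post && c.latest_post.topic` followed by `if topic && @guardian.can_see?(topic)` and drop the repeated calls. A short why-comment on the guard would also help the next reader, e.g. `# skip the featured topic when the viewer cannot see it (it may live in a private subcategory of c)`. The enclosing method continues outside the hunk, so what `c.displayable_topics` holds when the check fails is not visible here; if it keeps a previous value rather than `[]`, that is worth confirming.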
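Review bot: The new `@guardian.can_see?(topic)` check runs before `topic.category = c` on the following line, and that order matters: `c` can be the parent of the category the topic actually belongs to, so a check placed after the reassignment would evaluate the parent's permissions instead of the private subcategory's. That ordering is easy to break in a later refactor and deserves a comment, e.g. `# check visibility before topic.category is overwritten with c: the topic may belong to a private subcategory of c`. Also, `can_see?` is now called once per featured topic inside the per-category loop; if it resolves the topic's category lazily that is an extra query per topic — presumably acceptable here, but worth confirming against Guardian.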
@@ -21,6 +19,32 @@ describe CategoryList do
 CategoryList.new(Guardian.new user).categories.count.should == 0
 CategoryList.new(Guardian.new nil).categories.count.should == 0
 end
+
+ it "doesn't show topics that you can't view" do
+ public_cat = Fabricate(:category) # public category
+ Fabricate(:topic, category: public_cat)
+
+ private_cat = Fabricate(:category) # private category
+ Fabricate(:topic, category: private_cat)
+ private_cat.set_permissions(admins: :full)
+ private_cat.save
+
+ secret_subcat = Fabricate(:category, parent_category_id: public_cat.id) # private subcategory
+ Fabricate(:topic, category: secret_subcat)
+ secret_subcat.set_permissions(admins: :full)
+ secret_subcat.save
+
+ CategoryFeaturedTopic.feature_topics
+
+ CategoryList.new(Guardian.new(admin)).categories.find { |x| x.name == public_cat.name }.displayable_topics.count.should == 2
+ CategoryList.new(Guardian.new(admin)).categories.find { |x| x.name == private_cat.name }.displayable_topics.count.should == 1
+
+ CategoryList.new(Guardian.new(user)).categories.find { |x| x.name == public_cat.name }.displayable_topics.count.should == 1
+ CategoryList.new(Guardian.new(user)).categories.find { |x| x.name == private_cat.name }.should be_nil
+
+ CategoryList.new(Guardian.new(nil)).categories.find { |x| x.name == public_cat.name }.displayable_topics.count.should == 1
+ CategoryList.new(Guardian.new(nil)).categories.find { |x| x.name == private_cat.name }.should be_nil
+ end
 end
 context "with a category" do
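Review bot: The user and anonymous assertions on `public_cat` only check `displayable_topics.count.should == 1`, which would still pass if the wrong topic survived the filter (the subcategory's topic instead of the public one); keeping the public topic in a local, `public_topic = Fabricate(:topic, category: public_cat)`, and asserting `.displayable_topics.map(&:id).should == [public_topic.id]` pins the regression exactly. `admin` and `user` are not defined in this hunk, so they presumably come from `let` blocks above (the `user = Fabricate(:user)` removed in the earlier hunk suggests that move) — worth confirming. Constructing `CategoryList.new(Guardian.new(admin))` twice in a row and repeating the `find { |x| x.name == ... }` lookup six times could be folded into a small helper so each assertion reads as one line.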