From 4b54791bcccbb04ad0da2d2d7cedee9e298478ef Mon Sep 17 00:00:00 2001
From: mintsaxon <60171361+mintsaxon@users.noreply.github.com>
Date: Wed, 22 Jan 2020 21:33:25 +0200
Subject: [PATCH] FIX: Notify staged users about private categories (#8765)

group membership and `CategoryUser` notification level should be
respected to determine whether to notify staged users about activity in
private categories, instead of only ever generating notifications for staged
users' own topics (which has been the behaviour since
0c4ac2a7bc726176b1d76b98f789a35e5d1bddfc)
---
 lib/guardian/topic_guardian.rb     |  2 +-
 spec/services/post_alerter_spec.rb | 30 +++++++++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/lib/guardian/topic_guardian.rb b/lib/guardian/topic_guardian.rb
index d8b1cac419..938560b09b 100644
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@@ -154,7 +154,7 @@ module TopicGuardian
 
     category = topic.category
     can_see_category?(category) &&
-      (!category.read_restricted || !is_staged? || topic.user == user)
+      (!category.read_restricted || !is_staged? || secure_category_ids.include?(category.id) || topic.user == user)
   end
 
   def can_get_access_to_topic?(topic)
diff --git a/spec/services/post_alerter_spec.rb b/spec/services/post_alerter_spec.rb
index c7338d5788..c98125a521 100644
--- a/spec/services/post_alerter_spec.rb
+++ b/spec/services/post_alerter_spec.rb
@@ -258,7 +258,7 @@ describe PostAlerter do
       expect(events).to include(event_name: :before_create_notifications_for_users, params: [[user], linking_post])
     end
 
-    it "doesn't notify the linked user if the user is staged and the category is restricted" do
+    it "doesn't notify the linked user if the user is staged and the category is restricted and allows strangers" do
       staged_user = Fabricate(:staged)
       group = Fabricate(:group)
       group_member = Fabricate(:user)
@@ -990,6 +990,34 @@ describe PostAlerter do
           PostAlerter.post_created(whispered_post)
         }.not_to add_notification(user, :posted)
       end
+
+      it "notifies a staged user about a private post, but only if the user has access" do
+        staged_member = Fabricate(:staged)
+        staged_non_member = Fabricate(:staged)
+        group = Fabricate(:group)
+        group_member = Fabricate(:user)
+
+        group.add(group_member)
+        group.add(staged_member)
+
+        private_category = Fabricate(
+          :private_category, group: group,
+                             email_in: 'test@test.com', email_in_allow_strangers: false
+        )
+
+        level = CategoryUser.notification_levels[:watching]
+        CategoryUser.set_notification_level_for_category(group_member, level, private_category.id)
+        CategoryUser.set_notification_level_for_category(staged_member, level, private_category.id)
+        CategoryUser.set_notification_level_for_category(staged_non_member, level, private_category.id)
+
+        topic = Fabricate(:topic, category: private_category, user: group_member)
+        post = Fabricate(:post, topic: topic)
+
+        expect {
+          PostAlerter.post_created(post)
+        }.to add_notification(staged_member, :posted)
+          .and not_add_notification(staged_non_member, :posted)
+      end
     end
   end