From d25ca2a468ecc5521efb1c35e7258faf514073ec Mon Sep 17 00:00:00 2001
From: Roman Rizzi <rizziromanalejandro@gmail.com>
Date: Tue, 18 Oct 2022 15:19:54 -0300
Subject: [PATCH] FIX: Exclude hidden topic posts and small actions from the
 RSS feed. (#18649)

This commit excludes posts from hidden topics from the latest posts and user activity RSS feeds. Additionally, it also excludes small actions from the first one.
---
 app/controllers/posts_controller.rb    |  3 ++
 spec/requests/posts_controller_spec.rb | 50 ++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)

diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb
index 520aab3bcc..c404cb6969 100644
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@@ -79,6 +79,8 @@ class PostsController < ApplicationController
       rss_description = I18n.t("rss_description.private_posts")
     else
       posts = Post.public_posts
+        .visible
+        .where(post_type: Post.types[:regular])
         .order(created_at: :desc)
         .where('posts.id <= ?', last_post_id)
         .where('posts.id > ?', last_post_id - 50)
@@ -122,6 +124,7 @@ class PostsController < ApplicationController
     raise Discourse::NotFound unless guardian.can_see_profile?(user)
 
     posts = Post.public_posts
+      .visible
       .where(user_id: user.id)
       .where(post_type: Post.types[:regular])
       .order(created_at: :desc)
diff --git a/spec/requests/posts_controller_spec.rb b/spec/requests/posts_controller_spec.rb
index 348a5d026a..a7ffbdb8be 100644
--- a/spec/requests/posts_controller_spec.rb
+++ b/spec/requests/posts_controller_spec.rb
@@ -2063,6 +2063,29 @@ RSpec.describe PostsController do
       expect(body).to include(public_post.url)
     end
 
+    it "doesn't include posts from hidden topics" do
+      public_post.topic.update!(visible: false)
+
+      get "/u/#{user.username}/activity.rss"
+
+      expect(response.status).to eq(200)
+
+      body = response.body
+      expect(body).not_to include(public_post.url)
+    end
+
+    it "excludes small actions" do
+      small_action = Fabricate(:small_action, user: user)
+
+      get "/u/#{user.username}/activity.rss"
+
+      expect(response.status).to eq(200)
+
+      body = response.body
+
+      expect(body).not_to include(small_action.canonical_url)
+    end
+
     it 'returns public posts as JSON' do
       public_post
       private_post
@@ -2164,6 +2187,33 @@ RSpec.describe PostsController do
         expect(body).to_not include(private_post.url)
       end
 
+      it "doesn't include posts from hidden topics" do
+        public_post.topic.update!(visible: false)
+
+        get "/posts.rss"
+
+        expect(response.status).to eq(200)
+
+        body = response.body
+
+        # we cache in redis, in rare cases this can cause a flaky test
+        PostsHelper.clear_canonical_cache!(public_post)
+
+        expect(body).not_to include(public_post.canonical_url)
+      end
+
+      it "excludes small actions" do
+        small_action = Fabricate(:small_action)
+
+        get "/posts.rss"
+
+        expect(response.status).to eq(200)
+
+        body = response.body
+
+        expect(body).not_to include(small_action.canonical_url)
+      end
+
       it 'returns public posts with topic for json' do
         topicless_post.update topic_id: -100