this ensures that under no conditions PMs will be included

SamSaffron · SamSaffron · commit db3ca2c7d746 · 2025-05-15T17:36:53.000+10:00
diff --git a/lib/utils/research/filter.rb b/lib/utils/research/filter.rb
@@ -235,7 +235,12 @@ def limit_by_user!(limit)
         end
 
         def search
-          filtered = Post.secured(@guardian).joins(:topic).merge(Topic.secured(@guardian))
+          filtered =
+            Post
+              .secured(@guardian)
+              .joins(:topic)
+              .merge(Topic.secured(@guardian))
+              .where("topics.archetype = 'regular'")
           original_filtered = filtered
 
           @filters.each do |filter_block, match_data|
diff --git a/spec/lib/utils/research/filter_spec.rb b/spec/lib/utils/research/filter_spec.rb
@@ -2,7 +2,10 @@
 
 describe DiscourseAi::Utils::Research::Filter do
   describe "integration tests" do
-    before_all { SiteSetting.min_topic_title_length = 3 }
+    before_all do
+      SiteSetting.min_topic_title_length = 3
+      SiteSetting.min_personal_message_title_length = 3
+    end
 
     fab!(:user)
 
@@ -51,6 +54,46 @@
     fab!(:feature_bug_post) { Fabricate(:post, topic: feature_bug_topic, user: user) }
     fab!(:no_tag_post) { Fabricate(:post, topic: no_tag_topic, user: user) }
 
+    describe "security filtering" do
+      fab!(:secure_group) { Fabricate(:group) }
+      fab!(:secure_category) { Fabricate(:category, name: "Secure") }
+
+      fab!(:secure_topic) do
+        secure_category.set_permissions(secure_group => :readonly)
+        secure_category.save!
+        Fabricate(
+          :topic,
+          category: secure_category,
+          user: user,
+          title: "This is a secret Secret Topic",
+        )
+      end
+
+      fab!(:secure_post) { Fabricate(:post, topic: secure_topic, user: user) }
+
+      fab!(:pm_topic) { Fabricate(:private_message_topic, user: user) }
+      fab!(:pm_post) { Fabricate(:post, topic: pm_topic, user: user) }
+
+      it "omits secure categories when no guardian is supplied" do
+        filter = described_class.new("")
+        expect(filter.search.pluck(:id)).not_to include(secure_post.id)
+
+        user.groups << secure_group
+        guardian = Guardian.new(user)
+        filter_with_guardian = described_class.new("", guardian: guardian)
+        expect(filter_with_guardian.search.pluck(:id)).to include(secure_post.id)
+      end
+
+      it "omits PMs unconditionally" do
+        filter = described_class.new("")
+        expect(filter.search.pluck(:id)).not_to include(pm_post.id)
+
+        guardian = Guardian.new(user)
+        filter_with_guardian = described_class.new("", guardian: guardian)
+        expect(filter_with_guardian.search.pluck(:id)).not_to include(pm_post.id)
+      end
+    end
+
     describe "tag filtering" do
       it "correctly filters posts by tags" do
         filter = described_class.new("tag:feature")
