FIX: don't allow category and tag tracking settings on staged users (PR #13688)

Configuring staged users to watch categories and tags is a way to sign them up to get many emails. These emails may be unwanted and get marked as spam, hurting the site’s email deliverability. Users can opt-in to email notifications by logging on to their account and configuring their own preferences.

If staff need to be able to configure these preferences on behalf of staged users, the “allow changing staged user tracking” site setting can be enabled. Default is to not allow it.


I don’t think we should include this in the user web hook yet as this is doesn’t really provide any benefit for the webhook.

    (SiteSetting.allow_changing_staged_user_tracking || !user.staged) && can_edit_user?(user)

I flipped the conditions around based on which is cheaper to call.

  describe "#can_change_tracking_preferences?" do
    fab!(:staged_user) { Fabricate(:staged) }
    fab!(:admin_user) { Fabricate(:admin) }
        it "doesn't update muted categories and watched tags" do
          expect(TagUser.exist?(user_id: eq(false)
          expect(CategoryUser.exist?(user_id: eq(false)
        it "updates muted categories and watched tags" do
            notification_level: TagUser.notification_levels[:watching]
          )).to eq(true)
            notification_level: CategoryUser.notification_levels[:muted]
          )).to eq(true)

I left some suggestions but in general the PR looks good to me.

All tests don’t need both users.

Actually this code was removing it from the serializer. It is excluding attrs from the base serializer. I’ll put it back.

Minor but if you are only using this in a template you can use the (and helper now which will eliminate some code.

I was aware that was possible, but couldn’t find an example of it. TIL it’s (and.