security issue, anon and logged in users could see the fact that a user sent another user a pm (but could not see the pm itself or title)
parent
baa2ab8604
commit
ad93fc959c
@ -15,6 +15,10 @@ class PostActionType < ActiveRecord::Base
|
|||
@auto_action_flag_types ||= flag_types.except(:notify_user, :notify_moderators)
|
||||
end
|
||||
|
||||
def public_types
|
||||
@public_types ||= types.except(*flag_types.keys << :notify_user)
|
||||
end
|
||||
|
||||
def flag_types
|
||||
@flag_types ||= types.only(:off_topic, :spam, :inappropriate, :notify_moderators)
|
||||
end
|
||||
|
|
|
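Review bot: `public_types` is derived by exclusion (`types.except(*flag_types.keys << :notify_user)`), so any action type added to `types` later is counted for anonymous and non-staff viewers unless someone also remembers to list it here; an explicit allowlist of the types that are safe to expose would fail closed instead, along the lines of `@public_types ||= types.only(:like, :vote)` — the hunk does not show the full key set of `types`, so the list needs checking against it. The `<<` on the fresh array returned by `keys` is harmless but reads as mutation of shared state; `[*flag_types.keys, :notify_user]` expresses the same set without it. The enclosing `class << self` block (inferred from the class-level `@…` memoization) starts and ends outside the hunk.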
@ -7,6 +7,7 @@ class PostSerializer < BasicPostSerializer
|
|||
attr_accessor :add_raw
|
||||
attr_accessor :single_post_link_counts
|
||||
attr_accessor :draft_sequence
|
||||
attr_accessor :post_actions
|
||||
|
||||
attributes :post_number,
|
||||
:post_type,
|
||||
|
@ -152,8 +153,8 @@ class PostSerializer < BasicPostSerializer
|
|||
action_summary[:can_undo] = scope.can_delete?(post_actions[id])
|
||||
end
|
||||
|
||||
# anonymize flags
|
||||
if !scope.is_staff? && PostActionType.flag_types.values.include?(id)
|
||||
# only show public data
|
||||
unless scope.is_staff? || PostActionType.public_types.values.include?(id)
|
||||
action_summary[:count] = action_summary[:acted] ? 1 : 0
|
||||
end
|
||||
|
||||
|
|
|
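Review bot: `PostActionType.public_types.values.include?(id)` on the `unless` line rebuilds the values array and scans it for every action type of every post serialized; computing the public id set once (a memoized set on `PostActionType`, or a local built before the loop) keeps the per-post work constant. The comment `# only show public data` would be more useful stating the contract so a later edit does not weaken it: `# non-staff viewers get a real count only for public types; for flags and notify_user the count collapses to 1/0 from the viewer's own action, so the existence of a PM or flag is not leaked`. The enclosing method starts before and ends after this hunk, so whether other keys of `action_summary` besides `count` and `can_undo` also derive from aggregate data cannot be checked here.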
@ -1,7 +1,43 @@
|
|||
require 'spec_helper'
|
||||
require_dependency 'post_action'
|
||||
|
||||
describe PostSerializer do
|
||||
|
||||
context "a post with lots of actions" do
|
||||
let(:post){Fabricate(:post)}
|
||||
let(:actor){Fabricate(:user)}
|
||||
let(:admin){Fabricate(:admin)}
|
||||
let(:acted_ids){
|
||||
PostActionType.public_types.values
|
||||
.concat([:notify_user,:spam]
|
||||
.map{|k| PostActionType.types[k]})
|
||||
}
|
||||
|
||||
def visible_actions_for(user)
|
||||
serializer = PostSerializer.new(post, scope: Guardian.new(user), root: false)
|
||||
# NOTE this is messy, we should extract all this logic elsewhere
|
||||
serializer.post_actions = PostAction.counts_for([post], actor)[post.id] if user.try(:id) == actor.id
|
||||
actions = serializer.as_json[:actions_summary]
|
||||
lookup = PostActionType.types.invert
|
||||
actions.keep_if{|a| a[:count] > 0}.map{|a| lookup[a[:id]]}
|
||||
end
|
||||
|
||||
before do
|
||||
acted_ids.each do|id|
|
||||
PostAction.act(actor, post, id)
|
||||
end
|
||||
post.reload
|
||||
end
|
||||
|
||||
it "displays the correct info" do
|
||||
visible_actions_for(actor).sort.should == [:like,:notify_user,:spam,:vote]
|
||||
visible_actions_for(post.user).sort.should == [:like,:vote]
|
||||
visible_actions_for(nil).sort.should == [:like,:vote]
|
||||
visible_actions_for(admin).sort.should == [:like,:notify_user,:spam,:vote]
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
context "a post by a nuked user" do
|
||||
let!(:post) { Fabricate(:post, user: Fabricate(:user), deleted_at: Time.zone.now) }
|
||||
|
||||
|
|
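Review bot: The `it "displays the correct info"` block checks anon, the actor, the post author and an admin, but not a logged-in user who is neither party to the PM, which is the case the commit title names; add `visible_actions_for(Fabricate(:user)).sort.should == [:like,:vote]`. A moderator (staff but not admin) is also absent, so the `scope.is_staff?` branch is exercised only through the admin case. The `context "a post by a nuked user"` block opens at the end of the hunk and closes outside it.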