github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-21 08:42:39 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Add permissions to MessageBus in chat (stable)

Browse Source 
Add spec

compact
This commit is contained in:
Jan Cernik 2023-10-16 10:51:23 -04:00 committed by Penar Musaraj
parent 5d7d607b5f
commit 265b3dbb4c
No known key found for this signature in database
GPG Key ID: E390435D881FF0F7
2 changed files with 47 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
plugins/chat/app/services/chat/publisher.rb
View File

@ -60,6 +60,7 @@ module Chat
{ scope: anonymous_guardian, root: false },
).as_json,
},
permissions(chat_channel),
)
end
@ -484,8 +485,11 @@ module Chat
private
def self.permissions(chat_channel)
{ user_ids: chat_channel.allowed_user_ids, group_ids: chat_channel.allowed_group_ids }
def self.permissions(channel)
{
user_ids: channel.allowed_user_ids.presence,
group_ids: channel.allowed_group_ids.presence,
}.compact
end
def self.anonymous_guardian

87
plugins/chat/spec/services/chat/publisher_spec.rb
View File

@ -181,32 +181,6 @@ describe Chat::Publisher do
end
end
context "when a staged thread has been provided" do
fab!(:thread) do
Fabricate(
:chat_thread,
original_message: Fabricate(:chat_message, chat_channel: channel),
channel: channel,
)
end
before { message_1.update!(thread: thread) }
it "generates the correct targets" do
targets =
described_class.calculate_publish_targets(
channel,
message_1,
staged_thread_id: "stagedthreadid",
)
expect(targets).to contain_exactly(
"/chat/#{channel.id}/thread/#{thread.id}",
"/chat/#{channel.id}/thread/stagedthreadid",
)
end
end
context "when the message is a thread reply" do
fab!(:thread) do
Fabricate(
@ -255,6 +229,13 @@ describe Chat::Publisher do
},
)
end
it "calls MessageBus with the correct permissions" do
MessageBus.stubs(:publish)
MessageBus.expects(:publish).with("/chat/#{channel.id}", anything, {})
described_class.publish_new!(channel, message_1, staged_id)
end
end
context "when the message is a thread reply" do
@ -279,27 +260,41 @@ describe Chat::Publisher do
expect(messages).not_to be_empty
end
context "if threading_enabled is true for the channel" do
before { channel.update!(threading_enabled: true) }
it "calls MessageBus with the correct permissions" do
MessageBus.stubs(:publish)
MessageBus.expects(:publish).with("/chat/#{channel.id}", anything, {})
it "does publish to the new_messages_message_bus_channel" do
messages =
MessageBus.track_publish(
described_class.new_messages_message_bus_channel(channel.id),
) { described_class.publish_new!(channel, message_1, staged_id) }
expect(messages.first.data).to eq(
{
type: "thread",
channel_id: channel.id,
thread_id: thread.id,
message:
Chat::MessageSerializer.new(
message_1,
{ scope: Guardian.new(nil), root: false },
).as_json,
},
)
end
described_class.publish_new!(channel, message_1, staged_id)
end
end
context "if threading_enabled is true for the channel" do
before { channel.update!(threading_enabled: true) }
it "does publish to the new_messages_message_bus_channel" do
messages =
MessageBus.track_publish(
described_class.new_messages_message_bus_channel(channel.id),
) { described_class.publish_new!(channel, message_1, staged_id) }
expect(messages.first.data).to eq(
{
type: "thread",
channel_id: channel.id,
thread_id: thread.id,
message:
Chat::MessageSerializer.new(
message_1,
{ scope: Guardian.new(nil), root: false },
).as_json,
},
)
end
it "calls MessageBus with the correct permissions" do
MessageBus.stubs(:publish)
MessageBus.expects(:publish).with("/chat/#{channel.id}", anything, {})
described_class.publish_new!(channel, message_1, staged_id)
end
end
end