SECURITY: TopicView not correctly restricting to topic

2024-11-22 09:42:02 +08:00 · 2014-05-29 21:55:55 +10:00 · 2014-05-29 21:55:55 +10:00 · 2ad756464e
commit 2ad756464e
parent cc473f1c5d
2 changed files with 24 additions and 12 deletions
--- a/lib/topic_view.rb
+++ b/lib/topic_view.rb
@ -276,7 +276,7 @@ class TopicView

  def filter_posts_by_ids(post_ids)
    # TODO: Sort might be off
-    @posts = Post.where(id: post_ids)
+    @posts = Post.where(id: post_ids, topic_id: @topic.id)
                 .includes(:user)
                 .includes(:reply_to_user)
                 .order('sort_order')
--- a/spec/components/topic_view_spec.rb
+++ b/spec/components/topic_view_spec.rb
@ -221,7 +221,7 @@ describe TopicView do
    let!(:p3) { Fabricate(:post, topic: topic, user: first_poster)}

    before do
-      SiteSetting.stubs(:posts_per_page).returns(3)
+      SiteSetting.posts_per_page = 3

      # Update them to the sort order we're checking for
      [p1, p2, p3, p4, p5, p6].each_with_index do |p, idx|
@ -233,21 +233,33 @@ describe TopicView do
    end

    describe "contains_gaps?" do
-      it "does not contain contains_gaps with default filtering" do
+      it "works" do
+        # does not contain contains_gaps with default filtering
        topic_view.contains_gaps?.should be_false
-      end
-
-      it "contains contains_gaps when filtered by username" do
+        # contains contains_gaps when filtered by username" do
        TopicView.new(topic.id, coding_horror, username_filters: ['eviltrout']).contains_gaps?.should be_true
-      end
-
-      it "contains contains_gaps when filtered by summary" do
+        # contains contains_gaps when filtered by summary
        TopicView.new(topic.id, coding_horror, filter: 'summary').contains_gaps?.should be_true
-      end
-
-      it "contains contains_gaps when filtered by best" do
+        # contains contains_gaps when filtered by best
        TopicView.new(topic.id, coding_horror, best: 5).contains_gaps?.should be_true
      end
+    end
+
+    it "#restricts to correct topic" do
+      t2 = Fabricate(:topic)
+
+      category = Fabricate(:category, name: "my test")
+      category.set_permissions(Group[:admins] => :full)
+      category.save
+
+      topic.category_id = category.id
+      topic.save!
+
+      expect{
+        TopicView.new(topic.id, coding_horror).posts.count
+      }.to raise_error(Discourse::InvalidAccess)
+
+      TopicView.new(t2.id, coding_horror, post_ids: [p1.id,p2.id]).posts.count.should == 0

    end