From 6d475a15a86f0fb0931d1ddc0d301cdd3eda6ab7 Mon Sep 17 00:00:00 2001 From: Guo Xiang Tan Date: Thu, 14 Dec 2017 15:07:48 +0800 Subject: [PATCH] SECURITY: Any group can be invited into a PM. --- app/controllers/topics_controller.rb | 2 +- lib/guardian.rb | 5 ++ spec/controllers/topics_controller_spec.rb | 58 ++++++++++++++++------ 3 files changed, 48 insertions(+), 17 deletions(-) diff --git a/app/controllers/topics_controller.rb b/app/controllers/topics_controller.rb index c5930606039..0a75ffd98d6 100644 --- a/app/controllers/topics_controller.rb +++ b/app/controllers/topics_controller.rb @@ -471,7 +471,7 @@ class TopicsController < ApplicationController topic = Topic.find_by(id: params[:topic_id]) if topic.private_message? - guardian.ensure_can_send_private_message!(group) + guardian.ensure_can_invite_group_to_private_message!(group, topic) topic.invite_group(current_user, group) render_json_dump BasicGroupSerializer.new(group, scope: guardian, root: 'group') else diff --git a/lib/guardian.rb b/lib/guardian.rb index 8d4069328ad..4e9b7763ead 100644 --- a/lib/guardian.rb +++ b/lib/guardian.rb @@ -269,6 +269,11 @@ class Guardian is_admin? || (authenticated? && @user.id == user_id) end + def can_invite_group_to_private_message?(group, topic) + can_see_topic?(topic) && + can_send_private_message?(group) + end + def can_send_private_message?(target) (target.is_a?(Group) || target.is_a?(User)) && # User is authenticated diff --git a/spec/controllers/topics_controller_spec.rb b/spec/controllers/topics_controller_spec.rb index 27a87c43abc..7fb5046eb08 100644 --- a/spec/controllers/topics_controller_spec.rb +++ b/spec/controllers/topics_controller_spec.rb @@ -1011,31 +1011,57 @@ describe TopicsController do end describe 'invite_group' do - let :admins do - Group[:admins] - end + let(:admins) { Group[:admins] } + let(:pm) { Fabricate(:private_message_topic) } - let! :admin do - log_in :admin + def invite_group(topic, expected_status) + xhr :post, :invite_group, topic_id: topic.id, group: admins.name + expect(response.status).to eq(expected_status) end before do - admins.alias_level = Group::ALIAS_LEVELS[:everyone] - admins.save! + admins.update!(alias_level: Group::ALIAS_LEVELS[:everyone]) end - it "disallows inviting a group to a topic" do - topic = Fabricate(:topic) - xhr :post, :invite_group, topic_id: topic.id, group: 'admins' - expect(response.status).to eq(422) + describe 'as an anon user' do + it 'should be forbidden' do + invite_group(pm, 403) + end end - it "allows inviting a group to a PM" do - topic = Fabricate(:private_message_topic) - xhr :post, :invite_group, topic_id: topic.id, group: 'admins' + describe 'as a normal user' do + let!(:user) { log_in } - expect(response.status).to eq(200) - expect(topic.allowed_groups.first.id).to eq(admins.id) + describe 'when user does not have permission to view the topic' do + it 'should be forbidden' do + invite_group(pm, 403) + end + end + + describe 'when user has permission to view the topic' do + before do + pm.allowed_users << user + end + + it 'should allow user to invite group to topic' do + invite_group(pm, 200) + expect(pm.allowed_groups.first.id).to eq(admins.id) + end + end + end + + describe 'as an admin user' do + let!(:admin) { log_in(:admin) } + + it "disallows inviting a group to a topic" do + topic = Fabricate(:topic) + invite_group(topic, 422) + end + + it "allows inviting a group to a PM" do + invite_group(pm, 200) + expect(pm.allowed_groups.first.id).to eq(admins.id) + end end end