SECURITY: Any group can be invited into a PM.

2024-12-16 07:56:44 +08:00 · 2017-12-14 15:07:48 +08:00 · 2017-12-14 15:07:48 +08:00 · 6d475a15a8
commit 6d475a15a8
parent 5748ad6f66
3 changed files with 48 additions and 17 deletions
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@ -471,7 +471,7 @@ class TopicsController < ApplicationController
    topic = Topic.find_by(id: params[:topic_id])
    if topic.private_message?
-      guardian.ensure_can_send_private_message!(group)
+      guardian.ensure_can_invite_group_to_private_message!(group, topic)
      topic.invite_group(current_user, group)
      render_json_dump BasicGroupSerializer.new(group, scope: guardian, root: 'group')
    else
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@ -269,6 +269,11 @@ class Guardian
    is_admin? || (authenticated? && @user.id == user_id)
  end
  def can_invite_group_to_private_message?(group, topic)
    can_see_topic?(topic) &&
    can_send_private_message?(group)
  end
  def can_send_private_message?(target)
    (target.is_a?(Group) || target.is_a?(User)) &&
    # User is authenticated
--- a/spec/controllers/topics_controller_spec.rb
+++ b/spec/controllers/topics_controller_spec.rb
@ -1011,31 +1011,57 @@ describe TopicsController do
  end
  describe 'invite_group' do
-    let :admins do
+    let(:admins) { Group[:admins] }
-      Group[:admins]
+    let(:pm) { Fabricate(:private_message_topic) }
    end
-    let! :admin do
+    def invite_group(topic, expected_status)
-      log_in :admin
+      xhr :post, :invite_group, topic_id: topic.id, group: admins.name
      expect(response.status).to eq(expected_status)
    end
    before do
-      admins.alias_level = Group::ALIAS_LEVELS[:everyone]
+      admins.update!(alias_level: Group::ALIAS_LEVELS[:everyone])
      admins.save!
    end
    describe 'as an anon user' do
      it 'should be forbidden' do
        invite_group(pm, 403)
      end
    end
    describe 'as a normal user' do
      let!(:user) { log_in }
      describe 'when user does not have permission to view the topic' do
        it 'should be forbidden' do
          invite_group(pm, 403)
        end
      end
      describe 'when user has permission to view the topic' do
        before do
          pm.allowed_users << user
        end
        it 'should allow user to invite group to topic' do
          invite_group(pm, 200)
          expect(pm.allowed_groups.first.id).to eq(admins.id)
        end
      end
    end
    describe 'as an admin user' do
      let!(:admin) { log_in(:admin) }
      it "disallows inviting a group to a topic" do
        topic = Fabricate(:topic)
-      xhr :post, :invite_group, topic_id: topic.id, group: 'admins'
+        invite_group(topic, 422)
      expect(response.status).to eq(422)
      end
      it "allows inviting a group to a PM" do
-      topic = Fabricate(:private_message_topic)
+        invite_group(pm, 200)
-      xhr :post, :invite_group, topic_id: topic.id, group: 'admins'
+        expect(pm.allowed_groups.first.id).to eq(admins.id)
-
+      end
      expect(response.status).to eq(200)
      expect(topic.allowed_groups.first.id).to eq(admins.id)
    end
  end