mirror of
https://github.com/discourse/discourse.git
synced 2024-12-16 04:23:44 +08:00
SECURITY: Any group can be invited into a PM.
This commit is contained in:
parent
5748ad6f66
commit
6d475a15a8
|
@ -471,7 +471,7 @@ class TopicsController < ApplicationController
|
||||||
topic = Topic.find_by(id: params[:topic_id])
|
topic = Topic.find_by(id: params[:topic_id])
|
||||||
|
|
||||||
if topic.private_message?
|
if topic.private_message?
|
||||||
guardian.ensure_can_send_private_message!(group)
|
guardian.ensure_can_invite_group_to_private_message!(group, topic)
|
||||||
topic.invite_group(current_user, group)
|
topic.invite_group(current_user, group)
|
||||||
render_json_dump BasicGroupSerializer.new(group, scope: guardian, root: 'group')
|
render_json_dump BasicGroupSerializer.new(group, scope: guardian, root: 'group')
|
||||||
else
|
else
|
||||||
|
|
|
@ -269,6 +269,11 @@ class Guardian
|
||||||
is_admin? || (authenticated? && @user.id == user_id)
|
is_admin? || (authenticated? && @user.id == user_id)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def can_invite_group_to_private_message?(group, topic)
|
||||||
|
can_see_topic?(topic) &&
|
||||||
|
can_send_private_message?(group)
|
||||||
|
end
|
||||||
|
|
||||||
def can_send_private_message?(target)
|
def can_send_private_message?(target)
|
||||||
(target.is_a?(Group) || target.is_a?(User)) &&
|
(target.is_a?(Group) || target.is_a?(User)) &&
|
||||||
# User is authenticated
|
# User is authenticated
|
||||||
|
|
|
@ -1011,31 +1011,57 @@ describe TopicsController do
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'invite_group' do
|
describe 'invite_group' do
|
||||||
let :admins do
|
let(:admins) { Group[:admins] }
|
||||||
Group[:admins]
|
let(:pm) { Fabricate(:private_message_topic) }
|
||||||
end
|
|
||||||
|
|
||||||
let! :admin do
|
def invite_group(topic, expected_status)
|
||||||
log_in :admin
|
xhr :post, :invite_group, topic_id: topic.id, group: admins.name
|
||||||
|
expect(response.status).to eq(expected_status)
|
||||||
end
|
end
|
||||||
|
|
||||||
before do
|
before do
|
||||||
admins.alias_level = Group::ALIAS_LEVELS[:everyone]
|
admins.update!(alias_level: Group::ALIAS_LEVELS[:everyone])
|
||||||
admins.save!
|
|
||||||
end
|
end
|
||||||
|
|
||||||
it "disallows inviting a group to a topic" do
|
describe 'as an anon user' do
|
||||||
topic = Fabricate(:topic)
|
it 'should be forbidden' do
|
||||||
xhr :post, :invite_group, topic_id: topic.id, group: 'admins'
|
invite_group(pm, 403)
|
||||||
expect(response.status).to eq(422)
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it "allows inviting a group to a PM" do
|
describe 'as a normal user' do
|
||||||
topic = Fabricate(:private_message_topic)
|
let!(:user) { log_in }
|
||||||
xhr :post, :invite_group, topic_id: topic.id, group: 'admins'
|
|
||||||
|
|
||||||
expect(response.status).to eq(200)
|
describe 'when user does not have permission to view the topic' do
|
||||||
expect(topic.allowed_groups.first.id).to eq(admins.id)
|
it 'should be forbidden' do
|
||||||
|
invite_group(pm, 403)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'when user has permission to view the topic' do
|
||||||
|
before do
|
||||||
|
pm.allowed_users << user
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should allow user to invite group to topic' do
|
||||||
|
invite_group(pm, 200)
|
||||||
|
expect(pm.allowed_groups.first.id).to eq(admins.id)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'as an admin user' do
|
||||||
|
let!(:admin) { log_in(:admin) }
|
||||||
|
|
||||||
|
it "disallows inviting a group to a topic" do
|
||||||
|
topic = Fabricate(:topic)
|
||||||
|
invite_group(topic, 422)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "allows inviting a group to a PM" do
|
||||||
|
invite_group(pm, 200)
|
||||||
|
expect(pm.allowed_groups.first.id).to eq(admins.id)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user