mirror of
https://github.com/discourse/discourse.git
synced 2024-12-14 14:38:33 +08:00
SECURITY: Do not create a notification if a staged user post gets quoted/linked inside a restricted category
parent
65831f4d3e
commit
733143cba3
|
@ -522,7 +522,7 @@ class PostAlerter
|
|||
|
||||
def notify_users(users, type, post, opts = {})
|
||||
users = [users] unless users.is_a?(Array)
|
||||
users = users.reject { |u| u.staged? } if post.topic&.private_message?
|
||||
users.reject!(&:staged?) if post.topic&.private_message?
|
||||
|
||||
warn_if_not_sidekiq
|
||||
|
||||
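Review bot: `users.reject!(&:staged?)` filters the array in place, so when a caller passes an Array (the line above wraps only non-Array values) that caller's own list silently loses its staged users. The +/- markers are lost on this page; I am assuming the `reject!` line is the new side because it is printed second. The non-mutating form avoids the side effect and also cannot raise on a frozen array: `users = users.reject(&:staged?) if post.topic&.private_message?`. This filter still applies only to private messages, so the restricted-category case named in the commit title appears to rest entirely on the guardian check; a one-line comment here saying so would help. notify_users continues past the end of the hunk.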
|
|
|
@ -142,7 +142,9 @@ module TopicGuardian
|
|||
return authenticated? && topic.all_allowed_users.where(id: @user.id).exists?
|
||||
end
|
||||
|
||||
can_see_category?(topic.category)
|
||||
category = topic.category
|
||||
can_see_category?(category) &&
|
||||
(!category.read_restricted || !is_staged? || topic.user == user)
|
||||
end
|
||||
|
||||
def can_see_topic_if_not_deleted?(topic)
|
||||
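Review bot: The staged-user condition `(!category.read_restricted || !is_staged? || topic.user == user)` is a security rule with no comment explaining it, and it dereferences `category` directly. I would add above it: `# A staged user may have access to a read-restricted category, but must only see topics they created themselves.` If `can_see_category?` (not shown here) can return true for a topic that has no category, `category.read_restricted` would raise on nil; `!category&.read_restricted` covers that case. The earlier line in this method uses `@user.id` while the new line uses `user`, so picking one form would keep the method consistent. The method starts above the hunk.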
|
|
|
@ -257,6 +257,28 @@ describe PostAlerter do
|
|||
end
|
||||
expect(events).to include(event_name: :before_create_notifications_for_users, params: [[user], linking_post])
|
||||
end
|
||||
|
||||
it "doesn't notify the linked user if the user is staged and the category is restricted" do
|
||||
staged_user = Fabricate(:staged)
|
||||
group = Fabricate(:group)
|
||||
group_member = Fabricate(:user)
|
||||
group.add(group_member)
|
||||
|
||||
private_category = Fabricate(
|
||||
:private_category, group: group,
|
||||
email_in: 'test@test.com', email_in_allow_strangers: true
|
||||
)
|
||||
|
||||
staged_user_post = create_post(user: staged_user, category: private_category)
|
||||
|
||||
linking = create_post(
|
||||
user: group_member,
|
||||
category: private_category,
|
||||
raw: "my magic topic\n##{Discourse.base_url}#{staged_user_post.url}")
|
||||
|
||||
staged_user.reload
|
||||
expect(staged_user.notifications.where(notification_type: Notification.types[:linked]).count).to eq(0)
|
||||
end
|
||||
end
|
||||
|
||||
context '@group mentions' do
|
||||
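Review bot: The new example asserts only that the count of `:linked` notifications is 0, with no positive control, so it can pass without the guardian change if the link is never detected. The `raw` string makes that worth checking: `"my magic topic\n##{Discourse.base_url}#{staged_user_post.url}"` puts a literal `#` directly in front of the URL, and whether link extraction still recognises it is not visible here. I would drop the stray character, `raw: "my magic topic\n#{Discourse.base_url}#{staged_user_post.url}"`, and add a companion example where the linked post's author is not staged and one `:linked` notification is expected. The commit title also names quotes, but only the linked case is covered, and the `linking` local is assigned and never used.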
|
|