From 733143cba3489cbf4fcad9cadf075ee48a71919d Mon Sep 17 00:00:00 2001
From: Roman Rizzi
Date: Thu, 16 Jan 2020 15:17:16 -0300
Subject: [PATCH] SECURITY: Do not create a notification if a staged user post gets quoted/linked inside a restricted category

---
 app/services/post_alerter.rb | 2 +-
 lib/guardian/topic_guardian.rb | 4 +++-
 spec/services/post_alerter_spec.rb | 22 ++++++++++++++++++++++
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/app/services/post_alerter.rb b/app/services/post_alerter.rb
index 11ebd97faf5..2c63c65f083 100644
--- a/app/services/post_alerter.rb
+++ b/app/services/post_alerter.rb
@@ -522,7 +522,7 @@ class PostAlerter
   def notify_users(users, type, post, opts = {})
     users = [users] unless users.is_a?(Array)
-    users = users.reject { |u| u.staged? } if post.topic&.private_message?
+    users.reject!(&:staged?) if post.topic&.private_message?
     warn_if_not_sidekiq
diff --git a/lib/guardian/topic_guardian.rb b/lib/guardian/topic_guardian.rb
index 242cfbdb4d1..98c0ff1115e 100644
--- a/lib/guardian/topic_guardian.rb
+++ b/lib/guardian/topic_guardian.rb
@@ -142,7 +142,9 @@ module TopicGuardian
       return authenticated? && topic.all_allowed_users.where(id: @user.id).exists?
     end
-    can_see_category?(topic.category)
+    category = topic.category
+    can_see_category?(category) &&
+      (!category.read_restricted || !is_staged? || topic.user == user)
   end
   def can_see_topic_if_not_deleted?(topic)
diff --git a/spec/services/post_alerter_spec.rb b/spec/services/post_alerter_spec.rb
index 8db8dc02a7e..208e93f9266 100644
--- a/spec/services/post_alerter_spec.rb
+++ b/spec/services/post_alerter_spec.rb
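Review bot: `users.reject!(&:staged?)` now mutates the array the caller handed in whenever it already was an Array, because the `[users]` wrapping on the line above only builds a fresh array for non-Array input; a caller that keeps using its list after `notify_users` returns silently loses its staged entries, whereas the removed line only rebound the local. If the aim was just the `&:staged?` shorthand, keep the non-destructive form: `users = users.reject(&:staged?) if post.topic&.private_message?`. notify_users continues past the end of the hunk.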
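Review bot: The new three-way condition in `can_see_topic?` carries no explanation of the rule it enforces — that a staged user is denied a read-restricted category's topics unless they authored the topic, which is what stops the linked/quoted notification described in the subject — so a comment above `category = topic.category` such as `# Staged users may only see their own topics in a read-restricted category; this also keeps quote/link notifications from reaching them there` would make the intent auditable. `can_see_category?(category) &&` is also the only thing between a nil `topic.category` and a NoMethodError on `category.read_restricted`; if can_see_category? can be truthy for nil (not visible in this hunk), use `!category&.read_restricted`. Minor: the method reads `@user.id` two lines up but `user` in the new line — pick one. The enclosing method starts before the hunk.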
@@ -257,6 +257,28 @@ describe PostAlerter do
         end
       expect(events).to include(event_name: :before_create_notifications_for_users, params: [[user], linking_post])
     end
+
+    it "doesn't notify the linked user if the user is staged and the category is restricted" do
+      staged_user = Fabricate(:staged)
+      group = Fabricate(:group)
+      group_member = Fabricate(:user)
+      group.add(group_member)
+
+      private_category = Fabricate(
+        :private_category, group: group,
+        email_in: 'test@test.com', email_in_allow_strangers: true
+      )
+
+      staged_user_post = create_post(user: staged_user, category: private_category)
+
+      linking = create_post(
+        user: group_member,
+        category: private_category,
+        raw: "my magic topic\n##{Discourse.base_url}#{staged_user_post.url}")
+
+      staged_user.reload
+      expect(staged_user.notifications.where(notification_type: Notification.types[:linked]).count).to eq(0)
+    end
   end
   context '@group mentions' do
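Review bot: `linking = create_post(` assigns a local that is never read afterwards, which RuboCop's Lint/UselessAssignment flags; call `create_post(` without the assignment, or name it `_linking` if the binding is wanted for readability. `staged_user.reload` before the expectation also looks redundant, since `staged_user.notifications.where(...)` issues a fresh query regardless of the record's loaded state. The negative assertion itself pins the behaviour the commit introduces, and the positive case just above it covers the non-staged path.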