mirror of
https://github.com/discourse/discourse.git
synced 2024-12-15 07:03:39 +08:00
SECURITY: Do not create a notification if a staged user post gets quoted/linked inside a restricted category
parent
65831f4d3e
commit
733143cba3
|
@ -522,7 +522,7 @@ class PostAlerter
|
||||||
|
|
||||||
def notify_users(users, type, post, opts = {})
|
def notify_users(users, type, post, opts = {})
|
||||||
users = [users] unless users.is_a?(Array)
|
users = [users] unless users.is_a?(Array)
|
||||||
users = users.reject { |u| u.staged? } if post.topic&.private_message?
|
users.reject!(&:staged?) if post.topic&.private_message?
|
||||||
|
|
||||||
warn_if_not_sidekiq
|
warn_if_not_sidekiq
|
||||||
|
|
||||||
|
|
|
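Review bot: `users.reject!(&:staged?)` now mutates the array the caller passed in, because the line above only wraps non-Array arguments and leaves an Array argument aliased. A caller that reuses its list after `notify_users` ran for a private-message topic would silently find staged users missing from it. Unless that side effect is intended, keep the non-destructive form with the shorter block: `users = users.reject(&:staged?) if post.topic&.private_message?`. The body of `notify_users` continues past the end of the hunk, so later uses of `users` are not visible here.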
@ -142,7 +142,9 @@ module TopicGuardian
|
||||||
return authenticated? && topic.all_allowed_users.where(id: @user.id).exists?
|
return authenticated? && topic.all_allowed_users.where(id: @user.id).exists?
|
||||||
end
|
end
|
||||||
|
|
||||||
can_see_category?(topic.category)
|
category = topic.category
|
||||||
|
can_see_category?(category) &&
|
||||||
|
(!category.read_restricted || !is_staged? || topic.user == user)
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_see_topic_if_not_deleted?(topic)
|
def can_see_topic_if_not_deleted?(topic)
|
||||||
|
|
|
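Review bot: The compound condition added at the end of this method encodes an access rule that nothing in the hunk explains: a staged user is refused topics in a read-restricted category unless they started the topic. A comment above it, such as `# Staged users may only see topics in read-restricted categories that they created themselves.`, would keep a later refactor from dropping or widening the `topic.user == user` exemption. `category.read_restricted` is also only safe if `can_see_category?` returns false for a nil category, which is not visible here. If that is not guaranteed, `!category&.read_restricted` avoids a NoMethodError. The method starts above the hunk.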
@ -257,6 +257,28 @@ describe PostAlerter do
|
||||||
end
|
end
|
||||||
expect(events).to include(event_name: :before_create_notifications_for_users, params: [[user], linking_post])
|
expect(events).to include(event_name: :before_create_notifications_for_users, params: [[user], linking_post])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "doesn't notify the linked user if the user is staged and the category is restricted" do
|
||||||
|
staged_user = Fabricate(:staged)
|
||||||
|
group = Fabricate(:group)
|
||||||
|
group_member = Fabricate(:user)
|
||||||
|
group.add(group_member)
|
||||||
|
|
||||||
|
private_category = Fabricate(
|
||||||
|
:private_category, group: group,
|
||||||
|
email_in: 'test@test.com', email_in_allow_strangers: true
|
||||||
|
)
|
||||||
|
|
||||||
|
staged_user_post = create_post(user: staged_user, category: private_category)
|
||||||
|
|
||||||
|
linking = create_post(
|
||||||
|
user: group_member,
|
||||||
|
category: private_category,
|
||||||
|
raw: "my magic topic\n##{Discourse.base_url}#{staged_user_post.url}")
|
||||||
|
|
||||||
|
staged_user.reload
|
||||||
|
expect(staged_user.notifications.where(notification_type: Notification.types[:linked]).count).to eq(0)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context '@group mentions' do
|
context '@group mentions' do
|
||||||
|
|
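Review bot: The new example asserts only `count).to eq(0)`, which also passes if the link in `raw` was never detected or the notification would have been skipped for an unrelated reason. A companion example with the same setup but an unrestricted category (or a non-staged author), expecting the `:linked` notification to exist, would show that the restriction is what suppresses it. The commit title covers quoted posts as well, but only the linked case is exercised here. The `topic.user == user` exemption added to the guardian has no example in this section either. The local `linking` is assigned but never read, so `create_post(...)` can be called without the assignment.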