SECURITY: Do not create a notification if a staged user post gets quoted/linked inside a restricted category

This commit is contained in:
Roman Rizzi 2020-01-16 15:17:16 -03:00 committed by romanrizzi
parent 65831f4d3e
commit 733143cba3
3 changed files with 26 additions and 2 deletions


@ -522,7 +522,7 @@ class PostAlerter
def notify_users(users, type, post, opts = {})
users = [users] unless users.is_a?(Array)
users = users.reject { |u| u.staged? } if post.topic&.private_message?
users.reject!(&:staged?) if post.topic&.private_message?
warn_if_not_sidekiq
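Review bot: `users.reject!(&:staged?)` mutates the array the caller handed in, because the `users = [users] unless users.is_a?(Array)` guard above it only allocates a fresh array for a scalar argument; a caller that reuses its own `users` array after this call will find the staged entries removed, which the non-mutating `users = users.reject { |u| u.staged? }` form never did. The markers are lost in this rendering, so if the print order here is old-then-new this is a silent behaviour change riding along with the security fix and deserves either a line in the commit message or the non-mutating spelling `users = users.reject(&:staged?) if post.topic&.private_message?`. notify_users continues past the hunk, so whether `users` is returned or reused further down is not visible here.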


@ -142,7 +142,9 @@ module TopicGuardian
return authenticated? && topic.all_allowed_users.where(id: @user.id).exists?
end
can_see_category?(topic.category)
category = topic.category
can_see_category?(category) &&
(!category.read_restricted || !is_staged? || topic.user == user)
end
def can_see_topic_if_not_deleted?(topic)
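Review bot: `category.read_restricted` on the new third line is reached whenever `can_see_category?(category)` is truthy, so if that predicate tolerates a nil category (a topic with no category) the guardian raises NoMethodError instead of answering; `category&.read_restricted` keeps the result for real categories and, since `!nil` is true, treats a missing category as unrestricted, which matches the old single-line behaviour. The new clause also deserves a why-comment, since read_restricted and is_staged? together are not self-explanatory: `# staged users may only see their own topics inside a read-restricted category`. Line 21 reads `@user.id` while the new line writes `topic.user == user`; both presumably resolve to the same object, but one spelling per method reads better. can_see_topic? starts above the hunk, so the branches that precede this return are not visible here.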


@ -257,6 +257,28 @@ describe PostAlerter do
end
expect(events).to include(event_name: :before_create_notifications_for_users, params: [[user], linking_post])
end
it "doesn't notify the linked user if the user is staged and the category is restricted" do
staged_user = Fabricate(:staged)
group = Fabricate(:group)
group_member = Fabricate(:user)
group.add(group_member)
private_category = Fabricate(
:private_category, group: group,
email_in: 'test@test.com', email_in_allow_strangers: true
)
staged_user_post = create_post(user: staged_user, category: private_category)
linking = create_post(
user: group_member,
category: private_category,
raw: "my magic topic\n##{Discourse.base_url}#{staged_user_post.url}")
staged_user.reload
expect(staged_user.notifications.where(notification_type: Notification.types[:linked]).count).to eq(0)
end
end
context '@group mentions' do
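Review bot: The `linking` local assigned from the second `create_post(user: group_member, ...)` call is never read, which RuboCop's Lint/UselessAssignment flags; drop the assignment and call `create_post(` directly, since only its side effect on notifications matters. The example covers the linked path only, while the commit title also names quoting, so a sibling example of the same shape whose raw body quotes `staged_user_post` would pin the other path the guardian change affects. Asserting the count is zero after the fact also passes if the notification type is never `:linked` for any reason; `expect { create_post(...) }.not_to change { staged_user.notifications.where(notification_type: Notification.types[:linked]).count }` ties the assertion to the action and drops the `staged_user.reload` line.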