SECURITY: Only publish PM reply messagebus notifications to allowed users

David Taylor 2017-09-08 22:09:05 +01:00 committed by Robin Ward
parent d4d548a874
commit 7cd4880e24


@ -147,7 +147,13 @@ class Post < ActiveRecord::Base
}.merge(options)
if Topic.visible_post_types.include?(post_type)
MessageBus.publish(channel, msg, group_ids: topic.secure_group_ids)
if topic.archetype == Archetype.private_message
user_ids = User.where('admin or moderator').pluck(:id)
user_ids |= topic.allowed_users.pluck(:id)
MessageBus.publish(channel, msg, user_ids: user_ids)
else
MessageBus.publish(channel, msg, group_ids: topic.secure_group_ids)
end
else
user_ids = User.where('admin or moderator or id = ?', user_id).pluck(:id)
MessageBus.publish(channel, msg, user_ids: user_ids)
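Review bot: The private-message branch builds its recipient list from staff plus `topic.allowed_users` only, so if a PM can also be shared with groups (not visible in this hunk), members of those groups would stop receiving the live update. If that applies, merge them into the same list before publishing, for example `user_ids |= topic.allowed_group_users.pluck(:id)`, assuming the model exposes such an association. The rule is also worth a comment above the branch, such as `# PMs: publish only to staff and explicitly allowed users; secure_group_ids does not restrict PM recipients`, because the old `group_ids:` call looked restrictive but evidently was not for PMs. A spec asserting that a user outside the PM receives nothing on the topic channel would pin this fix. The enclosing method starts and ends outside the hunk, so the closing `end` lines are not shown.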