SECURITY: User action route was returning too much data

2024-12-16 05:23:48 +08:00 · 2014-08-29 13:46:50 -04:00 · 2014-08-29 13:46:50 -04:00 · 8ced44a766
commit 8ced44a766
parent 9ad246affe
2 changed files with 5 additions and 4 deletions
--- a/app/assets/javascripts/discourse/models/user.js
+++ b/app/assets/javascripts/discourse/models/user.js
@ -256,9 +256,10 @@ Discourse.User = Discourse.Model.extend({
    var self = this,
        stream = this.get('stream');
    return Discourse.ajax("/user_actions/" + id + ".json", { cache: 'false' }).then(function(result) {
-      if (result) {
-        if ((self.get('stream.filter') || result.action_type) !== result.action_type) return;
-        var action = Discourse.UserAction.collapseStream([Discourse.UserAction.create(result)]);
+      if (result && result.user_action) {
+        var ua = result.user_action;
+        if ((self.get('stream.filter') || ua.action_type) !== ua.action_type) return;
+        var action = Discourse.UserAction.collapseStream([Discourse.UserAction.create(ua)]);
        stream.set('itemsLoaded', stream.get('itemsLoaded') + 1);
        stream.get('content').insertAt(0, action[0]);
      }
--- a/app/controllers/user_actions_controller.rb
+++ b/app/controllers/user_actions_controller.rb
@ -22,7 +22,7 @@ class UserActionsController < ApplicationController

  def show
    params.require(:id)
-    render json: UserAction.stream_item(params[:id], guardian)
+    render_serialized(UserAction.stream_item(params[:id], guardian), UserActionSerializer)
  end

  def private_messages