SECURITY: Restrict message-bus access on login_required sites

app/assets/javascripts/discourse/initializers/message-bus.js.es6

@@ -34,6 +34,12 @@ export default {
 
     // we do not want to start anything till document is complete
     messageBus.stop();
+
+    if (siteSettings.login_required && !user) {
+      // Endpoint is not available in this case, so don't try
+      return;
+    }
+
     // jQuery ready is called on "interactive" we want "complete"
     // Possibly change to document.addEventListener('readystatechange',...
     // but would only stop a handful of interval, message bus being delayed by

config/initializers/004-message_bus.rb

@@ -45,6 +45,9 @@ def setup_message_bus_env(env)
       Discourse.warn_exception(e, message: "Unexpected error in Message Bus")
     end
     user_id = user && user.id
+
+    raise Discourse::InvalidAccess if !user_id && SiteSetting.login_required
+
     is_admin = !!(user && user.admin?)
     group_ids = if is_admin
       # special rule, admin is allowed access to all groups

spec/integration/message_bus_spec.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'message bus integration' do
+
+  it "allows anonymous requests to the messagebus" do
+    post "/message-bus/poll"
+    expect(response.status).to eq(200)
+  end
+
+  it "allows authenticated requests to the messagebus" do
+    sign_in Fabricate(:user)
+    post "/message-bus/poll"
+    expect(response.status).to eq(200)
+  end
+
+  context "with login_required" do
+    before { SiteSetting.login_required = true }
+
+    it "blocks anonymous requests to the messagebus" do
+      post "/message-bus/poll"
+      expect(response.status).to eq(403)
+    end
+
+    it "allows authenticated requests to the messagebus" do
+      sign_in Fabricate(:user)
+      post "/message-bus/poll"
+      expect(response.status).to eq(200)
+    end
+  end
+
+end