SECURITY: user summary could show topic links you have no permissions to

2025-02-22 07:42:11 +08:00 · 2016-01-28 11:12:12 +11:00 · 2016-01-28 11:12:12 +11:00 · b25e505fb7
commit b25e505fb7
parent 6a7bdfecc8
2 changed files with 40 additions and 2 deletions
--- a/app/models/user_summary.rb
+++ b/app/models/user_summary.rb
@ -16,6 +16,7 @@ class UserSummary
    Topic
      .secured(@guardian)
      .listable_topics
      .visible
      .where(user: @user)
      .order('like_count desc, created_at asc')
      .includes(:user, :category)
@ -25,12 +26,13 @@ class UserSummary
  def replies
    Post
      .secured(@guardian)
      .includes(:user, {topic: :category})
      .references(:topic)
      .merge(Topic.listable_topics.visible.secured(@guardian))
      .where(user: @user)
      .where('post_number > 1')
      .where('topics.archetype <> ?', Archetype.private_message)
      .order('posts.like_count desc, posts.created_at asc')
      .includes(:user, {topic: :category})
      .references(:topic)
      .limit(MAX_TOPICS)
  end
--- a/spec/models/user_summary_spec.rb
+++ b/spec/models/user_summary_spec.rb
@ -0,0 +1,36 @@
 require 'rails_helper'
 describe UserSummary do
  it "produces secure summaries" do
    topic = create_post.topic
    user = topic.user
    _reply = create_post(user: topic.user, topic: topic)
    summary = UserSummary.new(user, Guardian.new)
    expect(summary.topics.length).to eq(1)
    expect(summary.replies.length).to eq(1)
    topic.update_columns(deleted_at: Time.now)
    expect(summary.topics.length).to eq(0)
    expect(summary.replies.length).to eq(0)
    topic.update_columns(deleted_at: nil, visible: false)
    expect(summary.topics.length).to eq(0)
    expect(summary.replies.length).to eq(0)
    category = Fabricate(:category)
    topic.update_columns(category_id: category.id, deleted_at: nil, visible: true)
    category.set_permissions(staff: :full)
    category.save
    expect(summary.topics.length).to eq(0)
    expect(summary.replies.length).to eq(0)
  end
 end