From c38c37bcc342748cbb43c6ac0a68eecc74a8145b Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Mon, 28 Oct 2019 12:20:26 +0000
Subject: [PATCH] SECURITY: Check permissions when autocompleting mentions
---
 app/models/user_search.rb | 1 +
 spec/models/user_search_spec.rb | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/app/models/user_search.rb b/app/models/user_search.rb
index 7b9f0b9a4dd..6b569107728 100644
--- a/app/models/user_search.rb
+++ b/app/models/user_search.rb
@@ -16,6 +16,7 @@ class UserSearch
 @groups = opts[:groups]
 @guardian = Guardian.new(@searching_user)
 @guardian.ensure_can_see_groups!(@groups) if @groups
+ @guardian.ensure_can_see_topic! Topic.find(@topic_id) if @topic_id
 end
 def scoped_users
diff --git a/spec/models/user_search_spec.rb b/spec/models/user_search_spec.rb
index 6d1ae9f8d81..99b3a0dc4f2 100644
--- a/spec/models/user_search_spec.rb
+++ b/spec/models/user_search_spec.rb
@@ -158,4 +158,23 @@ describe UserSearch do
 expect(results.map(&:username)).to eq(["mrpink", "mrorange"])
 end
+ it "only reveals topic participants to people with permission" do
+ pm_topic = Fabricate(:private_message_post).topic
+
+ # Anonymous, does not have access
+ expect do
+ search_for("", topic_id: pm_topic.id)
+ end.to raise_error(Discourse::InvalidAccess)
+
+ # Random user, does not have access
+ expect do
+ search_for("", topic_id: pm_topic.id, searching_user: user1)
+ end.to raise_error(Discourse::InvalidAccess)
+
+ pm_topic.invite(pm_topic.user, user1.username)
+ results = search_for("", topic_id: pm_topic.id, searching_user: user1)
+ expect(results.length).to eq(1)
+ expect(results[0]).to eq(pm_topic.user)
+ end
+
 end
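Review bot: `Topic.find(@topic_id)` on the added line raises `ActiveRecord::RecordNotFound` for an id that does not exist, so a missing topic and a topic the searcher is not allowed to see surface as different errors (typically a 404 versus the 403 from `Discourse::InvalidAccess`), which lets a caller probe whether a given private topic id exists. Looking the topic up with `find_by` and handing the result to the guardian gives one uniform failure, assuming `ensure_can_see_topic!` rejects `nil` the same way it rejects an invisible topic, which is worth confirming: `@guardian.ensure_can_see_topic!(Topic.find_by(id: @topic_id)) if @topic_id`. That form also wraps the argument in parentheses, matching the `ensure_can_see_groups!` call on the line above. The enclosing method (presumably `initialize`) starts outside the hunk.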
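Review bot: The new example covers an anonymous searcher and an unrelated user but never a `topic_id` that does not exist, so the error raised for a missing topic is left unpinned by the spec. A third case such as `expect do search_for("", topic_id: <nonexistent-topic-id>) end.to raise_error(Discourse::InvalidAccess)` would document whether a missing topic is meant to be indistinguishable from a forbidden one. The surrounding `describe` block and the `user1` fixture are defined outside the hunk.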