SECURITY: Check permissions when autocompleting mentions
This commit is contained in:
parent
afea20953f
commit
c38c37bcc3
|
@ -16,6 +16,7 @@ class UserSearch
|
||||||
@groups = opts[:groups]
|
@groups = opts[:groups]
|
||||||
@guardian = Guardian.new(@searching_user)
|
@guardian = Guardian.new(@searching_user)
|
||||||
@guardian.ensure_can_see_groups!(@groups) if @groups
|
@guardian.ensure_can_see_groups!(@groups) if @groups
|
||||||
|
@guardian.ensure_can_see_topic! Topic.find(@topic_id) if @topic_id
|
||||||
end
|
end
|
||||||
|
|
||||||
def scoped_users
|
def scoped_users
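Review bot: The added guard resolves the topic with `Topic.find`, which raises ActiveRecord::RecordNotFound for an id that does not exist while the permission failure raises Discourse::InvalidAccess, so a caller who is denied access can still learn whether a given topic id exists from which error (typically 404 vs 403) comes back. A nil-tolerant lookup that lets the guardian reject the missing topic keeps both cases indistinguishable: `@guardian.ensure_can_see_topic!(Topic.find_by(id: @topic_id)) if @topic_id`, assuming `can_see_topic?` returns false for nil as the other guardian predicates do — worth confirming against Guardian. The initializer this line belongs to begins above the hunk, so how `@topic_id` is assigned from `opts` is not visible here.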
|
||||||
|
|
|
@ -158,4 +158,23 @@ describe UserSearch do
|
||||||
expect(results.map(&:username)).to eq(["mrpink", "mrorange"])
|
expect(results.map(&:username)).to eq(["mrpink", "mrorange"])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "only reveals topic participants to people with permission" do
|
||||||
|
pm_topic = Fabricate(:private_message_post).topic
|
||||||
|
|
||||||
|
# Anonymous, does not have access
|
||||||
|
expect do
|
||||||
|
search_for("", topic_id: pm_topic.id)
|
||||||
|
end.to raise_error(Discourse::InvalidAccess)
|
||||||
|
|
||||||
|
# Random user, does not have access
|
||||||
|
expect do
|
||||||
|
search_for("", topic_id: pm_topic.id, searching_user: user1)
|
||||||
|
end.to raise_error(Discourse::InvalidAccess)
|
||||||
|
|
||||||
|
pm_topic.invite(pm_topic.user, user1.username)
|
||||||
|
results = search_for("", topic_id: pm_topic.id, searching_user: user1)
|
||||||
|
expect(results.length).to eq(1)
|
||||||
|
expect(results[0]).to eq(pm_topic.user)
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
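Review bot: The new example only exercises an existing private-message topic; nothing covers a `topic_id` that does not resolve to a topic (or a deleted one), which is exactly the path where the production lookup's error type is not pinned down by any spec. One more expectation in the same example would lock that down, e.g. `expect { search_for("", topic_id: -1, searching_user: user1) }.to raise_error(Discourse::InvalidAccess)` if the lookup is made nil-tolerant, or `raise_error(ActiveRecord::RecordNotFound)` if the current behaviour is the intended one. The `search_for` helper is defined outside the hunk, so its handling of the `topic_id` and `searching_user` options is assumed here.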
|
||||||
|
|