SECURITY: Check permissions when autocompleting mentions

This commit is contained in:
David Taylor 2019-10-28 12:20:26 +00:00
parent afea20953f
commit c38c37bcc3
2 changed files with 20 additions and 0 deletions


@ -16,6 +16,7 @@ class UserSearch
@groups = opts[:groups] @groups = opts[:groups]
@guardian = Guardian.new(@searching_user) @guardian = Guardian.new(@searching_user)
@guardian.ensure_can_see_groups!(@groups) if @groups @guardian.ensure_can_see_groups!(@groups) if @groups
@guardian.ensure_can_see_topic! Topic.find(@topic_id) if @topic_id
end end
def scoped_users def scoped_users
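Review bot: `Topic.find(@topic_id)` on the added line raises `ActiveRecord::RecordNotFound` when no topic has that id, while an existing topic the searcher may not see raises `Discourse::InvalidAccess` from `ensure_can_see_topic!`, so a caller probing ids can distinguish nonexistent (or hard-deleted) topics from merely hidden ones. If that oracle matters for this endpoint, `@guardian.ensure_can_see_topic!(Topic.find_by(id: @topic_id)) if @topic_id` would give one uniform failure, assuming the guardian rejects a nil topic the way it rejects an invisible one — worth confirming against `Guardian#ensure_can_see!`. Putting the check in the constructor rather than in `scoped_users` does mean every `UserSearch` built with a `topic_id` is gated, which is the right place for it. The enclosing `initialize` begins outside the hunk.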


@ -158,4 +158,23 @@ describe UserSearch do
expect(results.map(&:username)).to eq(["mrpink", "mrorange"]) expect(results.map(&:username)).to eq(["mrpink", "mrorange"])
end end
it "only reveals topic participants to people with permission" do
pm_topic = Fabricate(:private_message_post).topic
# Anonymous, does not have access
expect do
search_for("", topic_id: pm_topic.id)
end.to raise_error(Discourse::InvalidAccess)
# Random user, does not have access
expect do
search_for("", topic_id: pm_topic.id, searching_user: user1)
end.to raise_error(Discourse::InvalidAccess)
pm_topic.invite(pm_topic.user, user1.username)
results = search_for("", topic_id: pm_topic.id, searching_user: user1)
expect(results.length).to eq(1)
expect(results[0]).to eq(pm_topic.user)
end
end end
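Review bot: The new example never pins what happens for a `topic_id` that does not exist, which with `Topic.find` in the constructor is `ActiveRecord::RecordNotFound` rather than `Discourse::InvalidAccess`; a third expectation such as `expect { search_for("", topic_id: -1) }.to raise_error(ActiveRecord::RecordNotFound)` would make that contract explicit so a later switch to `find_by` cannot change the error type unnoticed. The invite step is also unchecked: if `Topic#invite` reports success with a truthy return, `expect(pm_topic.invite(pm_topic.user, user1.username)).to be_truthy` would surface a failed invite at its source instead of as the later `results.length` mismatch. The enclosing `describe UserSearch` block begins outside the hunk.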