SECURITY: Check permissions when autocompleting mentions
This commit is contained in:
parent
afea20953f
commit
c38c37bcc3
|
@ -16,6 +16,7 @@ class UserSearch
|
|||
@groups = opts[:groups]
|
||||
@guardian = Guardian.new(@searching_user)
|
||||
@guardian.ensure_can_see_groups!(@groups) if @groups
|
||||
@guardian.ensure_can_see_topic! Topic.find(@topic_id) if @topic_id
|
||||
end
|
||||
|
||||
def scoped_users
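Review bot: `@guardian.ensure_can_see_topic! Topic.find(@topic_id) if @topic_id` fails differently for a topic id that does not exist (`Topic.find` raises `ActiveRecord::RecordNotFound`) than for one the searcher may not see (`Discourse::InvalidAccess`), so a caller probing `topic_id` values can tell private topics apart from unused ids. If the intent is to give no signal, load with `Topic.find_by(id: @topic_id)` and raise `Discourse::InvalidAccess` when the lookup returns nil, e.g. `topic = Topic.find_by(id: @topic_id) or raise Discourse::InvalidAccess` followed by `@guardian.ensure_can_see_topic!(topic)`; whether `ensure_can_see_topic!` already tolerates nil is not visible here. The loaded Topic is otherwise discarded, so if `scoped_users` queries by `@topic_id` it may be worth keeping the record in an ivar instead of loading twice. The initializer starts above the hunk, so where `@topic_id` is assigned cannot be seen from here.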
|
||||
|
|
|
@ -158,4 +158,23 @@ describe UserSearch do
|
|||
expect(results.map(&:username)).to eq(["mrpink", "mrorange"])
|
||||
end
|
||||
|
||||
it "only reveals topic participants to people with permission" do
|
||||
pm_topic = Fabricate(:private_message_post).topic
|
||||
|
||||
# Anonymous, does not have access
|
||||
expect do
|
||||
search_for("", topic_id: pm_topic.id)
|
||||
end.to raise_error(Discourse::InvalidAccess)
|
||||
|
||||
# Random user, does not have access
|
||||
expect do
|
||||
search_for("", topic_id: pm_topic.id, searching_user: user1)
|
||||
end.to raise_error(Discourse::InvalidAccess)
|
||||
|
||||
pm_topic.invite(pm_topic.user, user1.username)
|
||||
results = search_for("", topic_id: pm_topic.id, searching_user: user1)
|
||||
expect(results.length).to eq(1)
|
||||
expect(results[0]).to eq(pm_topic.user)
|
||||
end
|
||||
|
||||
end
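Review bot: The new example pins the anonymous, uninvited and invited cases but has no case for a `topic_id` that does not exist, so the error class a bad id produces in the initializer is left unspecified and could regress silently. Adding one more expectation, e.g. `expect { search_for("", topic_id: -1, searching_user: user1) }.to raise_error(<intended error class>)`, would document whether a missing topic is meant to be reported the same way as an inaccessible one. A staff or admin searcher who is not a participant would also be worth asserting, since that is the path most likely to be special-cased in the guardian. Minor style: `results.first` reads better than `results[0]`.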
|
||||
|
|