SECURITY: Check permissions when autocompleting mentions

2024-12-14 21:03:59 +08:00 · 2019-10-28 12:20:26 +00:00 · 2019-10-28 12:20:26 +00:00 · c38c37bcc3
commit c38c37bcc3
parent afea20953f
2 changed files with 20 additions and 0 deletions
--- a/app/models/user_search.rb
+++ b/app/models/user_search.rb
@ -16,6 +16,7 @@ class UserSearch
    @groups = opts[:groups]
    @guardian = Guardian.new(@searching_user)
    @guardian.ensure_can_see_groups!(@groups) if @groups
+    @guardian.ensure_can_see_topic! Topic.find(@topic_id) if @topic_id
  end

  def scoped_users
--- a/spec/models/user_search_spec.rb
+++ b/spec/models/user_search_spec.rb
@ -158,4 +158,23 @@ describe UserSearch do
    expect(results.map(&:username)).to eq(["mrpink", "mrorange"])
  end

+  it "only reveals topic participants to people with permission" do
+    pm_topic = Fabricate(:private_message_post).topic
+
+    # Anonymous, does not have access
+    expect do
+      search_for("", topic_id: pm_topic.id)
+    end.to raise_error(Discourse::InvalidAccess)
+
+    # Random user, does not have access
+    expect do
+      search_for("", topic_id: pm_topic.id, searching_user: user1)
+    end.to raise_error(Discourse::InvalidAccess)
+
+    pm_topic.invite(pm_topic.user, user1.username)
+    results = search_for("", topic_id: pm_topic.id, searching_user: user1)
+    expect(results.length).to eq(1)
+    expect(results[0]).to eq(pm_topic.user)
+  end
+
 end