mirror of
https://github.com/discourse/discourse.git
synced 2024-11-26 02:10:00 +08:00
SECURITY: Don't expose user post counts to users who can't see the topic (#19728)
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com> Co-authored-by: Daniel Waterworth <me@danielwaterworth.com> Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
This commit is contained in:
parent
c0e2d7bada
commit
cbcf8a064b
|
@ -72,7 +72,7 @@ class UsersController < ApplicationController
|
|||
user_serializer = serializer_class.new(@user, scope: guardian, root: 'user')
|
||||
|
||||
topic_id = params[:include_post_count_for].to_i
|
||||
if topic_id != 0
|
||||
if topic_id != 0 && guardian.can_see?(Topic.find_by_id(topic_id))
|
||||
user_serializer.topic_post_count = { topic_id => Post.secured(guardian).where(topic_id: topic_id, user_id: @user.id).count }
|
||||
end
|
||||
else
|
||||
|
|
|
@ -4201,6 +4201,15 @@ RSpec.describe UsersController do
|
|||
expect(topic_post_count[topic.id.to_s]).to eq(1)
|
||||
end
|
||||
|
||||
it "doesn't include the post count when the signed in user doesn't have access" do
|
||||
c = Fabricate(:category, read_restricted: true)
|
||||
topic.update(category_id: c.id)
|
||||
expect(Guardian.new(user1).can_see?(topic)).to eq(false)
|
||||
get "/u/#{admin.username}.json", params: { include_post_count_for: topic.id }
|
||||
topic_post_count = response.parsed_body.dig("user", "topic_post_count")
|
||||
expect(topic_post_count).to eq(nil)
|
||||
end
|
||||
|
||||
it "includes all post types for staff members" do
|
||||
SiteSetting.whispers_allowed_groups = "#{Group::AUTO_GROUPS[:staff]}"
|
||||
sign_in(admin)
|
||||
|
|
Loading…
Reference in New Issue
Block a user