From cd3904926238ebaa53d7be1724b9f2d9e86200fd Mon Sep 17 00:00:00 2001
From: Sam Saffron
Date: Wed, 5 Apr 2017 08:28:24 -0400
Subject: [PATCH] SECURITY: do not send push notifications to suspended users

---
 app/services/post_alerter.rb       |  2 +-
 spec/services/post_alerter_spec.rb | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/app/services/post_alerter.rb b/app/services/post_alerter.rb
index 4f2d9026a72..014f5d0cfea 100644
--- a/app/services/post_alerter.rb
+++ b/app/services/post_alerter.rb
@@ -373,7 +373,7 @@ class PostAlerter
                                post_action_id: opts[:post_action_id],
                                data: notification_data.to_json)
 
-    if !existing_notification && NOTIFIABLE_TYPES.include?(type)
+    if !existing_notification && NOTIFIABLE_TYPES.include?(type) && !user.suspended?
       # we may have an invalid post somehow, dont blow up
       post_url = original_post.url rescue nil
       if post_url
diff --git a/spec/services/post_alerter_spec.rb b/spec/services/post_alerter_spec.rb
index ff160244f33..0b724d09a12 100644
--- a/spec/services/post_alerter_spec.rb
+++ b/spec/services/post_alerter_spec.rb
@@ -328,6 +328,26 @@ describe PostAlerter do
     let(:mention_post) { create_post_with_alerts(user: user, raw: 'Hello @eviltrout :heart:')}
     let(:topic) { mention_post.topic }
 
+    it "pushes nothing to suspended users" do
+
+      SiteSetting.allowed_user_api_push_urls = "https://site.com/push|https://site2.com/push"
+
+      evil_trout.update_columns(suspended_till: 1.year.from_now)
+
+      2.times do |i|
+        UserApiKey.create!(user_id: evil_trout.id,
+                           client_id: "xxx#{i}",
+                           key: "yyy#{i}",
+                           application_name: "iPhone#{i}",
+                           scopes: ['notifications'],
+                           push_url: "https://site2.com/push")
+      end
+
+      # should only happen once even though we are using 2 keys
+      RestClient.expects(:post).never
+      mention_post
+    end
+
     it "correctly pushes notifications if configured correctly" do
       SiteSetting.allowed_user_api_push_urls = "https://site.com/push|https://site2.com/push"
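Review bot: The `!user.suspended?` clause on the changed `if` line guards only the push branch beneath it; the call ending in `data: notification_data.to_json)` just above is outside the guard and still runs for a suspended user, which looks intended (the stored notification is presumably visible once the suspension lifts) but is stated nowhere in the code. A one-line comment would keep the clause from being dropped in a later refactor of this condition, e.g. `# SECURITY: suspended users must never receive push payloads`. The method enclosing this hunk starts and ends outside it, so I cannot see whether other out-of-band delivery paths in the same method need the same check — worth confirming before merging. If the condition grows again, naming it (`push_allowed = !existing_notification && NOTIFIABLE_TYPES.include?(type) && !user.suspended?`) would read better than extending the `if` a third time.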