SECURITY: Restrict message-bus access on login_required sites
This commit is contained in:
parent
ab3e18090f
commit
d237da16c5
|
@ -34,6 +34,12 @@ export default {
|
|||
|
||||
// we do not want to start anything till document is complete
|
||||
messageBus.stop();
|
||||
|
||||
if (siteSettings.login_required && !user) {
|
||||
// Endpoint is not available in this case, so don't try
|
||||
return;
|
||||
}
|
||||
|
||||
// jQuery ready is called on "interactive" we want "complete"
|
||||
// Possibly change to document.addEventListener('readystatechange',...
|
||||
// but would only stop a handful of interval, message bus being delayed by
|
||||
|
|
|
@ -37,6 +37,9 @@ def setup_message_bus_env(env)
|
|||
Discourse.warn_exception(e, message: "Unexpected error in Message Bus")
|
||||
end
|
||||
user_id = user && user.id
|
||||
|
||||
raise Discourse::InvalidAccess if !user_id && SiteSetting.login_required
|
||||
|
||||
is_admin = !!(user && user.admin?)
|
||||
group_ids = if is_admin
|
||||
# special rule, admin is allowed access to all groups
|
||||
|
|
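Review bot: The new `raise Discourse::InvalidAccess if !user_id && SiteSetting.login_required` sits directly after the `rescue` whose `Discourse.warn_exception(e, message: "Unexpected error in Message Bus")` is visible at the top of the hunk, so on a login_required site a swallowed failure in whatever that block computes presumably leaves `user` nil and now surfaces as InvalidAccess instead of an anonymous poll; that is the fail-closed outcome a login-gated site wants, but it is not obvious from the line and deserves a comment such as `# login_required sites never serve the bus to anonymous clients; a failed lookup above also ends up here (fail closed)`. The placement also matters: the guard must stay ahead of the `is_admin` and `group_ids` computation so that no per-user channel data is derived for a request that will be rejected. `user_id = user&.id` would be the modern spelling, though the neighbouring `!!(user && user.admin?)` keeps the older form, so consistency may favour leaving it. setup_message_bus_env starts outside the hunk, so where `user` is assigned cannot be confirmed from here.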
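--- a/spec/integration/message_bus_spec.rb
+++ b/spec/integration/message_bus_spec.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'message bus integration' do
+
+it "allows anonymous requests to the messagebus" do
+post "/message-bus/poll"
+expect(response.status).to eq(200)
+end
+
+it "allows authenticated requests to the messagebus" do
+sign_in Fabricate(:user)
+post "/message-bus/poll"
+expect(response.status).to eq(200)
+end
+
+context "with login_required" do
+before { SiteSetting.login_required = true }
+
+it "blocks anonymous requests to the messagebus" do
+post "/message-bus/poll"
+expect(response.status).to eq(403)
+end
+
+it "allows authenticated requests to the messagebus" do
+sign_in Fabricate(:user)
+post "/message-bus/poll"
+expect(response.status).to eq(200)
+end
+end
+
+end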
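Review bot: The example `it "allows authenticated requests to the messagebus" do` inside the `with login_required` context carries the same description as the top-level example, so a failure report does not say which setting was in force; rename the inner one to `it "still allows authenticated requests when login is required" do`. The anonymous-allowed example depends on login_required being off by default rather than stating it, so a `before { SiteSetting.login_required = false }` or a sibling `context "without login_required"` would make the two outcomes an explicit pair. The 403 assertion pins the server-side guard for a plain anonymous poll; no example here covers a caller authenticated by other means (admin or API key), so if those requests pass through the same message-bus setup the guard is inherited untested for them.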