SECURITY: Restrict message-bus access on login_required sites

David Taylor 2019-08-13 14:44:22 +01:00
parent ab3e18090f
commit d237da16c5
3 changed files with 42 additions and 0 deletions


@ -34,6 +34,12 @@ export default {
// we do not want to start anything till document is complete
messageBus.stop();
if (siteSettings.login_required && !user) {
// Endpoint is not available in this case, so don't try
return;
}
// jQuery ready is called on "interactive" we want "complete"
// Possibly change to document.addEventListener('readystatechange',...
// but would only stop a handful of interval, message bus being delayed by
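Review bot: The guard at `if (siteSettings.login_required && !user)` carries a comment about endpoint availability but nothing saying that it is only a client-side shortcut and that the server enforces the rule independently, so a later reader may assume removing it re-opens anonymous polling. A comment such as `// Server rejects anonymous polls on login_required sites; this only avoids a guaranteed 403` would make the division of responsibility explicit. The `user` and `siteSettings` bindings, and the enclosing function, begin outside this hunk.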


@ -37,6 +37,9 @@ def setup_message_bus_env(env)
Discourse.warn_exception(e, message: "Unexpected error in Message Bus")
end
user_id = user && user.id
raise Discourse::InvalidAccess if !user_id && SiteSetting.login_required
is_admin = !!(user && user.admin?)
group_ids = if is_admin
# special rule, admin is allowed access to all groups
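Review bot: The `raise Discourse::InvalidAccess if !user_id && SiteSetting.login_required` line is placed after the `rescue` that appears to swallow errors from the current-user lookup, so on a login_required site a failed lookup now denies access instead of falling through as anonymous; that fail-closed ordering is the substance of the fix and should be stated, e.g. `# Runs after the rescue above on purpose: a failed user lookup must fail closed when login is required`. The preceding `user_id = user && user.id` could be written `user&.id` if that line is touched. setup_message_bus_env starts before this hunk and continues after it.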


@ -0,0 +1,33 @@
# frozen_string_literal: true
require 'rails_helper'
describe 'message bus integration' do
it "allows anonymous requests to the messagebus" do
post "/message-bus/poll"
expect(response.status).to eq(200)
end
it "allows authenticated requests to the messagebus" do
sign_in Fabricate(:user)
post "/message-bus/poll"
expect(response.status).to eq(200)
end
context "with login_required" do
before { SiteSetting.login_required = true }
it "blocks anonymous requests to the messagebus" do
post "/message-bus/poll"
expect(response.status).to eq(403)
end
it "allows authenticated requests to the messagebus" do
sign_in Fabricate(:user)
post "/message-bus/poll"
expect(response.status).to eq(200)
end
end
end
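Review bot: The example at `it "allows authenticated requests to the messagebus"` inside `context "with login_required"` has the same description as the example at line 43, so a failure report names two examples identically and only the nesting path tells them apart. Renaming the inner one to `it "allows authenticated requests to the messagebus when login is required"` would disambiguate. The spec also does not assert anything about the admin path mentioned in the server hunk, though that may be covered elsewhere.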