From d237da16c5ec9d5330818c7c3a58530510b8f571 Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Tue, 13 Aug 2019 14:44:22 +0100
Subject: [PATCH] SECURITY: Restrict message-bus access on login_required sites

---
 .../discourse/initializers/message-bus.js.es6 | 6 ++++
 config/initializers/004-message_bus.rb | 3 ++
 spec/integration/message_bus_spec.rb | 33 +++++++++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 spec/integration/message_bus_spec.rb

diff --git a/app/assets/javascripts/discourse/initializers/message-bus.js.es6 b/app/assets/javascripts/discourse/initializers/message-bus.js.es6
index 6730825e8ab..960aaaaf1c9 100644
--- a/app/assets/javascripts/discourse/initializers/message-bus.js.es6
+++ b/app/assets/javascripts/discourse/initializers/message-bus.js.es6
@@ -34,6 +34,12 @@ export default {
 
     // we do not want to start anything till document is complete
     messageBus.stop();
+
+    if (siteSettings.login_required && !user) {
+      // Endpoint is not available in this case, so don't try
+      return;
+    }
+
     // jQuery ready is called on "interactive" we want "complete"
     // Possibly change to document.addEventListener('readystatechange',...
     // but would only stop a handful of interval, message bus being delayed by
diff --git a/config/initializers/004-message_bus.rb b/config/initializers/004-message_bus.rb
index a39b6ee782c..628d0c5a167 100644
--- a/config/initializers/004-message_bus.rb
+++ b/config/initializers/004-message_bus.rb
@@ -37,6 +37,9 @@ def setup_message_bus_env(env)
     Discourse.warn_exception(e, message: "Unexpected error in Message Bus")
   end
   user_id = user && user.id
+
+  raise Discourse::InvalidAccess if !user_id && SiteSetting.login_required
+
   is_admin = !!(user && user.admin?)
   group_ids = if is_admin
     # special rule, admin is allowed access to all groups
diff --git a/spec/integration/message_bus_spec.rb b/spec/integration/message_bus_spec.rb
new file mode 100644
index 00000000000..62db333df39
--- /dev/null
+++ b/spec/integration/message_bus_spec.rb
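Review bot: The comment on the new `if (siteSettings.login_required && !user)` branch should say that this early return is a client-side convenience and not the access control, otherwise a reader may take the browser check as the enforcement point. I would extend it to: `// The server answers anonymous /message-bus/poll with 403 on login_required sites (config/initializers/004-message_bus.rb); skipping the bus here only avoids a request that would fail, the check that matters is server-side.` `user` and `siteSettings` are set earlier in the initializer, outside this hunk, so whether an anonymous visitor yields null or undefined here (both falsy, so the branch works either way) cannot be confirmed from the hunk. The enclosing function starts and ends outside the hunk.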
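Review bot: The new `raise Discourse::InvalidAccess if !user_id && SiteSetting.login_required` carries no rationale, and in a security fix the reason deserves a line above it: `# Refuse anonymous polling on login_required sites: channel payloads must not be readable without a session.` The guard sits after the user lookup whose rescue (partly visible above, it logs via Discourse.warn_exception) leaves `user` nil on failure, so on a login_required site a failed lookup is refused rather than served as anonymous, which is the safe direction and worth stating in the same comment. Translating the raised `Discourse::InvalidAccess` into the 403 that the accompanying spec expects happens outside this hunk, so the spec is the only evidence that nothing in the message-bus middleware lets it surface as a 500. `setup_message_bus_env` continues past the end of the hunk.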
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'message bus integration' do
+
+  it "allows anonymous requests to the messagebus" do
+    post "/message-bus/poll"
+    expect(response.status).to eq(200)
+  end
+
+  it "allows authenticated requests to the messagebus" do
+    sign_in Fabricate(:user)
+    post "/message-bus/poll"
+    expect(response.status).to eq(200)
+  end
+
+  context "with login_required" do
+    before { SiteSetting.login_required = true }
+
+    it "blocks anonymous requests to the messagebus" do
+      post "/message-bus/poll"
+      expect(response.status).to eq(403)
+    end
+
+    it "allows authenticated requests to the messagebus" do
+      sign_in Fabricate(:user)
+      post "/message-bus/poll"
+      expect(response.status).to eq(200)
+    end
+  end
+
+end
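Review bot: The "allows authenticated requests to the messagebus" example is repeated verbatim inside and outside the `with login_required` context, which hides that the only behaviour the context adds is the anonymous 403; a `shared_examples` block declared once and pulled in with `include_examples` in both places would make that explicit without copying the three-line body. The blocked case asserts only `eq(403)`; if the poll response for a refused request is known to carry no channel payload, an assertion on `response.body` would pin the refusal itself rather than inferring it from the status. Whether `SiteSetting.login_required = true` in the `before` block is reset between examples depends on `rails_helper`, which is outside this patch.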