FIX: Don't error out on nested topic show id param (#29274)

We're expecting the ID param to be something that neatly coerces into an ID. If we receive something like a nested parameter, this will blow up. (We already handle the case of arrays.)

This commit raises an InvalidParameters exception in the case of a nested ID.
Ted Johansson 2024-10-18 14:37:52 +08:00 committed by GitHub
parent 9dafbe47dc
commit f8360f9665
2 changed files with 7 additions and 1 deletions

@ -51,7 +51,7 @@ class TopicsController < ApplicationController
end end
def show def show
if params[:id].is_a?(Array) if params[:id].is_a?(Array) || params[:id].is_a?(ActionController::Parameters)
raise Discourse::InvalidParameters.new("Show only accepts a single ID") raise Discourse::InvalidParameters.new("Show only accepts a single ID")
end end
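Review bot: the guard on the changed `if params[:id].is_a?(Array) || params[:id].is_a?(ActionController::Parameters)` line in `show` rejects container types by name, so each further shape that does not coerce into an ID needs its own clause. Consider inverting the check to accept only the scalar the action expects and raise `Discourse::InvalidParameters` for everything else. The message "Show only accepts a single ID" was written for the array case and reads oddly for a nested parameter; a wording that covers both would help whoever reads the 400 response. A short comment above the guard saying why `ActionController::Parameters` can show up here (a query string such as `id[foo]=a`, as in the new spec) would also document the intent.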

@ -2344,6 +2344,12 @@ RSpec.describe TopicsController do
expect(response.status).to eq(400) expect(response.status).to eq(400)
end end
it "does not raise an unhandled exception when receiving a nested ID parameter" do
get "/t/#{topic.id}/summary?id[foo]=a"
expect(response.status).to eq(400)
end
it "keeps the post_number parameter around when redirecting" do it "keeps the post_number parameter around when redirecting" do
get "/t/#{topic.slug}", params: { post_number: 42 } get "/t/#{topic.slug}", params: { post_number: 42 }
expect(response).to redirect_to(topic.relative_url + "/42") expect(response).to redirect_to(topic.relative_url + "/42")
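Review bot: the new example "does not raise an unhandled exception when receiving a nested ID parameter" asserts only `expect(response.status).to eq(400)` and exercises a single path, `/t/#{topic.id}/summary?id[foo]=a`. If `show` is reachable through other routes, add a case for at least one of them so the guard is not covered only via the summary URL. Asserting on the error type in the response body as well would confirm that the 400 comes from `Discourse::InvalidParameters` and not from some other rejection earlier in the request.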