mirror of
https://github.com/discourse/discourse.git
synced 2024-11-22 12:12:26 +08:00
FIX: Don't error out on nested topic show id param (#29274)
We're expecting the ID param to be something that neatly coerces into an ID. If we receive something like a nested parameter, this will blow up. (We already handle the case of arrays.) This commit raises an InvalidParameters exception in the case of a nested ID.
parent
9dafbe47dc
commit
f8360f9665
|
@ -51,7 +51,7 @@ class TopicsController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def show
|
def show
|
||||||
if params[:id].is_a?(Array)
|
if params[:id].is_a?(Array) || params[:id].is_a?(ActionController::Parameters)
|
||||||
raise Discourse::InvalidParameters.new("Show only accepts a single ID")
|
raise Discourse::InvalidParameters.new("Show only accepts a single ID")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
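Review bot: The new condition in `show` rejects input by listing container classes (`Array`, `ActionController::Parameters`), so it must be extended each time another non-scalar shape reaches `params[:id]`. Stating what the action accepts would close the whole class at once. A guard such as `if params[:id] && !(params[:id].is_a?(String) || params[:id].is_a?(Integer))` would do that, assuming `id` only ever arrives as a string or an integer; the hunk does not show this, so confirm it against the routes and any JSON callers. The body of `show` continues past the end of the hunk, so how `params[:id]` is used after the guard is not visible here.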
@ -2344,6 +2344,12 @@ RSpec.describe TopicsController do
|
||||||
expect(response.status).to eq(400)
|
expect(response.status).to eq(400)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "does not raise an unhandled exception when receiving a nested ID parameter" do
|
||||||
|
get "/t/#{topic.id}/summary?id[foo]=a"
|
||||||
|
|
||||||
|
expect(response.status).to eq(400)
|
||||||
|
end
|
||||||
|
|
||||||
it "keeps the post_number parameter around when redirecting" do
|
it "keeps the post_number parameter around when redirecting" do
|
||||||
get "/t/#{topic.slug}", params: { post_number: 42 }
|
get "/t/#{topic.slug}", params: { post_number: 42 }
|
||||||
expect(response).to redirect_to(topic.relative_url + "/42")
|
expect(response).to redirect_to(topic.relative_url + "/42")
|
||||||
|
|
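Review bot: The added example asserts only `expect(response.status).to eq(400)`, so it would also pass if the request were rejected with a 400 for a reason unrelated to the new guard. Pinning the cause would tie the test to the `Discourse::InvalidParameters` path. One option is an extra `expect(response.body).to include("Show only accepts a single ID")`, if the rendered error carries the exception message, which this page does not show.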