mirror of
https://github.com/discourse/discourse.git
synced 2024-11-27 23:16:20 +08:00
b609f6c11c
It was possible to see notifications of other users using routes: - notifications/responses - notifications/likes-received - notifications/mentions - notifications/edits We weren't showing anything private (like notifications about private messages), only things that're publicly available in other places. But anyway, it feels strange that it's possible to look at notifications of someone else. Additionally, there is a risk that we can unintentionally leak something on these pages in the future. This commit restricts these routes.
55 lines
1.5 KiB
Ruby
55 lines
1.5 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class UserActionsController < ApplicationController
|
|
def index
|
|
params.require(:username)
|
|
params.permit(:filter, :offset, :acting_username, :limit)
|
|
|
|
user = fetch_user_from_params(include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts))
|
|
offset = [0, params[:offset].to_i].max
|
|
action_types = (params[:filter] || "").split(",").map(&:to_i)
|
|
limit = params.fetch(:limit, 30).to_i
|
|
|
|
raise Discourse::NotFound unless guardian.can_see_profile?(user)
|
|
raise Discourse::NotFound unless guardian.can_see_user_actions?(user, action_types)
|
|
|
|
opts = {
|
|
user_id: user.id,
|
|
user: user,
|
|
offset: offset,
|
|
limit: limit,
|
|
action_types: action_types,
|
|
guardian: guardian,
|
|
ignore_private_messages: params[:filter] ? false : true,
|
|
acting_username: params[:acting_username]
|
|
}
|
|
|
|
stream = UserAction.stream(opts).to_a
|
|
if stream.empty? && (help_key = params['no_results_help_key'])
|
|
if user.id == guardian.user.try(:id)
|
|
help_key += ".self"
|
|
else
|
|
help_key += ".others"
|
|
end
|
|
render json: {
|
|
user_action: [],
|
|
no_results_help: I18n.t(help_key)
|
|
}
|
|
else
|
|
render_serialized(stream, UserActionSerializer, root: 'user_actions')
|
|
end
|
|
|
|
end
|
|
|
|
def show
|
|
params.require(:id)
|
|
render_serialized(UserAction.stream_item(params[:id], guardian), UserActionSerializer)
|
|
end
|
|
|
|
def private_messages
|
|
# DO NOT REMOVE
|
|
# TODO should preload messages to avoid extra http req
|
|
end
|
|
|
|
end
|