discourse/spec/requests/admin/staff_action_logs_controller_spec.rb
Alan Guo Xiang Tan 439cc5b023
SECURITY: Impose a upper bound on limit params in various controllers
What is the problem here?

In multiple controllers, we are accepting a `limit` params but do not
impose any upper bound on the values being accepted. Without an upper
bound, we may be allowing arbituary users from generating DB queries
which may end up exhausing the resources on the server.

What is the fix here?

A new `fetch_limit_from_params` helper method is introduced in
`ApplicationController` that can be used by controller actions to safely
get the limit from the params as a default limit and maximum limit has
to be set. When an invalid limit params is encountered, the server will
respond with the 400 response code.
2023-07-28 12:56:35 +01:00

165 lines
5.2 KiB
Ruby

# frozen_string_literal: true
RSpec.describe Admin::StaffActionLogsController do
fab!(:admin) { Fabricate(:admin) }
fab!(:moderator) { Fabricate(:moderator) }
fab!(:user) { Fabricate(:user) }
describe "#index" do
shared_examples "staff action logs accessible" do
it "returns logs" do
topic = Fabricate(:topic)
StaffActionLogger.new(Discourse.system_user).log_topic_delete_recover(topic, "delete_topic")
get "/admin/logs/staff_action_logs.json",
params: {
action_id: UserHistory.actions[:delete_topic],
}
json = response.parsed_body
expect(response.status).to eq(200)
expect(json["staff_action_logs"].length).to eq(1)
expect(json["staff_action_logs"][0]["action_name"]).to eq("delete_topic")
expect(json["extras"]["user_history_actions"]).to include(
"id" => "delete_topic",
"action_id" => UserHistory.actions[:delete_topic],
)
end
describe "when limit params is invalid" do
include_examples "invalid limit params",
"/admin/logs/staff_action_logs.json",
described_class::INDEX_LIMIT
end
end
context "when logged in as an admin" do
before { sign_in(admin) }
include_examples "staff action logs accessible"
it "generates logs with pages" do
1
.upto(4)
.each do |idx|
StaffActionLogger.new(Discourse.system_user).log_site_setting_change(
"title",
"value #{idx - 1}",
"value #{idx}",
)
end
get "/admin/logs/staff_action_logs.json", params: { limit: 3 }
json = response.parsed_body
expect(response.status).to eq(200)
expect(json["staff_action_logs"].length).to eq(3)
expect(json["staff_action_logs"][0]["new_value"]).to eq("value 4")
get "/admin/logs/staff_action_logs.json", params: { limit: 3, page: 1 }
json = response.parsed_body
expect(response.status).to eq(200)
expect(json["staff_action_logs"].length).to eq(1)
expect(json["staff_action_logs"][0]["new_value"]).to eq("value 1")
end
context "when staff actions are extended" do
let(:plugin_extended_action) { :confirmed_ham }
before { UserHistory.stubs(:staff_actions).returns([plugin_extended_action]) }
after { UserHistory.unstub(:staff_actions) }
it "Uses the custom_staff id" do
get "/admin/logs/staff_action_logs.json", params: {}
json = response.parsed_body
action = json["extras"]["user_history_actions"].first
expect(action["id"]).to eq plugin_extended_action.to_s
expect(action["action_id"]).to eq UserHistory.actions[:custom_staff]
end
end
end
context "when logged in as a moderator" do
before { sign_in(moderator) }
include_examples "staff action logs accessible"
end
context "when logged in as a non-staff user" do
before { sign_in(user) }
it "denies access with a 404 response" do
get "/admin/logs/staff_action_logs.json",
params: {
action_id: UserHistory.actions[:delete_topic],
}
expect(response.status).to eq(404)
expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
end
end
end
describe "#diff" do
shared_examples "theme diffs accessible" do
it "generates diffs for theme changes" do
theme = Fabricate(:theme)
theme.set_field(target: :mobile, name: :scss, value: "body {.up}")
theme.set_field(target: :common, name: :scss, value: "omit-dupe")
original_json = ThemeSerializer.new(theme, root: false).to_json
theme.set_field(target: :mobile, name: :scss, value: "body {.down}")
record = StaffActionLogger.new(Discourse.system_user).log_theme_change(original_json, theme)
get "/admin/logs/staff_action_logs/#{record.id}/diff.json"
expect(response.status).to eq(200)
parsed = response.parsed_body
expect(parsed["side_by_side"]).to include("up")
expect(parsed["side_by_side"]).to include("down")
expect(parsed["side_by_side"]).not_to include("omit-dupe")
end
end
context "when logged in as an admin" do
before { sign_in(admin) }
include_examples "theme diffs accessible"
it "is not erroring when current value is empty" do
theme = Fabricate(:theme)
StaffActionLogger.new(admin).log_theme_destroy(theme)
get "/admin/logs/staff_action_logs/#{UserHistory.last.id}/diff.json"
expect(response.status).to eq(200)
end
end
context "when logged in as a moderator" do
before { sign_in(moderator) }
include_examples "theme diffs accessible"
end
context "when logged in as a non-staff user" do
before { sign_in(user) }
it "denies access with a 404 response" do
theme = Fabricate(:theme)
StaffActionLogger.new(admin).log_theme_destroy(theme)
get "/admin/logs/staff_action_logs/#{UserHistory.last.id}/diff.json"
expect(response.status).to eq(404)
expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
end
end
end
end