discourse/spec
Alan Guo Xiang Tan 65820e8ac1
SECURITY: Restrict display of topic titles associated with user badges (#18768) (#18770)
Before this commit, we did not have guardian checks in place to determine if a
topic's title associated with a user badge should be displayed or not.
This means that the topic title of topics with restricted access
could be leaked to anon and users without access if certain conditions
are met. While we will not specify the conditions required, we have internally
assessed that the odds of meeting such conditions are low.

With this commit, we will now apply a guardian check to ensure that the
current user is able to see a topic before the topic's title is included
in the serialized object of a `UserBadge`.
2022-10-27 11:48:00 +08:00
components DEV: Introduce TopicGuardian#can_see_topic_ids method (#18692) (#18765) 2022-10-27 07:46:28 +08:00
fabricators SECURITY: Restrict display of topic titles associated with user badges (#18768) (#18770) 2022-10-27 11:48:00 +08:00
fixtures FIX: Select best link from Atom feed (#15663) 2022-01-21 17:54:18 +02:00
helpers PERF: Redis snapshotting during tests (#15260) 2021-12-10 14:25:26 -06:00
import_export
initializers FEATURE: A low priority filter for the review queue. (#12822) 2021-04-23 15:34:24 -03:00
integration FIX: Make thumbnail tests start with a clean slate (#15216) 2021-12-07 13:07:45 -06:00
integrity DEV: Fix a flaky Onceoff spec (#13314) 2021-06-07 20:38:31 +02:00
jobs SECURITY: Hide private categories in user activity export (#16276) 2022-03-24 15:56:50 +10:00
lib SECURITY: Prevent arbitrary file write when decompressing files (stable) (#18423) 2022-09-29 20:07:58 +02:00
mailers DEV: Hash tokens stored from email_tokens (#14493) 2021-11-25 09:34:39 +02:00
models SECURITY: Limit email invitations to topic 2022-08-10 11:47:14 +02:00
multisite FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) 2021-11-17 23:27:30 +03:00
requests SECURITY: Restrict display of topic titles associated with user badges (#18768) (#18770) 2022-10-27 11:48:00 +08:00
script/import_scripts DEV: If disabled do not change setting after import (#12142) 2021-02-19 09:33:35 -07:00
serializers SECURITY: Restrict display of topic titles associated with user badges (#18768) (#18770) 2022-10-27 11:48:00 +08:00
services FIX: Prevent "integer out of range" when merging post timings (#15723) 2022-01-26 23:34:28 +01:00
support DEV: Introduce TopicGuardian#can_see_topic_ids method (#18692) (#18765) 2022-10-27 07:46:28 +08:00
tasks DEV: Clean up old bookmark code (#15455) 2022-01-05 10:02:02 +10:00
views/omniauth_callbacks
rails_helper.rb DEV: Avoid $ globals (#15453) 2022-01-08 23:39:46 +01:00
regenerate_swagger_docs DEV: Add API docs for uploads and API doc watcher (#15387) 2021-12-23 08:40:15 +10:00
swagger_helper.rb DEV: Add API docs for uploads and API doc watcher (#15387) 2021-12-23 08:40:15 +10:00