discourse/app/services
Martin Brennan 3c5fb871c0 SECURITY: Filter unread bookmark reminders the user cannot see
There is an edge case where the following occurs:

1. The user sets a bookmark reminder on a post/topic
2. The post/topic is changed to a PM before or after the reminder
   fires, and the notification remains unread by the user
3. The user opens their bookmark reminder notification list
   and they can still see the notification even though they cannot
   access the topic anymore

There is a very low chance for information leaking here, since
the only thing that could be exposed is the topic title if it
changes to something sensitive.

This commit filters the bookmark unread notifications by using
the bookmarkable can_see? methods and also prevents sending
reminder notifications for bookmarks the user can no longer see.
2023-11-09 13:39:16 +11:00
..
notifications DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
spam_rule DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
anonymous_shadow_creator.rb DEV: Change anonymous_posting_min_trust_level to a group-based setting (#24072) 2023-10-25 11:45:10 +10:00
badge_granter.rb DEV: Remove badge_granted_title column from user_profiles (#20476) 2023-03-08 13:37:20 +01:00
base_bookmarkable.rb DEV: Change Bookmarkable registration to DiscoursePluginRegistry (#20556) 2023-03-08 10:39:12 +10:00
category_hashtag_data_source.rb DEV: Remove enable_experimental_hashtag_autocomplete logic (#22820) 2023-08-08 11:18:55 +10:00
color_scheme_revisor.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
destroy_task.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
email_settings_exception_handler.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
email_settings_validator.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
email_style_updater.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
external_upload_manager.rb DEV: Add S3 upload system specs using minio (#22975) 2023-08-23 11:18:33 +10:00
group_action_logger.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
group_mentions_updater.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
group_message.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
handle_chunk_upload.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
hashtag_autocomplete_service.rb DEV: Remove enable_experimental_hashtag_autocomplete logic (#22820) 2023-08-08 11:18:55 +10:00
heat_settings_updater.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
inline_uploads.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
notification_emailer.rb DEV: Email notification filter plugin API (#24271) 2023-11-08 10:29:00 -06:00
post_action_notifier.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
post_alerter.rb FIX: Send push notifications for category/tag watching notifications (#24196) 2023-11-01 10:06:33 -05:00
post_bookmarkable.rb SECURITY: Filter unread bookmark reminders the user cannot see 2023-11-09 13:39:16 +11:00
post_owner_changer.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
push_notification_pusher.rb FEATURE: Improve push notification message for watching_category_or_tag notifications (#24228) 2023-11-06 10:13:23 -06:00
random_topic_selector.rb DEV: Remove Discourse.redis.delete_prefixed (#22103) 2023-06-16 12:44:35 +10:00
registered_bookmarkable.rb DEV: Change Bookmarkable registration to DiscoursePluginRegistry (#20556) 2023-03-08 10:39:12 +10:00
search_indexer.rb FIX: do not allow title stuffing to dominate search (#21464) 2023-05-10 11:47:58 +10:00
sidebar_section_links_updater.rb FIX: Seed all categories and tags configured as defaults for nav menu (#22793) 2023-07-27 10:52:33 +08:00
sidebar_site_settings_backfiller.rb FIX: Update sidebar to be navigation menu (#22101) 2023-06-15 09:31:28 +10:00
site_settings_task.rb DEV: Add rake command to help detect dead settings (#23300) 2023-08-29 09:42:52 -06:00
staff_action_logger.rb FIX: Keep ReviewableQueuedPosts even with user delete reviewable actions (#22501) 2023-07-18 11:50:31 +00:00
tag_hashtag_data_source.rb DEV: Remove enable_experimental_hashtag_autocomplete logic (#22820) 2023-08-08 11:18:55 +10:00
theme_settings_migrations_runner.rb FEATURE: Theme settings migrations (#24071) 2023-11-02 08:10:15 +03:00
themes_install_task.rb FEATURE: Theme settings migrations (#24071) 2023-11-02 08:10:15 +03:00
topic_bookmarkable.rb SECURITY: Filter unread bookmark reminders the user cannot see 2023-11-09 13:39:16 +11:00
topic_status_updater.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
topic_summarization.rb FIX: Everyone should be aware a cached summary is outdated. (#23438) 2023-09-06 12:09:21 -03:00
topic_timestamp_changer.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
tracked_topics_updater.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
trust_level_granter.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
user_action_manager.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
user_activator.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
user_anonymizer.rb FIX: Anonymizing a user clears their user status too (#21673) 2023-05-22 13:18:09 +08:00
user_authenticator.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
user_destroyer.rb FIX: Delete fast typer reviewable when deleting user (#23162) 2023-08-21 18:03:03 +08:00
user_merger.rb DEV: Remove badge_granted_title column from user_profiles (#20476) 2023-03-08 13:37:20 +01:00
user_notification_renderer.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
user_notification_schedule_processor.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
user_silencer.rb DEV: Enable unless cops 2023-02-21 10:30:48 +01:00
user_stat_count_updater.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
user_updater.rb FIX: Seed all categories and tags configured as defaults for nav menu (#22793) 2023-07-27 10:52:33 +08:00
username_changer.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
username_checker_service.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
web_hook_emitter.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
wildcard_domain_checker.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
wildcard_url_checker.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
word_watcher.rb FIX: Replace watched words with wildcards (#24279) 2023-11-08 18:51:11 +02:00