mirror of https://github.com/discourse/discourse.git (synced 2024-12-13 04:13:42 +08:00)
65820e8ac1
Before this commit, we did not have guardian checks in place to determine if a topic's title associated with a user badge should be displayed or not. This means that the topic title of topics with restricted access could be leaked to anon and users without access if certain conditions are met. While we will not specify the conditions required, we have internally assessed that the odds of meeting such conditions are low. With this commit, we will now apply a guardian check to ensure that the current user is able to see a topic before the topic's title is included in the serialized object of a `UserBadge`.
40 lines
816 B
Ruby
# frozen_string_literal: true

class DetailedUserBadgeSerializer < BasicUserBadgeSerializer
  # Supplies include_post_attributes? and include_topic_attributes?. This
  # serializer makes no guardian call of its own, so the "can the current user
  # see this topic?" check described in the commit message lives outside this
  # file and reaches the post/topic attributes through those two predicates.
  include UserBadgePostAndTopicAttributesMixin

  has_one :granted_by, serializer: UserBadgeSerializer::UserSerializer

  attributes :post_number, :topic_id, :topic_title, :is_favorite, :can_favorite

  def post_number
    object.post.post_number
  end

  def include_post_number?
    include_post_attributes?
  end

  def topic_id
    object.post.topic_id
  end

  def include_topic_id?
    include_topic_attributes?
  end

  def topic_title
    object.post.topic.title
  end

  # The title is chained to the topic_id predicate, so it is never emitted for
  # a topic whose id the viewer is not allowed to see.
  def include_topic_title?
    include_topic_id?
  end

  # A badge can be favourited only when the feature is enabled, only by the
  # user who holds it, and never for the built-in system badges (IDs 1..4).
  def can_favorite
    SiteSetting.max_favorite_badges > 0 &&
      (scope.current_user.present? && object.user_id == scope.current_user.id) &&
      !(1..4).include?(object.badge_id)
  end
end
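The serializer above only shows the "after" state, and the guardian logic it relies on is in the mixin rather than on this page. The following stand-alone Ruby is an added example, not Discourse's own code, that models both the leak described in the commit message and the gate that closes it: a minimal `Guardian#can_see_topic?`, a "before" serializer that emits the topic title whenever the badge was granted for a post, and an "after" serializer that additionally consults the guardian. `Guardian`, `Scope`, the `Struct`-based `Category`/`Topic`/`Post`/`User`/`UserBadge` models, the group and badge ids, and the sample topic are all constructed stand-ins for the real classes and data.

```ruby
# Added example, not Discourse's own code: a stand-alone model of the title
# leak described in the commit message and of the guardian gate that closes it.
# Guardian, Scope, the Struct models, the serializers, and the sample data are
# hypothetical stand-ins for the real Discourse classes.

Category  = Struct.new(:id, :read_restricted, :allowed_group_ids)
Topic     = Struct.new(:id, :title, :category)
Post      = Struct.new(:id, :post_number, :topic)
User      = Struct.new(:id, :group_ids)
UserBadge = Struct.new(:id, :badge_id, :user_id, :post)

# Hypothetical guardian: anyone may read topics in open categories; topics in
# read-restricted categories are visible only to members of an allowed group.
class Guardian
  def initialize(user)
    @user = user # nil for an anonymous viewer
  end

  def can_see_topic?(topic)
    return false if topic.nil?
    category = topic.category
    return true unless category.read_restricted
    return false if @user.nil?
    (category.allowed_group_ids & @user.group_ids).any?
  end
end

# Serializer scope: carries the current user (nil for anon) and a guardian.
Scope = Struct.new(:current_user) do
  def guardian
    Guardian.new(current_user)
  end
end

# "Before": topic attributes are included whenever the badge was granted for a
# post, with no check that the viewer may see that post's topic.
class LeakyBadgeSerializer
  def initialize(badge, scope)
    @object = badge
    @scope = scope
  end

  def include_topic_attributes?
    !@object.post.nil?
  end

  def as_json
    json = { id: @object.id, badge_id: @object.badge_id, user_id: @object.user_id }
    if include_topic_attributes?
      json[:topic_id] = @object.post.topic.id
      json[:topic_title] = @object.post.topic.title
    end
    json
  end
end

# "After": identical output, but topic attributes are emitted only when the
# guardian confirms the current user can see the topic. `super` is evaluated
# first, so a badge with no post never reaches the guardian.
class GuardedBadgeSerializer < LeakyBadgeSerializer
  def include_topic_attributes?
    super && @scope.guardian.can_see_topic?(@object.post.topic)
  end
end

# Constructed sample data: a badge granted for a post in a staff-only category.
STAFF_GROUP_ID = 3
STAFF_CATEGORY = Category.new(10, true, [STAFF_GROUP_ID])
PRIVATE_TOPIC  = Topic.new(42, "Draft incident report (staff only)", STAFF_CATEGORY)
PRIVATE_POST   = Post.new(7, 1, PRIVATE_TOPIC)
BADGE          = UserBadge.new(1, 17, 99, PRIVATE_POST)

STAFF_USER   = User.new(99, [STAFF_GROUP_ID])
REGULAR_USER = User.new(5, [])
ANON         = nil

# Serialize BADGE for a viewer with the given serializer class; returns a Hash.
def serialize_badge(serializer_class, viewer)
  serializer_class.new(BADGE, Scope.new(viewer)).as_json
end

# True if the serialized badge exposes the topic title to the viewer.
def title_exposed?(serializer_class, viewer)
  serialize_badge(serializer_class, viewer).key?(:topic_title)
end

if __FILE__ == $PROGRAM_NAME
  [["anon", ANON], ["regular", REGULAR_USER], ["staff", STAFF_USER]].each do |label, viewer|
    puts "#{label}: leaky=#{title_exposed?(LeakyBadgeSerializer, viewer)} " \
         "guarded=#{title_exposed?(GuardedBadgeSerializer, viewer)}"
  end
end
```

Running the script shows the leaky serializer handing the restricted title to all three viewers, while the guarded one returns it only to the staff member; for anon and the regular user the `topic_id` and `topic_title` keys are absent rather than blanked, matching how an `include_*?` predicate in the real serializer drops an attribute.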