discourse/app/serializers
Alan Guo Xiang Tan 65820e8ac1
SECURITY: Restrict display of topic titles associated with user badges (#18768) (#18770)
Before this commit, we did not have guardian checks in place to determine if a
topic's title associated with a user badge should be displayed or not.
This means that the topic title of topics with restricted access
could be leaked to anon and users without access if certain conditions
are met. While we will not specify the conditions required, we have internally
assessed that the odds of meeting such conditions are low.

With this commit, we will now apply a guardian check to ensure that the
current user is able to see a topic before the topic's title is included
in the serialized object of a `UserBadge`.
2022-10-27 11:48:00 +08:00
concerns SECURITY: Restrict display of topic titles associated with user badges (#18768) (#18770) 2022-10-27 11:48:00 +08:00
about_serializer.rb FIX: do not include contact url & email in client site settings payload (#13004) 2021-05-19 16:15:24 +10:00
admin_badge_serializer.rb FEATURE: Link to text customization when editing system badges (#11345) 2020-12-08 11:55:49 -08:00
admin_badges_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
admin_detailed_user_serializer.rb FEATURE: Add post edits count to user activity (#13495) 2021-08-02 10:15:53 -04:00
admin_email_template_serializer.rb Different fix (#7815) 2019-07-02 11:53:16 +10:00
admin_plugin_serializer.rb UX: show plugin descriptions on admin plugins page 2021-02-12 11:38:50 -05:00
admin_user_action_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
admin_user_list_serializer.rb FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) 2021-02-08 10:04:33 +00:00
admin_user_serializer.rb DEV: Upgrading Discourse to Zeitwerk (#8098) 2019-10-02 14:01:53 +10:00
admin_web_hook_event_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
admin_web_hook_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
api_key_scope_serializer.rb UX: Help users understand the meaning of each scope. (#10468) 2020-08-18 15:12:04 -03:00
api_key_serializer.rb FEATURE: Add scopes to API keys (#9844) 2020-07-16 15:51:24 -03:00
application_serializer.rb FIX: Clear post action types application serializer fragment cache. 2021-06-04 09:14:49 +08:00
archetype_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
associated_group_serializer.rb FEATURE: Experimental support for group membership via google auth (#14835) 2021-12-09 12:30:27 +00:00
auth_provider_serializer.rb DEV: Deprecate message parameter in auth provider plugin API (#12523) 2021-03-25 13:23:48 +00:00
backup_file_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
badge_grouping_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
badge_index_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
badge_serializer.rb UX: Add image uploader widget for uploading badge images (#12377) 2021-03-17 08:55:23 +03:00
badge_type_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
basic_category_serializer.rb FEATURE: category setting for default list filter. (#9975) 2020-06-04 00:56:56 +05:30
basic_group_history_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
basic_group_serializer.rb FIX: N+1 for admins viewing groups page 2020-09-16 14:58:52 -04:00
basic_group_user_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
basic_post_serializer.rb DEV: Move requested_group_id custom field from post to topic (#9127) 2020-03-24 11:12:52 +02:00
basic_topic_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
basic_user_badge_serializer.rb FIX: 500 error for missing badge grouping (#8446) 2019-12-03 18:37:01 +11:00
basic_user_serializer.rb FIX: Wrong scope used for notification levels user serializer (#13039) 2021-05-14 09:45:14 +10:00
category_and_topic_lists_serializer.rb FEATURE: Allow setting avatar flair for automatic groups (#12586) 2021-04-06 11:13:06 -04:00
category_detailed_serializer.rb FEATURE: Return subcategories on categories endpoint (#14492) 2021-10-05 12:12:31 -06:00
category_group_serializer.rb FEATURE: Group category permissions tab (#10388) 2020-08-10 09:49:05 -05:00
category_list_serializer.rb DEV: Remove draft attributes from topic lists (#12525) 2021-03-30 11:42:26 -04:00
category_serializer.rb SECURITY: Category group permissions leaked to normal users. 2022-04-08 11:04:59 +02:00
category_upload_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
color_scheme_color_serializer.rb FEATURE: Allow themes to override color transformation variables (#7987) 2019-08-12 11:02:38 +01:00
color_scheme_selectable_serializer.rb FEATURE: User selectable color schemes (#10544) 2020-08-28 10:36:52 -04:00
color_scheme_serializer.rb FEATURE: User selectable color schemes (#10544) 2020-08-28 10:36:52 -04:00
current_user_serializer.rb FEATURE: Display pending posts on user’s page 2021-11-29 10:26:33 +01:00
detailed_tag_serializer.rb FIX: tag info misleading message saying it's not restricted 2020-02-05 15:23:39 -05:00
detailed_user_badge_serializer.rb SECURITY: Restrict display of topic titles associated with user badges (#18768) (#18770) 2022-10-27 11:48:00 +08:00
directory_column_serializer.rb DEV: Plugin API to add directory columns (#13440) 2021-06-22 13:00:04 -05:00
directory_item_serializer.rb FIX: Always serialize the correct attributes for DirectoryItems (#13510) 2021-06-23 14:55:17 -05:00
discourse_version_check_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
draft_serializer.rb SECURITY: Respect topic permissions when loading draft metadata 2020-03-23 11:30:40 +00:00
edit_directory_column_serializer.rb DEV: Plugin API to add directory columns (#13440) 2021-06-22 13:00:04 -05:00
email_log_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
email_style_serializer.rb FEATURE: customization of html emails (#7934) 2019-07-30 15:05:08 -04:00
embeddable_host_serializer.rb FIX: use allowlist and blocklist terminology (#10209) 2020-07-27 10:23:54 +10:00
embedding_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
emoji_serializer.rb FIX: Don't raise an error if a custom emoji image was deleted 2020-12-09 15:40:40 -05:00
flagged_topic_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
flagged_topic_summary_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
flagged_user_serializer.rb FIX: use allowlist and blocklist terminology (#10209) 2020-07-27 10:23:54 +10:00
flair_group_serializer.rb FEATURE: Let users select flair (#13587) 2021-07-08 10:46:21 +03:00
gap_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
group_post_serializer.rb FIX: Posts with Staff Colors were excluded from the group activity 2020-12-11 11:52:03 -05:00
group_post_user_serializer.rb Add primary group classes (#12807) 2021-04-22 15:00:23 -07:00
group_requester_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
group_show_serializer.rb FEATURE: Experimental support for group membership via google auth (#14835) 2021-12-09 12:30:27 +00:00
group_user_serializer.rb FIX: include_ serializer methods must end with ? (#14407) 2021-09-22 16:01:25 +03:00
grouped_screened_url_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
grouped_search_result_serializer.rb FEATURE: when under extreme load disable search 2019-07-02 11:22:01 +10:00
hidden_profile_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
incoming_email_details_serializer.rb DEV: stop freezing frozen strings 2020-04-30 16:48:53 +10:00
incoming_email_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
invite_link_serializer.rb FEATURE: multiple use invite links (#9813) 2020-06-09 20:49:32 +05:30
invite_serializer.rb FEATURE: Restrict link invites to email domain (#15211) 2021-12-08 17:06:57 +02:00
invited_serializer.rb FEATURE: Various improvements to invite system (#12298) 2021-03-06 13:29:35 +02:00
invited_user_record_serializer.rb FIX: include_ serializer methods must end with ? (#14407) 2021-09-22 16:01:25 +03:00
invited_user_serializer.rb FEATURE: multiple use invite links (#9813) 2020-06-09 20:49:32 +05:30
listable_topic_serializer.rb FEATURE: Add last visit indication to topic view page. (#13471) 2021-07-05 14:17:31 +08:00
new_post_result_serializer.rb FIX: Update post's raw from server response (#13438) 2021-06-18 16:26:57 +03:00
notification_serializer.rb FIX: Maintain notification order by priority (#13186) 2021-05-31 09:27:13 +03:00
penalty_counts_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
pending_post_serializer.rb FEATURE: Display pending posts on user’s page 2021-11-29 10:26:33 +01:00
permalink_serializer.rb FEATURE: Permalinks for tags 2020-05-25 14:51:01 +02:00
post_action_type_serializer.rb Fix i18n issues reported on Crowdin (#10925) 2020-10-16 15:24:58 +02:00
post_action_user_serializer.rb FEATURE: Don't display muted/ignored users under "who liked" (#10084) 2020-06-19 10:44:21 -04:00
post_item_excerpt.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
post_revision_serializer.rb FIX: limit visible revisions history to last 100 (#12946) 2021-05-05 12:18:25 +02:00
post_serializer.rb UX: change text of public_topic action code in login required sites. (#14764) 2022-01-11 11:35:16 +05:30
post_stream_serializer_mixin.rb DEV: Remove TopicView#first_post_id. (#14631) 2021-10-18 14:47:47 +08:00
post_wordpress_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
poster_serializer.rb FEATURE: Allow setting avatar flair for automatic groups (#12586) 2021-04-06 11:13:06 -04:00
presence_channel_state_serializer.rb DEV: Introduce PresenceChannel API for core and plugin use 2021-08-27 16:26:06 +01:00
primary_group_serializer.rb FEATURE: Let users select flair (#13587) 2021-07-08 10:46:21 +03:00
private_message_topic_tracking_state_serializer.rb FEATURE: Display unread and new counts for messages. (#14059) 2021-08-25 11:17:56 +08:00
published_page_serializer.rb FEATURE: allows published pages to be public (#10053) 2020-06-17 12:42:20 +02:00
queued_post_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
reviewable_action_serializer.rb DEV: APIs for plugin to add custom reviewable confirm modal (#12246) 2021-03-02 10:28:27 -06:00
reviewable_bundled_action_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
reviewable_conversation_post_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
reviewable_conversation_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
reviewable_editable_field_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
reviewable_explanation_serializer.rb DEV: Upgrading Discourse to Zeitwerk (#8098) 2019-10-02 14:01:53 +10:00
reviewable_flagged_post_serializer.rb FEATURE: Show "in reply to" on the review queue 2019-06-05 12:34:41 -04:00
reviewable_history_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
reviewable_perform_result_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
reviewable_post_serializer.rb FEATURE: Review every post using the review queue. (#12734) 2021-04-21 08:41:36 -03:00
reviewable_queued_post_serializer.rb FEATURE: Allow viewing of raw emails for reviewable queued posts (#7910) 2019-07-19 11:56:14 -04:00
reviewable_score_explanation_serializer.rb FIX: Store user_accuracy_bonus to clarify explanations (#8165) 2019-10-08 09:49:07 -04:00
reviewable_score_serializer.rb FIX: update translation key to match flag reason. (#14573) 2021-10-11 10:24:41 -03:00
reviewable_score_type_serializer.rb REFACTOR: Replace score bonuses with low/med/high priorities 2019-05-23 11:54:45 -04:00
reviewable_serializer.rb UI: Blur review queue images. (#11187) 2020-11-11 14:09:42 -03:00
reviewable_settings_serializer.rb REFACTOR: Replace score bonuses with low/med/high priorities 2019-05-23 11:54:45 -04:00
reviewable_topic_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
reviewable_user_serializer.rb FEATURE: reason to reject user signup (#11700) 2021-01-15 09:43:26 +11:00
screened_email_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
screened_ip_address_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
screened_url_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
search_logs_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
search_post_serializer.rb DEV: Add plugin API to extend search results (#12966) 2021-06-15 15:32:41 +10:00
search_result_user_serializer.rb FEATURE: the ability to search users by custom fields (#12762) 2021-04-27 15:52:45 +10:00
search_topic_list_item_serializer.rb Revert "PERF: Reduce size of search payload by removing unused topic attributes." 2020-07-23 09:25:31 +08:00
similar_topic_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
single_sign_on_record_serializer.rb FIX: hide sso payload behind a button click and log views (#12110) 2021-02-17 21:27:51 +05:30
site_category_serializer.rb FIX: Missing category edit icon. 2021-06-28 10:54:23 +08:00
site_serializer.rb FEATURE: Experimental support for group membership via google auth (#14835) 2021-12-09 12:30:27 +00:00
site_text_serializer.rb FIX: I18n couldn't find translations. (#11774) 2021-01-20 17:43:00 -03:00
skipped_email_log_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
suggested_topic_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
suggested_topics_mixin.rb FEATURE: Display new/unread count in browse more messages for PMs. (#14188) 2021-09-07 12:30:40 +08:00
tag_group_serializer.rb FEATURE: Tag synonyms 2019-12-04 13:33:51 -05:00
tag_serializer.rb FEATURE: ability to add description to tags (#15125) 2021-12-01 09:18:56 +11:00
theme_serializer.rb FIX: add theme field errors (#12880) 2021-04-28 15:00:37 -07:00
theme_settings_serializer.rb DEV: support json_schema in theme settings (#12294) 2021-03-10 20:15:04 -05:00
theme_translation_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
topic_embed_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
topic_flag_type_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
topic_link_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
topic_list_item_serializer.rb PERF: Fix N+1 queries on private messages route. 2020-09-11 15:20:27 +08:00
topic_list_serializer.rb DEV: Remove draft attributes from topic lists (#12525) 2021-03-30 11:42:26 -04:00
topic_pending_post_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
topic_post_count_serializer.rb FEATURE: Let users select flair (#13587) 2021-07-08 10:46:21 +03:00
topic_poster_serializer.rb FEATURE: Let users select flair (#13587) 2021-07-08 10:46:21 +03:00
topic_timer_serializer.rb FEATURE: Allow durations < 1 hour and < 1 day for topic timers where duration is specified (auto delete replies, close based on last post) (#11961) 2021-02-05 10:12:56 +10:00
topic_tracking_state_serializer.rb DEV: Topic tracking state improvements (#13218) 2021-06-02 09:06:29 +10:00
topic_view_details_serializer.rb FEATURE: Allow admins to permanently delete posts and topics (#14406) 2021-10-13 12:53:23 +03:00
topic_view_posts_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
topic_view_serializer.rb FIX: Display pending posts in a moderated category 2021-12-07 10:14:45 +01:00
topic_view_wordpress_serializer.rb FEATURE: Add category_id to TopicViewWordpressSerializer (#10372) 2020-08-05 11:50:15 +10:00
trust_level3_requirements_serializer.rb DEV: Upgrading Discourse to Zeitwerk (#8098) 2019-10-02 14:01:53 +10:00
upload_serializer.rb FIX: uploading an image as a site setting 2020-07-03 13:23:10 +02:00
user_action_serializer.rb FIX: rename action_code_href to action_code_path (#14834) 2021-11-08 14:32:17 +11:00
user_auth_token_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
user_badge_serializer.rb SECURITY: Restrict display of topic titles associated with user badges (#18768) (#18770) 2022-10-27 11:48:00 +08:00
user_badges_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
user_bookmark_list_serializer.rb FEATURE: Add search to user bookmark list (#10230) 2020-07-14 14:43:41 +10:00
user_bookmark_serializer.rb FIX: Use unread post excerpt for topic-level bookmark excerpt (#14414) 2021-09-22 12:47:36 +10:00
user_card_serializer.rb FEATURE: Display pending posts on user’s page 2021-11-29 10:26:33 +01:00
user_field_serializer.rb FEATURE: the ability to search users by custom fields (#12762) 2021-04-27 15:52:45 +10:00
user_history_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
user_name_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
user_option_serializer.rb FEATURE: show recent searches in quick search panel (#15024) 2021-11-25 15:44:15 -05:00
user_serializer.rb FIX: don't allow category and tag tracking settings on staged users (#13688) 2021-07-16 14:50:40 -04:00
user_summary_serializer.rb FEATURE: Let users select flair (#13587) 2021-07-08 10:46:21 +03:00
user_with_custom_fields_serializer.rb FIX: use allowlist and blocklist terminology (#10209) 2020-07-27 10:23:54 +10:00
user_wordpress_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
watched_word_list_serializer.rb DEV: Simplify watched word code (#13103) 2021-05-27 19:20:26 +03:00
watched_word_serializer.rb FIX: Add word boundaries to replace and tag watched words (#13405) 2021-06-18 18:54:06 +03:00
web_hook_category_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
web_hook_flag_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
web_hook_group_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
web_hook_group_user_serializer.rb FEATURE: trigger webhook when a user added/removed in a group. (#12653) 2021-04-08 21:16:34 +05:30
web_hook_like_serializer.rb FEATURE: add support for like webhooks (#12917) 2021-04-30 17:08:38 -07:00
web_hook_post_serializer.rb FEATURE: Let users select flair (#13587) 2021-07-08 10:46:21 +03:00
web_hook_topic_view_serializer.rb FEATURE: Topic-level bookmarks (#14353) 2021-09-21 08:45:47 +10:00
web_hook_user_serializer.rb FEATURE: Display pending posts on user’s page 2021-11-29 10:26:33 +01:00
wizard_field_choice_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
wizard_field_serializer.rb UX: Add Styling step to wizard (#14132) 2021-08-25 17:10:12 -04:00
wizard_serializer.rb UX: Add Styling step to wizard (#14132) 2021-08-25 17:10:12 -04:00
wizard_step_serializer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00