github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-28 16:23:45 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
d1ef6ab99f
discourse/spec/requests
History
Alan Guo Xiang Tan 4cb7472376
SECURITY: Prevent arbitrary topic custom fields from being set 
Why this change?

The `PostsController#create` action allows arbitrary topic custom fields
to be set by any user that can create a topic. Without any restrictions,
this opens us up to potential security issues where plugins may be using
topic custom fields in security sensitive areas.

What does this change do?

1. This change introduces the `register_editable_topic_custom_field` plugin
API which allows plugins to register topic custom fields that are
editable either by staff users only or all users. The registered
editable topic custom fields are stored in `DiscoursePluginRegistry` and
is called by a new method `Topic#editable_custom_fields` which is then
used in the `PostsController#create` controller action. When an unpermitted custom fields is present in the `meta_data` params,
a 400 response code is returned.

2. Removes all reference to `meta_data` on a topic as it is confusing
   since we actually mean topic custom fields instead.
2023-10-16 10:34:35 -04:00
..
admin FEATURE: granular webhooks (#23070) 2023-10-09 03:35:31 +00:00
api FEATURE: Remove support for legacy navigation menu (#23752) 2023-10-09 07:24:10 +08:00
examples SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
about_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
application_controller_spec.rb DEV: Add hidden cross_origin_opener_policy_header site setting (#23346) 2023-08-31 08:50:06 -04:00
associate_accounts_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
badges_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
bookmarks_controller_spec.rb DEV: Remove Discourse.redis.delete_prefixed (#22103) 2023-06-16 12:44:35 +10:00
bootstrap_controller_spec.rb DEV: Eliminate flakiness in specs that depend on plugins from fixtures (#21912) 2023-06-05 08:06:00 +08:00
categories_controller_spec.rb DEV: Switch over category settings to new table - Part 3 (#20657) 2023-09-12 09:51:49 +08:00
clicks_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
composer_controller_spec.rb UX: hide warning if all users mentioned via group are already invited. (#23557) 2023-09-13 19:21:44 +05:30
composer_messages_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
csp_reports_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
directory_columns_controller_spec.rb DEV: Refactored and moved Edit Directory Column tests out of directory_columns_controller_spec (#22022) 2023-06-08 18:00:01 -05:00
directory_items_controller_spec.rb FIX: Validate page/limit params for directory, user-badges and groups (#22877) 2023-07-31 15:00:05 +01:00
do_not_disturb_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
drafts_controller_spec.rb SECURITY: Limit number of drafts per user and length of draft_key 2023-09-12 15:31:26 -03:00
edit_directory_columns_controller_spec.rb DEV: Refactored and moved Edit Directory Column tests out of directory_columns_controller_spec (#22022) 2023-06-08 18:00:01 -05:00
email_controller_spec.rb FIX: Unsubscribing via key associated with deleted topic (#20275) 2023-02-16 10:47:01 +00:00
embed_controller_spec.rb FEATURE: Serve RTL versions of admin and plugins CSS bundles for RTL locales (#21876) 2023-06-01 05:27:11 +03:00
exceptions_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
export_csv_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
extra_locales_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
finish_installation_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
form_templates_controller_spec.rb DEV: Remove setting explicit id on Fabricated property (#21831) 2023-05-30 09:34:01 -07:00
forums_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
groups_controller_spec.rb FIX: Validate page/limit params for directory, user-badges and groups (#22877) 2023-07-31 15:00:05 +01:00
hashtags_controller_spec.rb DEV: Remove enable_experimental_hashtag_autocomplete logic (#22820) 2023-08-08 11:18:55 +10:00
inline_onebox_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
invites_controller_spec.rb SECURITY: Handle concurrent invite accepts 2023-07-28 12:53:48 +01:00
list_controller_spec.rb DEV: Validate before and bumped_before options in TopicQuery (#23451) 2023-09-07 14:38:03 +10:00
metadata_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
notifications_controller_spec.rb FEATURE: Remove support for legacy navigation menu (#23752) 2023-10-09 07:24:10 +08:00
offline_controller_spec.rb Add RSpec 4 compatibility (#17652) 2022-07-28 10:27:38 +08:00
omniauth_callbacks_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
onebox_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
permalinks_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
post_action_users_controller_spec.rb SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
post_actions_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
post_readers_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
posts_controller_spec.rb SECURITY: Prevent arbitrary topic custom fields from being set 2023-10-16 10:34:35 -04:00
presence_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
published_pages_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
push_notification_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
qunit_controller_spec.rb DEV: Stop building test assets in production under Embroider (#23388) 2023-09-11 09:12:37 +01:00
reviewable_claimed_topics_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
reviewables_controller_spec.rb FIX: Pending post deletion by creator (#23130) 2023-08-18 15:30:59 +00:00
robots_txt_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
safe_mode_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
search_controller_spec.rb FIX: Search by tag context was broken (#23006) 2023-08-08 15:15:34 -04:00
session_controller_spec.rb DEV: Add routes and controller actions for passkeys (2/3) (#23587) 2023-10-11 14:36:54 -04:00
sidebar_sections_controller_spec.rb SECURITY: limit amount of links in custom sidebar section (#22543) 2023-07-11 15:25:01 -06:00
similar_topics_controller_spec.rb DEV: Disable SearchIndexer after fabrication (#21378) 2023-05-04 09:20:52 +08:00
site_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
sitemap_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
slugs_controller_spec.rb DEV: Remove Discourse.redis.delete_prefixed (#22103) 2023-06-16 12:44:35 +10:00
static_controller_spec.rb DEV: Avoid leaking new site setting states in test environment (#21713) 2023-05-25 07:53:57 +08:00
steps_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
stylesheets_controller_spec.rb DEV: Eliminate flakiness in specs that depend on plugins from fixtures (#21912) 2023-06-05 08:06:00 +08:00
svg_sprite_controller_spec.rb DEV: Avoid multiple fabrications in spec (#21606) 2023-05-17 14:28:31 +08:00
tag_groups_controller_spec.rb SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
tags_controller_spec.rb SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
theme_javascripts_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
topics_controller_spec.rb DEV: Switch over category settings to new table - Part 3 (#20657) 2023-09-12 09:51:49 +08:00
uploads_controller_multisite_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
uploads_controller_spec.rb DEV: Add S3 upload system specs using minio (#22975) 2023-08-23 11:18:33 +10:00
user_actions_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
user_api_keys_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
user_avatars_controller_spec.rb FEATURE: reduce avatar sizes to 6 from 20 (#21319) 2023-06-01 10:00:01 +10:00
user_badges_controller_spec.rb FIX: Validate page/limit params for directory, user-badges and groups (#22877) 2023-07-31 15:00:05 +01:00
user_status_controller_spec.rb DEV: Format UserStatus#ends_at as a ISO8601 timestamp (#23796) 2023-10-05 20:41:12 +02:00
users_controller_spec.rb SECURITY: Hide user profiles from public 2023-10-16 10:34:32 -04:00
users_email_controller_spec.rb DEV: Remove Discourse.redis.delete_prefixed (#22103) 2023-06-16 12:44:35 +10:00
webhooks_controller_spec.rb FEATURE: Add Mailpace webhook (#21981) 2023-06-08 20:06:20 +03:00
wizard_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00