discourse/spec/services
Andrei Prigorshnev 5a2ad7e386
DEV: remove calls to guardian from GroupActionLogger (#13835)
We shouldn't be checking if a user is allowed to do an action in the logger. We should be checking it just before we perform the action. In fact, guardians in the logger can make things even worse in case of a security bug. Let's say we forgot to check a user's permissions before performing some action, but we still have a call to the guardian in the logger. In this case, a user would perform the action anyway, and this action wouldn't even be logged!

I've checked all cases and I confirm that we're safe to delete these calls from the logger.

I've added two calls to guardians in admin/user_controller. We didn't have security bugs there, because regular users can't access admin/... routes at all. But it's good to have calls to guardian in these methods anyway; neighboring methods have them.
2021-07-28 15:04:04 +04:00
anonymous_shadow_creator_spec.rb FIX: use allowlist and blocklist terminology (#10209) 2020-07-27 10:23:54 +10:00
auto_silence_spec.rb Migrate score settings to use sensitivities 2019-05-24 15:44:24 -04:00
badge_granter_spec.rb FIX: Don't grant sharing badges to users who don't exist (#13851) 2021-07-27 16:32:59 +10:00
color_scheme_revisor_spec.rb FEATURE: User selectable color schemes (#10544) 2020-08-28 10:36:52 -04:00
destroy_task_spec.rb DEV: Correct typos and spelling mistakes (#12812) 2021-05-21 11:43:47 +10:00
email_settings_exception_handler_spec.rb FEATURE: Improve group email settings UI (#13083) 2021-05-28 09:28:18 +10:00
email_settings_validator_spec.rb FEATURE: Improve group email settings UI (#13083) 2021-05-28 09:28:18 +10:00
email_style_updater_spec.rb FEATURE: support SCSS in custom email style 2019-10-23 15:42:37 -04:00
external_upload_manager_spec.rb FEATURE: Initial implementation of direct S3 uploads with uppy and stubs (#13787) 2021-07-28 08:42:25 +10:00
flag_sockpuppets_spec.rb FIX: use allowlist and blocklist terminology (#10209) 2020-07-27 10:23:54 +10:00
group_action_logger_spec.rb DEV: remove calls to guardian from GroupActionLogger (#13835) 2021-07-28 15:04:04 +04:00
group_mentions_updater_spec.rb Link website when reviewing users 2020-02-19 10:18:05 -05:00
group_message_spec.rb DEV: s/\$redis/Discourse\.redis (#8431) 2019-12-03 10:05:53 +01:00
heat_settings_updater_spec.rb FIX: round the calculated heat values 2019-06-06 15:44:55 -04:00
inline_uploads_multisite_spec.rb DEV: Isolate multisite specs (#13634) 2021-07-07 18:57:42 +02:00
inline_uploads_spec.rb DEV: Isolate multisite specs (#13634) 2021-07-07 18:57:42 +02:00
notification_emailer_spec.rb FEATURE: Send an email notification when a post is approved. (#12665) 2021-04-12 12:08:23 -03:00
post_action_notifier_spec.rb DEV: Correct typos and spelling mistakes (#12812) 2021-05-21 11:43:47 +10:00
post_alerter_spec.rb FEATURE: Add last visit indication to topic view page. (#13471) 2021-07-05 14:17:31 +08:00
post_owner_changer_spec.rb FIX: Changing the post owner didn't update the reply_to_user_id of replies (#13862) 2021-07-27 20:49:08 +02:00
push_notification_pusher_spec.rb DEV: Spec shouldn't depend on translation 2021-07-21 12:24:54 +08:00
random_topic_selector_spec.rb DEV: s/\$redis/Discourse\.redis (#8431) 2019-12-03 10:05:53 +01:00
search_indexer_spec.rb DEV: Correct typos and spelling mistakes (#12812) 2021-05-21 11:43:47 +10:00
site_settings_spec.rb DEV: Correct typos and spelling mistakes (#12812) 2021-05-21 11:43:47 +10:00
staff_action_logger_spec.rb FEATURE: add staff action logs for watched words (#13574) 2021-06-30 11:22:46 +05:30
themes_spec.rb FIX: Include extra SCSS in child theme (#11952) 2021-02-03 11:02:53 -05:00
topic_status_updater_spec.rb FIX: Auto close topic from category settings based on topic created_at (#12082) 2021-02-17 07:51:39 +10:00
topic_timestamp_changer_spec.rb FIX: when updating timestamps on topic set a correct bump date (#13746) 2021-07-16 11:56:51 +04:00
trust_level_granter_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
user_activator_spec.rb Update rubocop to 2.3.1. 2020-07-24 17:19:21 +08:00
user_anonymizer_spec.rb FIX: Destroy invites of anonymized emails (#13404) 2021-06-17 10:45:40 +03:00
user_authenticator_spec.rb DEV: Correct typos and spelling mistakes (#12812) 2021-05-21 11:43:47 +10:00
user_destroyer_spec.rb FIX: remove invite based associated object (#12927) 2021-05-03 12:49:53 -04:00
user_merger_spec.rb DEV: Correct typos and spelling mistakes (#12812) 2021-05-21 11:43:47 +10:00
user_notification_schedule_processor_spec.rb DEV: Correct typos and spelling mistakes (#12812) 2021-05-21 11:43:47 +10:00
user_silencer_spec.rb FIX: Skip sending PM email for user silence (#12240) 2021-03-02 09:18:09 +10:00
user_updater_spec.rb FIX: User can change name when auth_overrides_name is enabled. 2021-07-28 14:40:57 +08:00
username_changer_spec.rb FIX: Make Oneboxer#apply insert block Oneboxes correctly (#11449) 2020-12-14 17:49:37 +02:00
username_checker_service_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
wildcard_domain_checker_spec.rb SECURITY: vulnerability in WildcardUrlChecker 2019-12-13 09:29:09 -05:00
wildcard_url_checker_spec.rb FIX: Allow any protocol in wildcard url checker (#8651) 2020-01-02 16:03:13 +00:00
word_watcher_spec.rb DEV: Correct typos and spelling mistakes (#12812) 2021-05-21 11:43:47 +10:00