SECURITY: Category group permissions leaked to normal users.

After this commit, category group permissions can only be seen by users
that are allowed to manage a category. In the past, the `CategoriesController#show`
and `CategoriesController#find_by_slug` endpoints inadvertently included a category's
group permission settings in their responses to normal users, even though those
settings are only relevant to users who can manage the category.
Alan Guo Xiang Tan
2022-04-08 11:14:06 +08:00
parent 07d8189edd
commit 0f7b9878ff
9 changed files with 130 additions and 74 deletions


@ -2,9 +2,9 @@
class CategoriesController < ApplicationController
requires_login except: [:index, :categories_and_latest, :categories_and_top, :show, :redirect, :find_by_slug]
requires_login except: [:index, :categories_and_latest, :categories_and_top, :show, :redirect, :find_by_slug, :visible_groups]
before_action :fetch_category, only: [:show, :update, :destroy]
before_action :fetch_category, only: [:show, :update, :destroy, :visible_groups]
before_action :initialize_staff_action_logger, only: [:create, :update, :destroy]
skip_before_action :check_xhr, only: [:index, :categories_and_latest, :categories_and_top, :redirect]
@ -120,6 +120,7 @@ class CategoriesController < ApplicationController
if Category.topic_create_allowed(guardian).where(id: @category.id).exists?
@category.permission = CategoryGroup.permission_types[:full]
end
render_serialized(@category, CategorySerializer)
end
@ -252,6 +253,11 @@ class CategoriesController < ApplicationController
render_serialized(@category, CategorySerializer)
end
def visible_groups
@guardian.ensure_can_see!(@category)
render json: success_json.merge(groups: @category.groups.merge(Group.visible_groups(current_user)).pluck("name"))
end
private
def self.topics_per_page
@ -371,6 +377,7 @@ class CategoriesController < ApplicationController
def fetch_category
@category = Category.find_by_slug(params[:id]) || Category.find_by(id: params[:id].to_i)
raise Discourse::NotFound if @category.blank?
end
def initialize_staff_action_logger
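Review bot: In the new `visible_groups` action (the @-252 hunk) the access check reads the instance variable directly, `@guardian.ensure_can_see!(@category)`, whereas `show` in the hunk above goes through the `guardian` accessor (`Category.topic_create_allowed(guardian)`); reading the ivar only works if some earlier filter has already populated it, so the consistent and safer form is `guardian.ensure_can_see!(@category)`. Separately, the action is added to the `requires_login` exemption list, so anonymous callers can learn which groups are attached to a category (names only, narrowed to `Group.visible_groups(current_user)`), while the commit message says group permission settings are a manager-only concern; if exposing the group names for a category the caller can see is deliberate, a comment such as `# Returns only group names (no permission level), limited to groups the caller may see; intentionally available without login` would record that the disclosure is intended rather than an oversight. The `render json: success_json.merge(...)` line would also read more easily with the group list pulled into a local first, but that is cosmetic.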