github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 20:41:24 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Don't leak topic title in the redirect

Browse Source
This commit is contained in:
riking
2015-02-04 11:49:05 -08:00
parent 3948a960cd
commit 4c8850108a
2 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/posts_controller.rb
View File

@ -70,6 +70,8 @@ class PostsController < ApplicationController
user = User.find(params[:user_id].to_i) user = User.find(params[:user_id].to_i)
request['u'] = user.username_lower if user request['u'] = user.username_lower if user
end end
guardian.ensure_can_see!(post)
redirect_to post.url redirect_to post.url
end end

15
spec/controllers/posts_controller_spec.rb
View File

@ -821,4 +821,19 @@ describe PostsController do
end end
end end
describe "short link" do
let(:topic) { Fabricate(:topic) }
let(:post) { Fabricate(:post, topic: topic) }
it "redirects to the topic" do
xhr :get, :short_link, post_id: post.id
response.should be_redirect
end
it "returns a 403 when access is denied" do
Guardian.any_instance.stubs(:can_see?).returns(false)
xhr :get, :short_link, post_id: post.id
response.should be_forbidden
end
end
end end