mirror of
https://github.com/discourse/discourse.git
synced 2025-05-22 22:43:33 +08:00
DEV: remove calls to guardian from GroupActionLogger (#13835)
We shouldn't be checking if a user is allowed to do an action in the logger. We should be checking it just before we perform the action. In fact, guardians in the logger can make things even worse in case of a security bug. Let's say we forgot to check user's permissions before performing some action, but we still have a call to the guardian in the logger. In this case, a user would perform the action anyway, and this action wouldn't even be logged! I've checked all cases and I confirm that we're safe to delete this calls from the logger. I've added two calls to guardians in admin/user_controller. We didn't have security bugs there, because regular users can't access admin/... routes at all. But it's good to have calls to guardian in these methods anyway, neighboring methods have them.
This commit is contained in:
Andrei Prigorshnev
committed by
GitHub
GitHub
parent
32951ca2f4
commit
5a2ad7e386
@ -211,9 +211,10 @@ class Admin::UsersController < Admin::AdminController
|
|||||||
|
|
||||||
def add_group
|
def add_group
|
||||||
group = Group.find(params[:group_id].to_i)
|
group = Group.find(params[:group_id].to_i)
|
||||||
|
|
||||||
raise Discourse::NotFound unless group
|
raise Discourse::NotFound unless group
|
||||||
|
|
||||||
return render_json_error(I18n.t('groups.errors.can_not_modify_automatic')) if group.automatic
|
return render_json_error(I18n.t('groups.errors.can_not_modify_automatic')) if group.automatic
|
||||||
|
guardian.ensure_can_edit!(group)
|
||||||
|
|
||||||
group.add(@user)
|
group.add(@user)
|
||||||
GroupActionLogger.new(current_user, group).log_add_user_to_group(@user)
|
GroupActionLogger.new(current_user, group).log_add_user_to_group(@user)
|
||||||
@ -223,12 +224,14 @@ class Admin::UsersController < Admin::AdminController
|
|||||||
|
|
||||||
def remove_group
|
def remove_group
|
||||||
group = Group.find(params[:group_id].to_i)
|
group = Group.find(params[:group_id].to_i)
|
||||||
|
|
||||||
raise Discourse::NotFound unless group
|
raise Discourse::NotFound unless group
|
||||||
return render_json_error(I18n.t('groups.errors.can_not_modify_automatic')) if group.automatic
|
|
||||||
|
|
||||||
group.remove(@user)
|
return render_json_error(I18n.t('groups.errors.can_not_modify_automatic')) if group.automatic
|
||||||
|
guardian.ensure_can_edit!(group)
|
||||||
|
|
||||||
|
if group.remove(@user)
|
||||||
GroupActionLogger.new(current_user, group).log_remove_user_from_group(@user)
|
GroupActionLogger.new(current_user, group).log_remove_user_from_group(@user)
|
||||||
|
end
|
||||||
|
|
||||||
render body: nil
|
render body: nil
|
||||||
end
|
end
|
||||||
|
|||||||
@ -170,7 +170,7 @@ class GroupsController < ApplicationController
|
|||||||
end
|
end
|
||||||
|
|
||||||
if group.update(params_with_permitted)
|
if group.update(params_with_permitted)
|
||||||
GroupActionLogger.new(current_user, group, skip_guardian: true).log_change_group_settings
|
GroupActionLogger.new(current_user, group).log_change_group_settings
|
||||||
group.record_email_setting_changes!(current_user)
|
group.record_email_setting_changes!(current_user)
|
||||||
group.expire_imap_mailbox_cache
|
group.expire_imap_mailbox_cache
|
||||||
update_existing_users(group.group_users, categories, tags) if categories.present? || tags.present?
|
update_existing_users(group.group_users, categories, tags) if categories.present? || tags.present?
|
||||||
|
|||||||
@ -2,15 +2,12 @@
|
|||||||
|
|
||||||
class GroupActionLogger
|
class GroupActionLogger
|
||||||
|
|
||||||
def initialize(acting_user, group, opts = {})
|
def initialize(acting_user, group)
|
||||||
@acting_user = acting_user
|
@acting_user = acting_user
|
||||||
@group = group
|
@group = group
|
||||||
@opts = opts
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def log_make_user_group_owner(target_user)
|
def log_make_user_group_owner(target_user)
|
||||||
can_edit?
|
|
||||||
|
|
||||||
GroupHistory.create!(default_params.merge(
|
GroupHistory.create!(default_params.merge(
|
||||||
action: GroupHistory.actions[:make_user_group_owner],
|
action: GroupHistory.actions[:make_user_group_owner],
|
||||||
target_user: target_user
|
target_user: target_user
|
||||||
@ -18,8 +15,6 @@ class GroupActionLogger
|
|||||||
end
|
end
|
||||||
|
|
||||||
def log_remove_user_as_group_owner(target_user)
|
def log_remove_user_as_group_owner(target_user)
|
||||||
can_edit?
|
|
||||||
|
|
||||||
GroupHistory.create!(default_params.merge(
|
GroupHistory.create!(default_params.merge(
|
||||||
action: GroupHistory.actions[:remove_user_as_group_owner],
|
action: GroupHistory.actions[:remove_user_as_group_owner],
|
||||||
target_user: target_user
|
target_user: target_user
|
||||||
@ -27,8 +22,6 @@ class GroupActionLogger
|
|||||||
end
|
end
|
||||||
|
|
||||||
def log_add_user_to_group(target_user)
|
def log_add_user_to_group(target_user)
|
||||||
(target_user == @acting_user && @group.public_admission) || can_edit?
|
|
||||||
|
|
||||||
GroupHistory.create!(default_params.merge(
|
GroupHistory.create!(default_params.merge(
|
||||||
action: GroupHistory.actions[:add_user_to_group],
|
action: GroupHistory.actions[:add_user_to_group],
|
||||||
target_user: target_user
|
target_user: target_user
|
||||||
@ -36,8 +29,6 @@ class GroupActionLogger
|
|||||||
end
|
end
|
||||||
|
|
||||||
def log_remove_user_from_group(target_user)
|
def log_remove_user_from_group(target_user)
|
||||||
(target_user == @acting_user && @group.public_exit) || can_edit?
|
|
||||||
|
|
||||||
GroupHistory.create!(default_params.merge(
|
GroupHistory.create!(default_params.merge(
|
||||||
action: GroupHistory.actions[:remove_user_from_group],
|
action: GroupHistory.actions[:remove_user_from_group],
|
||||||
target_user: target_user
|
target_user: target_user
|
||||||
@ -45,8 +36,6 @@ class GroupActionLogger
|
|||||||
end
|
end
|
||||||
|
|
||||||
def log_change_group_settings
|
def log_change_group_settings
|
||||||
@opts[:skip_guardian] || can_edit?
|
|
||||||
|
|
||||||
@group.previous_changes.except(*excluded_attributes).each do |attribute_name, value|
|
@group.previous_changes.except(*excluded_attributes).each do |attribute_name, value|
|
||||||
next if value[0].blank? && value[1].blank?
|
next if value[0].blank? && value[1].blank?
|
||||||
|
|
||||||
@ -73,9 +62,4 @@ class GroupActionLogger
|
|||||||
def default_params
|
def default_params
|
||||||
{ group: @group, acting_user: @acting_user }
|
{ group: @group, acting_user: @acting_user }
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_edit?
|
|
||||||
raise Discourse::InvalidParameters.new unless Guardian.new(@acting_user).can_log_group_changes?(@group)
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|||||||
@ -16,11 +16,8 @@ module GroupGuardian
|
|||||||
# Automatic groups are not represented in the GROUP_USERS
|
# Automatic groups are not represented in the GROUP_USERS
|
||||||
# table and thus do not allow membership changes.
|
# table and thus do not allow membership changes.
|
||||||
def can_edit_group?(group)
|
def can_edit_group?(group)
|
||||||
!group.automatic && can_log_group_changes?(group)
|
!group.automatic &&
|
||||||
end
|
(can_admin_group?(group) || group.users.where('group_users.owner').include?(user))
|
||||||
|
|
||||||
def can_log_group_changes?(group)
|
|
||||||
can_admin_group?(group) || group.users.where('group_users.owner').include?(user)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_admin_group?(group)
|
def can_admin_group?(group)
|
||||||
|
|||||||
@ -53,14 +53,6 @@ RSpec.describe GroupActionLogger do
|
|||||||
context 'as a normal user' do
|
context 'as a normal user' do
|
||||||
subject { described_class.new(user, group) }
|
subject { described_class.new(user, group) }
|
||||||
|
|
||||||
describe 'user cannot freely exit group' do
|
|
||||||
it 'should not be allowed to log the action' do
|
|
||||||
expect { subject.log_add_user_to_group(user) }
|
|
||||||
.to raise_error(Discourse::InvalidParameters)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe 'user can freely exit group' do
|
|
||||||
before do
|
before do
|
||||||
group.update!(public_admission: true)
|
group.update!(public_admission: true)
|
||||||
end
|
end
|
||||||
@ -76,7 +68,6 @@ RSpec.describe GroupActionLogger do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
describe '#log_remove_user_from_group' do
|
describe '#log_remove_user_from_group' do
|
||||||
describe 'as group owner' do
|
describe 'as group owner' do
|
||||||
@ -94,14 +85,6 @@ RSpec.describe GroupActionLogger do
|
|||||||
context 'as a normal user' do
|
context 'as a normal user' do
|
||||||
subject { described_class.new(user, group) }
|
subject { described_class.new(user, group) }
|
||||||
|
|
||||||
describe 'user cannot freely exit group' do
|
|
||||||
it 'should not be allowed to log the action' do
|
|
||||||
expect { subject.log_remove_user_from_group(user) }
|
|
||||||
.to raise_error(Discourse::InvalidParameters)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe 'user can freely exit group' do
|
|
||||||
before do
|
before do
|
||||||
group.update!(public_exit: true)
|
group.update!(public_exit: true)
|
||||||
end
|
end
|
||||||
@ -117,7 +100,6 @@ RSpec.describe GroupActionLogger do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
describe '#log_change_group_settings' do
|
describe '#log_change_group_settings' do
|
||||||
it 'should create the right record' do
|
it 'should create the right record' do
|
||||||
|
|||||||
Reference in New Issue
Block a user