SECURITY: Respect topic permissions when loading bookmark metadata

Co-authored-by: Martin Brennan <martin@discourse.org>
Co-authored-by: Sam Saffron <sam.saffron@gmail.com>
David Taylor
2020-03-23 11:04:39 +00:00
parent 5ff505cea6
commit 5db41cd578
8 changed files with 151 additions and 31 deletions


@ -90,6 +90,24 @@ RSpec.describe BookmarkManager do
expect(subject.errors.full_messages).to include(I18n.t("bookmarks.errors.cannot_set_reminder_in_distant_future"))
end
end
context "when the post is inaccessable for the user" do
before do
post.trash!
end
it "raises an invalid access error" do
expect { subject.create(post_id: post.id, name: name) }.to raise_error(Discourse::InvalidAccess)
end
end
context "when the topic is inaccessable for the user" do
before do
post.topic.update(category: Fabricate(:private_category, group: Fabricate(:group)))
end
it "raises an invalid access error" do
expect { subject.create(post_id: post.id, name: name) }.to raise_error(Discourse::InvalidAccess)
end
end
end
describe ".destroy" do
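Review bot: Both new examples assert only that `Discourse::InvalidAccess` is raised, so they would still pass if a bookmark row were persisted before the permission check runs. Following each `raise_error` expectation with `expect(Bookmark.where(post_id: post.id)).to be_empty` would pin that nothing is stored for a post the user cannot see. The topic case covers only a group-restricted category; if no other spec in this commit does so, a private-message topic the user is not a participant in deserves the same example, since it goes through a different permission path. The two context descriptions also misspell the word, and should read `context "when the post is inaccessible for the user" do` and `context "when the topic is inaccessible for the user" do`. The enclosing `describe` block opens above the hunk, so the setup for `subject`, `post` and `name` is not visible here.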