github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-02 04:08:41 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Don't allow moderators to list PMs of all groups.

Browse Source 
* Also return 404 when a user is trying to list PMs of a group that
cannot be accessed by the user.
This commit is contained in:
Guo Xiang Tan
2020-09-08 10:31:28 +08:00
parent 0d3239bf21
commit 5ed84d9885
4 changed files with 54 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
app/controllers/list_controller.rb
View File

@ -145,22 +145,37 @@ class ListController < ApplicationController
end
def self.generate_message_route(action)
define_method("#{action}") do
if action == :private_messages_tag && !guardian.can_tag_pms?
raise Discourse::NotFound
case action
when :private_messages_tag
define_method("#{action}") do
raise Discourse::NotFound if !guardian.can_tag_pms?
message_route(action)
end
when :private_messages_group, :private_messages_group_archive
define_method("#{action}") do
group = Group.find_by(name: params[:group_name])
raise Discourse::NotFound unless guardian.can_see_group_messages?(group)
list_opts = build_topic_list_options
target_user = fetch_user_from_params({ include_inactive: current_user.try(:staff?) }, [:user_stat, :user_option])
guardian.ensure_can_see_private_messages!(target_user.id)
list = generate_list_for(action.to_s, target_user, list_opts)
url_prefix = "topics"
list.more_topics_url = construct_url_with(:next, list_opts, url_prefix)
list.prev_topics_url = construct_url_with(:prev, list_opts, url_prefix)
respond_with_list(list)
message_route(action)
end
else
define_method("#{action}") do
message_route(action)
end
end
end
def message_route(action)
target_user = fetch_user_from_params({ include_inactive: current_user.try(:staff?) }, [:user_stat, :user_option])
guardian.ensure_can_see_private_messages!(target_user.id)
list_opts = build_topic_list_options
list = generate_list_for(action.to_s, target_user, list_opts)
url_prefix = "topics"
list.more_topics_url = construct_url_with(:next, list_opts, url_prefix)
list.prev_topics_url = construct_url_with(:prev, list_opts, url_prefix)
respond_with_list(list)
end
%i{
private_messages
private_messages_sent