github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-04 20:04:42 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Ensure user can see group and group members

Browse Source
This commit is contained in:
Bianca Nenciu
2020-03-09 22:04:05 +02:00
parent d8640fd042
commit 61c1af0124
2 changed files with 21 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
app/controllers/directory_items_controller.rb
View File

@ -12,7 +12,12 @@ class DirectoryItemsController < ApplicationController
result = DirectoryItem.where(period_type: period_type).includes(:user)
if params[:group]
result = result.includes(user: :groups).where(users: { groups: { name: params[:group] } })
group = Group.find_by(name: params[:group])
raise Discourse::InvalidParameters.new(:group) if group.blank?
guardian.ensure_can_see!(group)
guardian.ensure_can_see_group_members!(group)
result = result.includes(user: :groups).where(users: { groups: { id: group.id } })
else
result = result.includes(user: :primary_group)
end