SECURITY: only show user suggestions with regular post (#15436)

2025-06-01 05:53:52 +08:00 · 2022-01-03 13:37:40 +05:30
parent 494033225e
commit 702685b6a0
2 changed files with 7 additions and 1 deletions
--- a/spec/models/user_search_spec.rb
+++ b/spec/models/user_search_spec.rb
@ -114,6 +114,7 @@ describe UserSearch do
    fab!(:post5) { Fabricate :post, user: mr_brown, topic: topic3 }
    fab!(:post6) { Fabricate :post, user: mr_white, topic: topic }
    fab!(:post7) { Fabricate :post, user: staged, topic: topic4 }
+    fab!(:post8) { Fabricate :post, user: mr_brown, topic: topic2, post_type: Post.types[:whisper] }

    before { mr_white.update(suspended_at: 1.day.ago, suspended_till: 1.year.from_now) }

@ -170,6 +171,11 @@ describe UserSearch do
      expect(results).to eq [mr_b, mr_brown, mr_blue].map(&:username)
    end

+    it "does not reveal whisper users" do
+      results = search_for("", topic_id: topic2.id)
+      expect(results).to eq [mr_blue.username]
+    end
+
    it "only reveals topic participants to people with permission" do
      pm_topic = Fabricate(:private_message_post).topic