github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-31 21:55:25 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Prevent access to other user's bookmark lists

Browse Source
This commit is contained in:
Martin Brennan
2020-03-19 10:59:32 +10:00
parent 8ae472bc41
commit 8769ca08bb
4 changed files with 26 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
spec/requests/users_controller_spec.rb
View File

@ -4167,6 +4167,25 @@ describe UsersController do
end
end
describe "#bookmarks" do
let!(:bookmark1) { Fabricate(:bookmark, user: user) }
let!(:bookmark2) { Fabricate(:bookmark, user: user) }
let!(:bookmark3) { Fabricate(:bookmark) }
it "returns a list of serialized bookmarks for the user" do
sign_in(user)
get "/u/#{user.username}/bookmarks.json"
expect(response.status).to eq(200)
expect(JSON.parse(response.body)['bookmarks'].map { |b| b['id'] }).to match_array([bookmark1.id, bookmark2.id])
end
it "does not show another user's bookmarks" do
sign_in(user)
get "/u/#{bookmark3.user.username}/bookmarks.json"
expect(response.status).to eq(403)
end
end
def create_second_factor_security_key
sign_in(user)
stub_secure_session_confirmed