FEATURE: unlisted *only* means not listed in topic lists

Remove security by obscurity feature that tries for exact slug match

If you need to hide a topic from users either move to a secure category
or convert to a PM
Sam
2017-08-22 17:53:45 -04:00
parent 224796a7d4
commit 8dfb1be4d1
2 changed files with 12 additions and 9 deletions


@ -568,7 +568,14 @@ describe TopicsController do
end
describe 'show unlisted' do
it 'returns 404 unless exact correct URL' do
it 'returns 301 even if slug does not match URL' do
# in the past we had special logic for unlisted topics
# we would require slug unless you made a json call
# this was not really providing any security
#
# we no longer require a topic be visible to perform url correction
# if you need to properly hide a topic for users use a secure category
# or a PM
topic = Fabricate(:topic, visible: false)
Fabricate(:post, topic: topic)
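Review bot: The new comment block in 'show unlisted' says the slug check "was not really providing any security" but does not spell out what the new behaviour exposes: with URL correction applied to a `visible: false` topic, a request carrying only the topic id and a wrong slug is redirected to the correct URL, so the real slug of an unlisted topic is returned to anyone who can reach it by id. Stating that in the comment would make the trade-off explicit for whoever reads the spec later. Since the comment points readers to a secure category or a PM, a companion example in this describe block asserting that a topic in a secure category is still refused for a user without access would pin down the boundary this change relies on.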
@ -576,10 +583,10 @@ describe TopicsController do
expect(response).to be_success
xhr :get, :show, topic_id: topic.id, slug: "just-guessing"
expect(response.code).to eq("404")
expect(response.code).to eq("301")
xhr :get, :show, id: topic.slug
expect(response.code).to eq("404")
expect(response.code).to eq("301")
end
end
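Review bot: Both updated expectations check only `response.code` against "301", so the spec would still pass if the redirect pointed somewhere other than the topic's canonical URL. Consider also asserting on the redirect target (for example with the `redirect_to` matcher, or by checking the Location header) for both the `slug: "just-guessing"` request and the `id: topic.slug` request, so the test covers the URL correction itself rather than just the status code.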