SECURITY: Restrict message-bus access on login_required sites

David Taylor
2019-08-13 14:44:22 +01:00
parent 888b635cfc
commit 92f2202e4a
3 changed files with 42 additions and 0 deletions


@ -45,6 +45,9 @@ def setup_message_bus_env(env)
Discourse.warn_exception(e, message: "Unexpected error in Message Bus")
end
user_id = user && user.id
raise Discourse::InvalidAccess if !user_id && SiteSetting.login_required
is_admin = !!(user && user.admin?)
group_ids = if is_admin
# special rule, admin is allowed access to all groups
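Review bot: The added guard `raise Discourse::InvalidAccess if !user_id && SiteSetting.login_required` carries no comment, and its effect depends on the rescue just above it. An unexpected lookup error is only logged there and leaves `user` nil, so on a login_required site such a request is now rejected too. That fail-closed result is what a security check should do, but it is worth stating so a later change does not add a fallback path; I would put `# login_required: no anonymous message-bus access; a failed user lookup is rejected as well (fail closed)` above the raise. setup_message_bus_env starts and ends outside the hunk, so how the raised InvalidAccess becomes a response is not visible here; the accompanying specs should presumably pin that an anonymous request gets a denial rather than an unhandled error.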