SECURITY: Moderators cannot see user emails.

Unless `moderators_view_emails` SiteSetting is enabled, moderators should not be able to discover users’ emails.
2025-06-04 11:11:13 +08:00 · 2024-11-13 14:04:20 +11:00
parent 023b61ad22
commit 95564a3df2
9 changed files with 112 additions and 12 deletions
--- a/spec/requests/admin/screened_emails_controller_spec.rb
+++ b/spec/requests/admin/screened_emails_controller_spec.rb
@ -23,8 +23,11 @@ RSpec.describe Admin::ScreenedEmailsController do
      include_examples "screened emails accessible"
    end

-    context "when logged in as a moderator" do
-      before { sign_in(moderator) }
+    context "when logged in as a moderator and has permission to view emails" do
+      before do
+        sign_in(moderator)
+        SiteSetting.moderators_view_emails = true
+      end

      include_examples "screened emails accessible"
    end
@ -39,6 +42,17 @@ RSpec.describe Admin::ScreenedEmailsController do
        expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
      end
    end
+
+    context "when logged in as a moderator but no permission to view emails" do
+      before { sign_in(moderator) }
+
+      it "denies access with a 403 response" do
+        get "/admin/logs/screened_emails.json"
+
+        expect(response.status).to eq(403)
+        expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
+      end
+    end
  end

  describe "#destroy" do
@ -58,8 +72,11 @@ RSpec.describe Admin::ScreenedEmailsController do
      include_examples "screened email deletion possible"
    end

-    context "when logged in as a moderator" do
-      before { sign_in(moderator) }
+    context "when logged in as a moderator and has permission to view emails" do
+      before do
+        sign_in(moderator)
+        SiteSetting.moderators_view_emails = true
+      end

      include_examples "screened email deletion possible"
    end
@ -74,5 +91,16 @@ RSpec.describe Admin::ScreenedEmailsController do
        expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
      end
    end
+
+    context "when logged in as a moderator but no permission to view emails" do
+      before { sign_in(moderator) }
+
+      it "prevents deletion with a 403 response" do
+        delete "/admin/logs/screened_emails/#{screened_email.id}.json"
+
+        expect(response.status).to eq(403)
+        expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
+      end
+    end
  end
 end