SECURITY: Moderators cannot see user emails.

Unless the `moderators_view_emails` SiteSetting is enabled, moderators should not be able to discover users’ emails.
Krzysztof Kotlarek
2024-11-13 14:04:20 +11:00
committed by =
parent 023b61ad22
commit 95564a3df2
9 changed files with 112 additions and 12 deletions


@ -97,6 +97,23 @@ RSpec.describe ExportCsvController do
expect(response.status).to eq(422)
end
it "does not allow moderators to export screened_email if they has no permission to view emails" do
SiteSetting.moderators_view_emails = false
post "/export_csv/export_entity.json", params: { entity: "screened_email" }
expect(response.status).to eq(422)
end
it "allows moderator to export screened_email if they has permission to view emails" do
SiteSetting.moderators_view_emails = true
post "/export_csv/export_entity.json", params: { entity: "screened_email" }
expect(response.status).to eq(200)
expect(response.parsed_body["success"]).to eq("OK")
job_data = Jobs::ExportCsvFile.jobs.first["args"].first
expect(job_data["entity"]).to eq("screened_email")
expect(job_data["user_id"]).to eq(moderator.id)
end
it "allows moderator to export other entities" do
post "/export_csv/export_entity.json", params: { entity: "staff_action" }
expect(response.status).to eq(200)