github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-01 09:08:10 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: do not show private topic title on /unsubscribed page

Browse Source
This commit is contained in:
Arpit Jalan
2018-04-16 10:14:43 +05:30
parent 6cce839f0a
commit a1ef455c78
4 changed files with 27 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
spec/requests/email_controller_spec.rb
View File

@ -1,6 +1,10 @@
require 'rails_helper'
RSpec.describe EmailController do
let(:user) { Fabricate(:user) }
let(:topic) { Fabricate(:topic) }
let(:private_topic) { Fabricate(:private_message_topic) }
describe '#unsubscribed' do
describe 'when email is invalid' do
it 'should return the right response' do
@ -8,5 +12,21 @@ RSpec.describe EmailController do
expect(response.status).to eq(404)
end
end
describe 'when topic is public' do
it 'should return the right response' do
get '/email/unsubscribed', params: { email: user.email, topic_id: topic.id }
expect(response).to be_success
expect(response.body).to include(topic.title)
end
end
describe 'when topic is private' do
it 'should return the right response' do
get '/email/unsubscribed', params: { email: user.email, topic_id: private_topic.id }
expect(response).to be_success
expect(response.body).to_not include(private_topic.title)
end
end
end
end