github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-06 03:06:53 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: do not show private topic title on /unsubscribed page

Browse Source
This commit is contained in:
Arpit Jalan
2018-04-16 10:14:43 +05:30
parent 6cce839f0a
commit a1ef455c78
4 changed files with 27 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/email_controller.rb
View File

@ -110,10 +110,11 @@ class EmailController < ApplicationController
def unsubscribed def unsubscribed
@email = params[:email] @email = params[:email]
@topic_id = params[:topic_id]
user = User.find_by_email(params[:email]) user = User.find_by_email(params[:email])
raise Discourse::NotFound unless user raise Discourse::NotFound unless user
@topic = Topic.find_by(id: params[:topic_id].to_i) if params[:topic_id] topic = Topic.find_by(id: params[:topic_id].to_i) if @topic_id
raise Discourse::NotFound unless Guardian.new(user).can_see?(@topic) @topic = topic if topic && Guardian.new(nil).can_see?(topic)
end end
end end

6
app/views/email/unsubscribed.html.erb
View File

@ -7,8 +7,8 @@
</p> </p>
<% if @topic %> <% if @topic %>
<p> <p><%=t("unsubscribed.topic_description", link: render_topic_title(@topic)).html_safe%></p>
<%=t("unsubscribed.topic_description", link: render_topic_title(@topic)).html_safe%> <% elsif @topic_id %>
</p> <p><%=t("unsubscribed.private_topic_description")%></p>
<% end %> <% end %>
</div> </div>

1
config/locales/server.en.yml
View File

@ -798,6 +798,7 @@ en:
title: "Unsubscribed!" title: "Unsubscribed!"
description: "<b>%{email}</b> has been unsubscribed. To change your email settings <a href='%{url}'>visit your user preferences</a>." description: "<b>%{email}</b> has been unsubscribed. To change your email settings <a href='%{url}'>visit your user preferences</a>."
topic_description: "To re-subscribe to %{link}, use the notification control at the bottom or right of the topic." topic_description: "To re-subscribe to %{link}, use the notification control at the bottom or right of the topic."
private_topic_description: "To re-subscribe, use the notification control at the bottom or right of the topic."
unsubscribe: unsubscribe:
title: "Unsubscribe" title: "Unsubscribe"

20
spec/requests/email_controller_spec.rb
View File

@ -1,6 +1,10 @@
require 'rails_helper' require 'rails_helper'
RSpec.describe EmailController do RSpec.describe EmailController do
let(:user) { Fabricate(:user) }
let(:topic) { Fabricate(:topic) }
let(:private_topic) { Fabricate(:private_message_topic) }
describe '#unsubscribed' do describe '#unsubscribed' do
describe 'when email is invalid' do describe 'when email is invalid' do
it 'should return the right response' do it 'should return the right response' do
@ -8,5 +12,21 @@ RSpec.describe EmailController do
expect(response.status).to eq(404) expect(response.status).to eq(404)
end end
end end
describe 'when topic is public' do
it 'should return the right response' do
get '/email/unsubscribed', params: { email: user.email, topic_id: topic.id }
expect(response).to be_success
expect(response.body).to include(topic.title)
end
end
describe 'when topic is private' do
it 'should return the right response' do
get '/email/unsubscribed', params: { email: user.email, topic_id: private_topic.id }
expect(response).to be_success
expect(response.body).to_not include(private_topic.title)
end
end
end end
end end