github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 22:43:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

security issue, anon and logged in users could see the fact that a user sent another user a pm (but could not see the pm itself or title)

Browse Source
This commit is contained in:
Sam Saffron
2013-10-03 16:48:03 -07:00
parent baa2ab8604
commit ad93fc959c
3 changed files with 43 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/models/post_action_type.rb
View File

@ -15,6 +15,10 @@ class PostActionType < ActiveRecord::Base
@auto_action_flag_types ||= flag_types.except(:notify_user, :notify_moderators) @auto_action_flag_types ||= flag_types.except(:notify_user, :notify_moderators)
end end
def public_types
@public_types ||= types.except(*flag_types.keys << :notify_user)
end
def flag_types def flag_types
@flag_types ||= types.only(:off_topic, :spam, :inappropriate, :notify_moderators) @flag_types ||= types.only(:off_topic, :spam, :inappropriate, :notify_moderators)
end end

5
app/serializers/post_serializer.rb
View File

@ -7,6 +7,7 @@ class PostSerializer < BasicPostSerializer
attr_accessor :add_raw attr_accessor :add_raw
attr_accessor :single_post_link_counts attr_accessor :single_post_link_counts
attr_accessor :draft_sequence attr_accessor :draft_sequence
attr_accessor :post_actions
attributes :post_number, attributes :post_number,
:post_type, :post_type,
@ -152,8 +153,8 @@ class PostSerializer < BasicPostSerializer
action_summary[:can_undo] = scope.can_delete?(post_actions[id]) action_summary[:can_undo] = scope.can_delete?(post_actions[id])
end end
# anonymize flags # only show public data
if !scope.is_staff? && PostActionType.flag_types.values.include?(id) unless scope.is_staff? || PostActionType.public_types.values.include?(id)
action_summary[:count] = action_summary[:acted] ? 1 : 0 action_summary[:count] = action_summary[:acted] ? 1 : 0
end end

36
spec/serializers/post_serializer_spec.rb
View File

@ -1,7 +1,43 @@
require 'spec_helper' require 'spec_helper'
require_dependency 'post_action'
describe PostSerializer do describe PostSerializer do
context "a post with lots of actions" do
let(:post){Fabricate(:post)}
let(:actor){Fabricate(:user)}
let(:admin){Fabricate(:admin)}
let(:acted_ids){
PostActionType.public_types.values
.concat([:notify_user,:spam]
.map{|k| PostActionType.types[k]})
}
def visible_actions_for(user)
serializer = PostSerializer.new(post, scope: Guardian.new(user), root: false)
# NOTE this is messy, we should extract all this logic elsewhere
serializer.post_actions = PostAction.counts_for([post], actor)[post.id] if user.try(:id) == actor.id
actions = serializer.as_json[:actions_summary]
lookup = PostActionType.types.invert
actions.keep_if{|a| a[:count] > 0}.map{|a| lookup[a[:id]]}
end
before do
acted_ids.each do|id|
PostAction.act(actor, post, id)
end
post.reload
end
it "displays the correct info" do
visible_actions_for(actor).sort.should == [:like,:notify_user,:spam,:vote]
visible_actions_for(post.user).sort.should == [:like,:vote]
visible_actions_for(nil).sort.should == [:like,:vote]
visible_actions_for(admin).sort.should == [:like,:notify_user,:spam,:vote]
end
end
context "a post by a nuked user" do context "a post by a nuked user" do
let!(:post) { Fabricate(:post, user: Fabricate(:user), deleted_at: Time.zone.now) } let!(:post) { Fabricate(:post, user: Fabricate(:user), deleted_at: Time.zone.now) }