github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 21:01:04 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Remove indication that a group exists if user can't see it.

Browse Source 
Minor security fix but we should not leak any hints that a group exists
even if a user does not have access to the group.
This commit is contained in:
Guo Xiang Tan
2020-09-08 10:52:29 +08:00
parent 5ed84d9885
commit b0f22f2523
2 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/groups_controller.rb
View File

@ -629,7 +629,7 @@ class GroupsController < ApplicationController
def find_group(param_name, ensure_can_see: true)
name = params.require(param_name)
group = Group.find_by("LOWER(name) = ?", name.downcase)
guardian.ensure_can_see!(group) if ensure_can_see
raise Discourse::NotFound if ensure_can_see && !guardian.can_see_group?(group)
group
end