github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 18:22:40 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Don't expose user post counts to users who can't see the topic (#19728)

Browse Source 
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>

Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
This commit is contained in:
Alan Guo Xiang Tan
2023-01-05 06:08:19 +08:00
committed by GitHub
parent c0e2d7bada
commit cbcf8a064b
2 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
spec/requests/users_controller_spec.rb
View File

@ -4201,6 +4201,15 @@ RSpec.describe UsersController do
expect(topic_post_count[topic.id.to_s]).to eq(1)
end
it "doesn't include the post count when the signed in user doesn't have access" do
c = Fabricate(:category, read_restricted: true)
topic.update(category_id: c.id)
expect(Guardian.new(user1).can_see?(topic)).to eq(false)
get "/u/#{admin.username}.json", params: { include_post_count_for: topic.id }
topic_post_count = response.parsed_body.dig("user", "topic_post_count")
expect(topic_post_count).to eq(nil)
end
it "includes all post types for staff members" do
SiteSetting.whispers_allowed_groups = "#{Group::AUTO_GROUPS[:staff]}"
sign_in(admin)