github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-08 00:27:32 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Don't allow loading tagged PMs in another user's inbox.

Browse Source
This commit is contained in:
Gary
2024-12-12 14:13:05 +11:00
committed by Roman Rizzi
parent 3d47a1268c
commit d2de58e760
2 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/controllers/list_controller.rb
View File

@ -201,6 +201,7 @@ class ListController < ApplicationController
:private_messages_group_unread :private_messages_group_unread
raise Discourse::NotFound if target_user.id != current_user.id raise Discourse::NotFound if target_user.id != current_user.id
when :private_messages_tag when :private_messages_tag
raise Discourse::NotFound if target_user.id != current_user.id
raise Discourse::NotFound if !guardian.can_tag_pms? raise Discourse::NotFound if !guardian.can_tag_pms?
when :private_messages_warnings when :private_messages_warnings
guardian.ensure_can_see_warnings!(target_user) guardian.ensure_can_see_warnings!(target_user)

10
spec/requests/tags_controller_spec.rb
View File

@ -144,6 +144,16 @@ RSpec.describe TagsController do
expect(serialized_tag["count"]).to eq(0) expect(serialized_tag["count"]).to eq(0)
expect(serialized_tag["pm_count"]).to eq(1) expect(serialized_tag["pm_count"]).to eq(1)
end end
it "doesn't allow users to see other users' PMs" do
non_admin_user = Fabricate(:trust_level_1)
SiteSetting.pm_tags_allowed_for_groups = "1|2|3|11"
sign_in(non_admin_user)
get "/u/#{admin.username}/messages/tags/#{test_tag.name}.json"
expect(response.status).to eq(404)
end
end end
context "when disabled" do context "when disabled" do