SECURITY: Prevent unauthorized access to grouped poll results

This adds access controls for the `/polls/grouped_poll_results`
endpoint, such that only users with appropriate permissions can read
the grouped results of a given poll.
Kelvin Tan
2023-10-01 23:10:35 +08:00
committed by Penar Musaraj
parent 4cb7472376
commit ee084b754e
2 changed files with 127 additions and 2 deletions


@ -198,11 +198,19 @@ class DiscoursePoll::Poll
def self.grouped_poll_results(user, post_id, poll_name, user_field_name)
raise Discourse::InvalidParameters.new(:post_id) if !Post.where(id: post_id).exists?
poll =
Poll.includes(:poll_options).includes(:poll_votes).find_by(post_id: post_id, name: poll_name)
Poll.includes(:poll_options, :poll_votes, post: :topic).find_by(
post_id: post_id,
name: poll_name,
)
raise Discourse::InvalidParameters.new(:poll_name) unless poll
# user must be allowed to post in topic
guardian = Guardian.new(user)
if !guardian.can_create_post?(poll.post.topic)
raise DiscoursePoll::Error.new I18n.t("poll.user_cant_post_in_topic")
end
unless SiteSetting.poll_groupable_user_fields.split("|").include?(user_field_name)
raise Discourse::InvalidParameters.new(:user_field_name)
end
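Review bot: The new guardian check runs only after the two existence checks at the top of `grouped_poll_results`, so a caller who may not read the topic still gets three distinguishable outcomes: `InvalidParameters(:post_id)` when the post does not exist, `InvalidParameters(:poll_name)` when the post has no poll of that name, and `poll.user_cant_post_in_topic` when both exist. That difference confirms the existence of post ids and poll names in topics the caller cannot see. Consider loading the post first and failing identically for missing and unreadable posts before the poll lookup, e.g. `post = Post.find_by(id: post_id)` followed by `raise Discourse::InvalidParameters.new(:post_id) if !post || !Guardian.new(user).can_see?(post)`. Separately, `can_create_post?` is a write permission standing in for a read permission, and the hunk shows no check of the poll's own results-visibility setting; the method body continues outside the hunk, so confirm that this is enforced there.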