SECURITY: correct local onebox category checks

Also removes ugly "source_topic_id" from cooked posts

Patch was authored by @zogstrip

Signed-off-by: Sam <sam.saffron@gmail.com>
Sam
2018-02-14 10:39:44 +11:00
parent 548db91c76
commit f028ffaf29
14 changed files with 251 additions and 361 deletions


@ -14,8 +14,8 @@ describe OneboxController do
before { @user = log_in(:admin) }
it 'invalidates the cache if refresh is passed' do
Oneboxer.expects(:preview).with(url, invalidate_oneboxes: true)
get :show, params: { url: url, refresh: 'true', user_id: @user.id }, format: :json
Oneboxer.expects(:preview).with(url, invalidate_oneboxes: true, user_id: @user.id, category_id: 0)
get :show, params: { url: url, refresh: 'true' }, format: :json
end
describe "cached onebox" do
@ -41,13 +41,13 @@ describe OneboxController do
stub_request(:get, url)
.to_return(status: 200, headers: {}, body: onebox_html).then.to_raise
get :show, params: { url: url, user_id: @user.id, refresh: "true" }, format: :json
get :show, params: { url: url, refresh: "true" }, format: :json
expect(response).to be_success
expect(response.body).to include('Fred')
expect(response.body).to include('bodycontent')
get :show, params: { url: url, user_id: @user.id }, format: :json
get :show, params: { url: url }, format: :json
expect(response).to be_success
expect(response.body).to include('Fred')
expect(response.body).to include('bodycontent')
@ -59,7 +59,7 @@ describe OneboxController do
it "returns 429" do
Oneboxer.expects(:is_previewing?).returns(true)
get :show, params: { url: url, user_id: @user.id }, format: :json
get :show, params: { url: url }, format: :json
expect(response.status).to eq(429)
end
@ -70,8 +70,8 @@ describe OneboxController do
let(:body) { "this is the onebox body" }
before do
Oneboxer.expects(:preview).with(url, invalidate_oneboxes: false).returns(body)
get :show, params: { url: url, user_id: @user.id }, format: :json
Oneboxer.expects(:preview).returns(body)
get :show, params: { url: url }, format: :json
end
it 'returns the onebox response in the body' do
@ -84,19 +84,51 @@ describe OneboxController do
describe "missing onebox" do
it "returns 404 if the onebox is nil" do
Oneboxer.expects(:preview).with(url, invalidate_oneboxes: false).returns(nil)
get :show, params: { url: url, user_id: @user.id }, format: :json
Oneboxer.expects(:preview).returns(nil)
get :show, params: { url: url }, format: :json
expect(response.response_code).to eq(404)
end
it "returns 404 if the onebox is an empty string" do
Oneboxer.expects(:preview).with(url, invalidate_oneboxes: false).returns(" \t ")
get :show, params: { url: url, user_id: @user.id }, format: :json
Oneboxer.expects(:preview).returns(" \t ")
get :show, params: { url: url }, format: :json
expect(response.response_code).to eq(404)
end
end
describe "local onebox" do
it 'does not cache local oneboxes' do
post1 = create_post
url = Discourse.base_url + post1.url
get :show, params: { url: url, category_id: post1.topic.category_id }, format: :json
expect(response.body).to include('blockquote')
post1.trash!
get :show, params: { url: url, category_id: post1.topic.category_id }, format: :json
expect(response.body).not_to include('blockquote')
end
end
end
it 'does not onebox when you have no permission on category' do
log_in
post1 = create_post
url = Discourse.base_url + post1.url
get :show, params: { url: url, category_id: post1.topic.category_id }, format: :json
expect(response.body).to include('blockquote')
post1.topic.category.set_permissions(staff: :full)
post1.topic.category.save
get :show, params: { url: url, category_id: post1.topic.category_id }, format: :json
expect(response.body).not_to include('blockquote')
end
end
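Review bot: The new permission test at the end of the last hunk only exercises the path where the client supplies the correct `category_id`, so it cannot show that the server derives the category check from the target post rather than trusting that request parameter. After `set_permissions(staff: :full)` the spec should also request the same URL without the parameter, `get :show, params: { url: url }, format: :json` followed by `expect(response.body).not_to include('blockquote')`, and ideally once more with an unrelated `category_id`; the first hunk's `category_id: 0` expectation suggests the omitted-parameter case is a real code path. A smaller point: `post1.topic.category.save` would let a failed save pass silently and the assertion that follows would then be testing the unrestricted category, so `save!` is the safer call here. The enclosing `describe OneboxController` block and the file header are not within this view, so the exact nesting of the closing `end` lines is inferred.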