SECURITY: Category group permissions leaked to normal users.

After this commit, category group permissions can only be seen by users
that are allowed to manage a category. In the past, we inadvertently
included a category's group permissions settings in `CategoriesController#show`
and `CategoriesController#find_by_slug` endpoints for normal users when
those settings are only a concern to users that can manage a category.
Alan Guo Xiang Tan
2022-04-08 11:14:06 +08:00
parent 07d8189edd
commit 0f7b9878ff
9 changed files with 130 additions and 74 deletions
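The fix the commit message describes (drop a category's group permissions from the responses normal users can reach, and expose them only to users who may manage the category) comes down to making the serializer ask an authorization object before emitting the privileged field, and giving the privileged data its own guarded endpoint. The following is an added, self-contained Ruby illustration of that pattern; it is not Discourse's code. `Guardian`, `CategorySerializer`, `show_category`, `find_category_by_slug`, `visible_groups` and the `CATEGORIES` fixture are all constructed here for illustration and do not correspond to the project's actual classes or method signatures.

```ruby
# Added example, not Discourse's code: a minimal serializer that emits a
# category's group permissions only to users allowed to manage the category.
# Every class, method and the sample data below is constructed for this example.

Category = Struct.new(:id, :slug, :name, :group_permissions, keyword_init: true)
User = Struct.new(:username, :admin, :moderated_category_ids, keyword_init: true)

# The authorization decision lives in one place (a guardian object), so the
# serializer and the dedicated endpoint cannot drift apart.
class Guardian
  def initialize(user)
    @user = user # nil for anonymous visitors
  end

  def can_edit_category?(category)
    return false if @user.nil?
    return true if @user.admin
    @user.moderated_category_ids.include?(category.id)
  end
end

class CategorySerializer
  PUBLIC_ATTRIBUTES = %i[id slug name].freeze

  def initialize(category, scope:)
    @category = category
    @scope = scope # a Guardian for the requesting user
  end

  # The privileged field is opt-in, gated on the guardian, never default-on.
  def include_group_permissions?
    @scope.can_edit_category?(@category)
  end

  def as_json
    json = PUBLIC_ATTRIBUTES.to_h { |a| [a, @category.public_send(a)] }
    json[:group_permissions] = @category.group_permissions if include_group_permissions?
    json
  end
end

# Constructed fixture: one category whose permissions must not leak.
CATEGORIES = [
  Category.new(id: 7, slug: "staff-only", name: "Staff",
               group_permissions: [{ group_name: "staff", permission_type: 1 }]),
].freeze

# Stand-ins for the two endpoints named in the commit message. Both go
# through the same serializer, so the guard is applied consistently.
def show_category(category, current_user)
  CategorySerializer.new(category, scope: Guardian.new(current_user)).as_json
end

def find_category_by_slug(slug, current_user)
  category = CATEGORIES.find { |c| c.slug == slug }
  return nil if category.nil?
  show_category(category, current_user)
end

# Hypothetical counterpart to a dedicated "visible groups" endpoint: it
# refuses outright unless the caller may manage the category, rather than
# returning a partial response.
def visible_groups(category, current_user)
  guardian = Guardian.new(current_user)
  return { status: 403, error: "not permitted" } unless guardian.can_edit_category?(category)
  { status: 200, groups: category.group_permissions.map { |gp| gp[:group_name] } }
end

if __FILE__ == $PROGRAM_NAME
  admin = User.new(username: "admin", admin: true, moderated_category_ids: [])
  visitor = User.new(username: "visitor", admin: false, moderated_category_ids: [])
  puts show_category(CATEGORIES.first, admin).inspect   # includes :group_permissions
  puts show_category(CATEGORIES.first, visitor).inspect # public attributes only
  puts visible_groups(CATEGORIES.first, nil).inspect    # 403 for anonymous
end
```

The point to carry over to a real code base is the shape, not the names: a single guardian method decides who is a manager, the serializer consults it to include or omit the field, and any endpoint that exists solely to return the privileged data fails closed with a 403 instead of returning an emptied payload. A regression test should cover a non-manager on every path that serializes the category.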


@@ -722,6 +722,7 @@ Discourse::Application.routes.draw do
get "categories_and_top" => "categories#categories_and_top"
get "c/:id/show" => "categories#show"
get "c/:id/visible_groups" => "categories#visible_groups"
get "c/*category_slug/find_by_slug" => "categories#find_by_slug"
get "c/*category_slug/edit(/:tab)" => "categories#find_by_slug", constraints: { format: 'html' }
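Review bot: the added `get "c/:id/visible_groups" => "categories#visible_groups"` route carries no authorization of its own, and the controller action it points at is in one of the other changed files rather than in this hunk, so the property the commit message claims (group permissions visible only to users who can manage the category) cannot be confirmed from the routing change alone. Before merging, the reviewer should check that `categories#visible_groups` enforces the can-manage check and fails closed (403) for a normal or anonymous user, that the `categories#show` and `categories#find_by_slug` responses listed beside it no longer include the group permissions, and that a request spec exercises a non-manager against all three routes so the leak cannot silently return.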