IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Mod should not see group_users and second_factor_enabled.

Browse Source 
Moderators should not be able to see `UserSerializer#group_users` and `UserSerializer#second_factor_enabled` of other users.

Impact of leaking this is low because the information leaked is not
exploitable.
This commit is contained in:
Guo Xiang Tan 2020-09-11 10:23:35 +08:00
parent 468417a716
commit 245d29e5a3
No known key found for this signature in database
GPG Key ID: FBD110179AAC1F20
2 changed files with 20 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/serializers/user_serializer.rb
View File

@ -83,7 +83,7 @@ class UserSerializer < UserCardSerializer
end end
def include_group_users? def include_group_users?
(object.id && object.id == scope.user.try(:id)) || scope.is_staff? (object.id && object.id == scope.user.try(:id)) || scope.is_admin?
end end
def include_associated_accounts? def include_associated_accounts?
@ -91,7 +91,7 @@ class UserSerializer < UserCardSerializer
end end
def include_second_factor_enabled? def include_second_factor_enabled?
(object&.id == scope.user&.id) || scope.is_staff? (object&.id == scope.user&.id) || scope.is_admin?
end end
def second_factor_enabled def second_factor_enabled

23
spec/serializers/user_serializer_spec.rb
View File

@ -3,20 +3,33 @@
require 'rails_helper' require 'rails_helper'
describe UserSerializer do describe UserSerializer do
fab!(:user) { Fabricate(:user, trust_level: 0) }
context "with a TL0 user seen as anonymous" do context "with a TL0 user seen as anonymous" do
let(:user) { Fabricate.build(:user, trust_level: 0, user_profile: Fabricate.build(:user_profile)) }
let(:serializer) { UserSerializer.new(user, scope: Guardian.new, root: false) } let(:serializer) { UserSerializer.new(user, scope: Guardian.new, root: false) }
let(:json) { serializer.as_json } let(:json) { serializer.as_json }
let(:untrusted_attributes) { %i{bio_raw bio_cooked bio_excerpt location website website_name profile_background card_background} } let(:untrusted_attributes) { %i{bio_raw bio_cooked bio_excerpt location website website_name profile_background card_background} }
it "doesn't serialize untrusted attributes" do it "doesn't serialize untrusted attributes" do
untrusted_attributes.each { |attr| expect(json).not_to have_key(attr) } untrusted_attributes.each { |attr| expect(json).not_to have_key(attr) }
end end
it "doesn't serialize group_users" do it "serializes correctly" do
expect(json[:group_users]).to be_nil expect(json[:group_users]).to eq(nil)
expect(json[:second_factor_enabled]).to eq(nil)
end
end
context "as moderator" do
it "serializes correctly" do
json = UserSerializer.new(
user,
scope: Guardian.new(Fabricate(:moderator)),
root: false
).as_json
expect(json[:group_users]).to eq(nil)
expect(json[:second_factor_enabled]).to eq(nil)
end end
end end
@ -41,8 +54,8 @@ describe UserSerializer do
expect(json[:user_option][:new_topic_duration_minutes]).to eq(60 * 24) expect(json[:user_option][:new_topic_duration_minutes]).to eq(60 * 24)
expect(json[:user_option][:auto_track_topics_after_msecs]).to eq(0) expect(json[:user_option][:auto_track_topics_after_msecs]).to eq(0)
expect(json[:user_option][:notification_level_when_replying]).to eq(3) expect(json[:user_option][:notification_level_when_replying]).to eq(3)
expect(json[:group_users]).to eq([]) expect(json[:group_users]).to eq([])
expect(json[:second_factor_enabled]).to eq(false)
end end
end end