SECURITY: Do not reveal post whisperer in personal messages.

Prior to this fix, post whisperers in personal messages are revealed in
the topic's participants list even though non-staff users are unable to
see the whisper.
Alan Guo Xiang Tan
2021-07-23 11:35:01 +08:00
parent 9165f0a0f8
commit 303e9e42b6
2 changed files with 33 additions and 13 deletions

@@ -458,14 +458,18 @@ class PostCreator
def ensure_in_allowed_users
return unless @topic.private_message? && @topic.id
return if @post.whisper?
return if @topic.topic_allowed_users.exists?(user_id: @user.id)
unless @topic.topic_allowed_users.where(user_id: @user.id).exists?
unless @topic.topic_allowed_groups.where('group_id IN (
SELECT group_id FROM group_users where user_id = ?
)', @user.id).exists?
@topic.topic_allowed_users.create!(user_id: @user.id)
end
end
return if @topic
.topic_allowed_groups
.where(
"group_id IN (SELECT group_id FROM group_users where user_id = ?)",
@user.id
)
.exists?
@topic.topic_allowed_users.create!(user_id: @user.id)
end
def unarchive_message
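
Review bot: The `return if @post.whisper?` guard in `ensure_in_allowed_users` has no comment saying why whispers are skipped, and the reason cannot be read off the method itself. A one-line comment stating that creating a `topic_allowed_users` row would list the whisperer among the topic's participants, where non-staff users could see them, would keep a later refactor from dropping the guard. A minor style point in the same hunk: the SQL string passed to `.where(...)` mixes uppercase `SELECT`, `FROM` and `IN` with a lowercase `where`; uppercasing it would make the subquery consistent.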