IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FIX: return an error if a user tries to whisper

Browse Source 
This commit fixes a bug where a user creates a whisper post via the api
but is posted as a regular message because they don't have access to
whisper. Now a 403 unauthorized will be returned instead of the whisper
param just being ignored for regular users. Staff users should not be
affected by this change.

https://meta.discourse.org/t/a-whisper-is-posted-as-a-message-if-the-user-is-not-staff-moderator-admin-when-using-the-api/116601
This commit is contained in:
Blake Erickson 2019-05-07 11:34:15 -06:00
parent 1f40258d5c
commit 5b5b5a5931
4 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/controllers/posts_controller.rb
View File

@ -730,7 +730,9 @@ class PostsController < ApplicationController
result[:shared_draft] = true result[:shared_draft] = true
end end
if current_user.staff? && SiteSetting.enable_whispers? && params[:whisper] == "true" if params[:whisper] == "true"
raise Discourse::InvalidAccess.new("invalid_whisper_access", nil, custom_message: "invalid_whisper_access") unless guardian.can_create_whisper?
result[:post_type] = Post.types[:whisper] result[:post_type] = Post.types[:whisper]
end end

1
config/locales/server.en.yml
View File

@ -243,6 +243,7 @@ en:
read_only_mode_enabled: "The site is in read only mode. Interactions are disabled." read_only_mode_enabled: "The site is in read only mode. Interactions are disabled."
invalid_grant_badge_reason_link: "External or invalid discourse link is not allowed in badge reason" invalid_grant_badge_reason_link: "External or invalid discourse link is not allowed in badge reason"
email_template_cant_be_modified: "This email template can't be modified" email_template_cant_be_modified: "This email template can't be modified"
invalid_whisper_access: "Either whispers are not enabled or you do not have access to create whisper posts"
reading_time: "Reading time" reading_time: "Reading time"
likes: "Likes" likes: "Likes"

4
lib/guardian/topic_guardian.rb
View File

@ -24,6 +24,10 @@ module TopicGuardian
is_staff? && SiteSetting.shared_drafts_enabled? is_staff? && SiteSetting.shared_drafts_enabled?
end end
def can_create_whisper?
is_staff? && SiteSetting.enable_whispers?
end
def can_publish_topic?(topic, category) def can_publish_topic?(topic, category)
is_staff? && can_see?(topic) && can_create_topic?(category) is_staff? && can_see?(topic) && can_create_topic?(category)
end end

17
spec/requests/posts_controller_spec.rb
View File

@ -696,6 +696,7 @@ describe PostsController do
before do before do
SiteSetting.min_first_post_typing_time = 0 SiteSetting.min_first_post_typing_time = 0
SiteSetting.enable_whispers = true
end end
fab!(:user) { Fabricate(:user) } fab!(:user) { Fabricate(:user) }
@ -774,6 +775,22 @@ describe PostsController do
expect(response.status).to eq(200) expect(response.status).to eq(200)
expect(post_1.topic.user.notifications.count).to eq(1) expect(post_1.topic.user.notifications.count).to eq(1)
end end
it 'prevents whispers for regular users' do
post_1 = Fabricate(:post)
user = Fabricate(:user)
user_key = ApiKey.create!(user: user, key: SecureRandom.hex).key
post "/posts.json", params: {
api_username: user.username,
api_key: user_key,
raw: 'this is test whisper',
topic_id: post_1.topic.id,
reply_to_post_number: 1,
whisper: true
}
expect(response.status).to eq(403)
end
end end
describe "when logged in" do describe "when logged in" do