SECURITY: Respect topic permissions when loading draft metadata

Co-authored-by: Sam Saffron <sam.saffron@gmail.com>
2025-02-25 18:55:32 -06:00 · 2020-03-23 11:02:24 +00:00
parent 3f9b922d20
commit 5ff505cea6
7 changed files with 188 additions and 83 deletions
--- a/app/serializers/draft_serializer.rb
+++ b/app/serializers/draft_serializer.rb
@@ -23,36 +23,68 @@ class DraftSerializer < ApplicationSerializer
             :archetype,
             :archived

+  def cooked
+    object.parsed_data['reply'] || ""
+  end
+
+  def draft_username
+    object.user.username
+  end
+
  def avatar_template
-    User.avatar_template(object.username, object.uploaded_avatar_id)
+    object.user.avatar_template
+  end
+
+  def username
+    object.display_user&.username
+  end
+
+  def username_lower
+    object.display_user&.username_lower
+  end
+
+  def name
+    object.display_user&.name
+  end
+
+  def title
+    object.topic&.title
  end

  def slug
-    Slug.for(object.title)
+    object.topic&.slug
  end

-  def include_slug?
-    object.title.present?
+  def category_id
+    object.topic&.category_id
  end

  def closed
-    object.topic_closed
+    object.topic&.closed
  end

  def archived
-    object.topic_archived
+    object.topic&.archived
+  end
+
+  def archetype
+    object&.topic&.archetype
+  end
+
+  def include_slug?
+    object.topic&.title&.present?
  end

  def include_closed?
-    object.topic_closed.present?
+    object.topic&.closed&.present?
  end

  def include_archived?
-    object.topic_archived.present?
+    object.topic&.archived&.present?
  end

  def include_category_id?
-    object.category_id.present?
+    object.topic&.category_id&.present?
  end

 end