SECURITY: Ensure user can see group and group members

This commit is contained in:
Bianca Nenciu 2020-03-09 22:04:05 +02:00
parent d8640fd042
commit 61c1af0124
2 changed files with 21 additions and 1 deletions

View File

@ -12,7 +12,12 @@ class DirectoryItemsController < ApplicationController
result = DirectoryItem.where(period_type: period_type).includes(:user) result = DirectoryItem.where(period_type: period_type).includes(:user)
if params[:group] if params[:group]
result = result.includes(user: :groups).where(users: { groups: { name: params[:group] } }) group = Group.find_by(name: params[:group])
raise Discourse::InvalidParameters.new(:group) if group.blank?
guardian.ensure_can_see!(group)
guardian.ensure_can_see_group_members!(group)
result = result.includes(user: :groups).where(users: { groups: { id: group.id } })
else else
result = result.includes(user: :primary_group) result = result.includes(user: :primary_group)
end end

View File

@ -103,5 +103,20 @@ describe DirectoryItemsController do
expect(json['directory_items'][0]['user']['username']).to eq(evil_trout.username) | eq(stage_user.username) expect(json['directory_items'][0]['user']['username']).to eq(evil_trout.username) | eq(stage_user.username)
expect(json['directory_items'][1]['user']['username']).to eq(evil_trout.username) | eq(stage_user.username) expect(json['directory_items'][1]['user']['username']).to eq(evil_trout.username) | eq(stage_user.username)
end end
it "checks group permissions" do
group.update!(visibility_level: Group.visibility_levels[:members])
sign_in(evil_trout)
get '/directory_items.json', params: { period: 'all', group: group.name }
expect(response.status).to eq(200)
get '/directory_items.json', params: { period: 'all', group: 'not a group' }
expect(response.status).to eq(400)
sign_in(user)
get '/directory_items.json', params: { period: 'all', group: group.name }
expect(response.status).to eq(403)
end
end end
end end