SECURITY: Ensure user can see group and group members
This commit is contained in:
parent
d8640fd042
commit
61c1af0124
@ -12,7 +12,12 @@ class DirectoryItemsController < ApplicationController
|
||||
result = DirectoryItem.where(period_type: period_type).includes(:user)
|
||||
|
||||
if params[:group]
|
||||
result = result.includes(user: :groups).where(users: { groups: { name: params[:group] } })
|
||||
group = Group.find_by(name: params[:group])
|
||||
raise Discourse::InvalidParameters.new(:group) if group.blank?
|
||||
guardian.ensure_can_see!(group)
|
||||
guardian.ensure_can_see_group_members!(group)
|
||||
|
||||
result = result.includes(user: :groups).where(users: { groups: { id: group.id } })
|
||||
else
|
||||
result = result.includes(user: :primary_group)
|
||||
end
|
||||
|
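Review bot: The two failure paths added on the new side answer differently — `raise Discourse::InvalidParameters.new(:group) if group.blank?` yields a 400 for an unknown name, while `guardian.ensure_can_see!(group)` yields a 403 for a group that exists but is hidden from the caller, so the status code alone tells a caller whether a hidden group name exists. If that distinction is not intended, treat a group the caller cannot see as not found, `raise Discourse::InvalidParameters.new(:group) if group.blank? || !guardian.can_see?(group)`, leaving `ensure_can_see_group_members!` as the only 403 path; the spec in this commit currently asserts 403 for the hidden group, so it would need the matching change. Separately, `Group.find_by(name: params[:group])` receives the raw request parameter, and an array- or hash-shaped `group` param turns the lookup into an IN list or an ActiveRecord error rather than the intended 400 — `params[:group].to_s` avoids that. The action's body begins above this hunk.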
@ -103,5 +103,20 @@ describe DirectoryItemsController do
|
||||
expect(json['directory_items'][0]['user']['username']).to eq(evil_trout.username) | eq(stage_user.username)
|
||||
expect(json['directory_items'][1]['user']['username']).to eq(evil_trout.username) | eq(stage_user.username)
|
||||
end
|
||||
|
||||
it "checks group permissions" do
|
||||
group.update!(visibility_level: Group.visibility_levels[:members])
|
||||
|
||||
sign_in(evil_trout)
|
||||
get '/directory_items.json', params: { period: 'all', group: group.name }
|
||||
expect(response.status).to eq(200)
|
||||
|
||||
get '/directory_items.json', params: { period: 'all', group: 'not a group' }
|
||||
expect(response.status).to eq(400)
|
||||
|
||||
sign_in(user)
|
||||
get '/directory_items.json', params: { period: 'all', group: group.name }
|
||||
expect(response.status).to eq(403)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
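Review bot: The new `it "checks group permissions"` example only changes `visibility_level`, so `ensure_can_see_group_members!` — the second check the controller change introduces — is never exercised on its denying path; a group that is visible but whose member list is restricted (`members_visibility_level`, if that is the attribute the guardian consults here) should also produce 403 for a non-member. The 200 expectation for `evil_trout` also depends on that user being a member of `group`, which is set up in `let` blocks outside this hunk, so a comment such as `# evil_trout is a member of group (see let above); user is not` would make the three status expectations readable on their own. The enclosing describe block starts before this hunk.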