IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Prevent access to other user's bookmark lists

Browse Source
This commit is contained in:
Martin Brennan
2020-03-19 10:59:32 +10:00
parent 8ae472bc41
commit 8769ca08bb
4 changed files with 26 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
app/assets/javascripts/discourse/controllers/user-activity-bookmarks-with-reminders.js
View File

@@ -33,6 +33,9 @@ export default Controller.extend({
this.content.pushObjects(bookmarks); this.content.pushObjects(bookmarks);
} }
}) })
.catch(() => {
this.set("noResultsHelp", I18n.t("bookmarks.list_permission_denied"));
})
.finally(() => .finally(() =>
this.setProperties({ this.setProperties({
loaded: true, loaded: true,
@@ -42,8 +45,8 @@ export default Controller.extend({
}, },
@discourseComputed("loaded", "content.length") @discourseComputed("loaded", "content.length")
noContent(loaded, content) { noContent(loaded, contentLength) {
return loaded && content.length === 0; return loaded && contentLength === 0;
}, },
actions: { actions: {

1
app/controllers/users_controller.rb
View File

@@ -1397,6 +1397,7 @@ class UsersController < ApplicationController
def bookmarks def bookmarks
user = fetch_user_from_params user = fetch_user_from_params
guardian.ensure_can_edit!(user)
respond_to do |format| respond_to do |format|
format.json do format.json do

1
config/locales/client.en.yml
View File

@@ -313,6 +313,7 @@ en:
save: "Save" save: "Save"
no_timezone: 'You have not set a timezone yet. You will not be able to set reminders. Set one up <a href="%{basePath}/my/preferences/profile">in your profile</a>.' no_timezone: 'You have not set a timezone yet. You will not be able to set reminders. Set one up <a href="%{basePath}/my/preferences/profile">in your profile</a>.'
invalid_custom_datetime: "The date and time you provided is invalid, please try again." invalid_custom_datetime: "The date and time you provided is invalid, please try again."
list_permission_denied: "You do not have permission to view this user's bookmarks."
reminders: reminders:
at_desktop: "Next time I'm at my desktop" at_desktop: "Next time I'm at my desktop"
later_today: "Later today <br/>{{date}}" later_today: "Later today <br/>{{date}}"

19
spec/requests/users_controller_spec.rb
View File

@@ -4167,6 +4167,25 @@ describe UsersController do
end end
end end
describe "#bookmarks" do
let!(:bookmark1) { Fabricate(:bookmark, user: user) }
let!(:bookmark2) { Fabricate(:bookmark, user: user) }
let!(:bookmark3) { Fabricate(:bookmark) }
it "returns a list of serialized bookmarks for the user" do
sign_in(user)
get "/u/#{user.username}/bookmarks.json"
expect(response.status).to eq(200)
expect(JSON.parse(response.body)['bookmarks'].map { |b| b['id'] }).to match_array([bookmark1.id, bookmark2.id])
end
it "does not show another user's bookmarks" do
sign_in(user)
get "/u/#{bookmark3.user.username}/bookmarks.json"
expect(response.status).to eq(403)
end
end
def create_second_factor_security_key def create_second_factor_security_key
sign_in(user) sign_in(user)
stub_secure_session_confirmed stub_secure_session_confirmed