FEATURE: unlisted *only* means not listed in topic lists

Remove security by obscurity feature that tries for exact slug match If you need to hide a topic from users either move to a secure category or convert to a PM
2024-11-26 02:40:53 -06:00 · 2017-08-22 17:53:45 -04:00 · 2017-08-22 17:53:45 -04:00 · 8dfb1be4d1
commit 8dfb1be4d1
parent 224796a7d4
2 changed files with 12 additions and 9 deletions
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@ -67,7 +67,7 @@ class TopicsController < ApplicationController
    # up that particular number
    if params[:id] && params[:id] =~ /^\d+[^\d\\]+$/
      topic = Topic.find_by(slug: params[:id].downcase)
-      return redirect_to_correct_topic(topic, opts[:post_number]) if topic && topic.visible
+      return redirect_to_correct_topic(topic, opts[:post_number]) if topic
    end

    if opts[:print]
@ -84,7 +84,7 @@ class TopicsController < ApplicationController
    rescue Discourse::NotFound
      if params[:id]
        topic = Topic.find_by(slug: params[:id].downcase)
-        return redirect_to_correct_topic(topic, opts[:post_number]) if topic && topic.visible
+        return redirect_to_correct_topic(topic, opts[:post_number]) if topic
      end
      raise Discourse::NotFound
    end
@ -96,10 +96,6 @@ class TopicsController < ApplicationController

    discourse_expires_in 1.minute

-    if !@topic_view.topic.visible && @topic_view.topic.slug != params[:slug] && !request.format.json?
-      raise Discourse::NotFound
-    end
-
    if slugs_do_not_match || (!request.format.json? && params[:slug].nil?)
      redirect_to_correct_topic(@topic_view.topic, opts[:post_number])
      return
--- a/spec/controllers/topics_controller_spec.rb
+++ b/spec/controllers/topics_controller_spec.rb
@ -568,7 +568,14 @@ describe TopicsController do
  end

  describe 'show unlisted' do
-    it 'returns 404 unless exact correct URL' do
+    it 'returns 301 even if slug does not match URL' do
+      # in the past we had special logic for unlisted topics
+      # we would require slug unless you made a json call
+      # this was not really providing any security
+      #
+      # we no longer require a topic be visible to perform url correction
+      # if you need to properly hide a topic for users use a secure category
+      # or a PM
      topic = Fabricate(:topic, visible: false)
      Fabricate(:post, topic: topic)

@ -576,10 +583,10 @@ describe TopicsController do
      expect(response).to be_success

      xhr :get, :show, topic_id: topic.id, slug: "just-guessing"
-      expect(response.code).to eq("404")
+      expect(response.code).to eq("301")

      xhr :get, :show, id: topic.slug
-      expect(response.code).to eq("404")
+      expect(response.code).to eq("301")
    end
  end