FEATURE: unlisted *only* means not listed in topic lists

Remove the security-by-obscurity feature that required an exact slug match.

If you need to hide a topic from users, either move it to a secure category
or convert it to a PM.
Sam 2017-08-22 17:53:45 -04:00
parent 224796a7d4
commit 8dfb1be4d1
2 changed files with 12 additions and 9 deletions


@ -67,7 +67,7 @@ class TopicsController < ApplicationController
# up that particular number # up that particular number
if params[:id] && params[:id] =~ /^\d+[^\d\\]+$/ if params[:id] && params[:id] =~ /^\d+[^\d\\]+$/
topic = Topic.find_by(slug: params[:id].downcase) topic = Topic.find_by(slug: params[:id].downcase)
return redirect_to_correct_topic(topic, opts[:post_number]) if topic && topic.visible return redirect_to_correct_topic(topic, opts[:post_number]) if topic
end end
if opts[:print] if opts[:print]
@ -84,7 +84,7 @@ class TopicsController < ApplicationController
rescue Discourse::NotFound rescue Discourse::NotFound
if params[:id] if params[:id]
topic = Topic.find_by(slug: params[:id].downcase) topic = Topic.find_by(slug: params[:id].downcase)
return redirect_to_correct_topic(topic, opts[:post_number]) if topic && topic.visible return redirect_to_correct_topic(topic, opts[:post_number]) if topic
end end
raise Discourse::NotFound raise Discourse::NotFound
end end
@ -96,10 +96,6 @@ class TopicsController < ApplicationController
discourse_expires_in 1.minute discourse_expires_in 1.minute
if !@topic_view.topic.visible && @topic_view.topic.slug != params[:slug] && !request.format.json?
raise Discourse::NotFound
end
if slugs_do_not_match || (!request.format.json? && params[:slug].nil?) if slugs_do_not_match || (!request.format.json? && params[:slug].nil?)
redirect_to_correct_topic(@topic_view.topic, opts[:post_number]) redirect_to_correct_topic(@topic_view.topic, opts[:post_number])
return return
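Review bot: The slug lookup on the new side of the first hunk (`return redirect_to_correct_topic(topic, opts[:post_number]) if topic`, repeated in the rescue branch of the second hunk) now answers with a 301 for any topic whose slug exists, and no permission check is visible in the hunk; unless `redirect_to_correct_topic` itself enforces `guardian.ensure_can_see!`, the difference between 301 and 404 becomes an existence oracle for topics in secure categories, which is the very mechanism the commit message recommends for hiding topics. Gating the redirect on the current user's read permission, e.g. `return redirect_to_correct_topic(topic, opts[:post_number]) if topic && guardian.can_see?(topic)`, keeps the 404 for topics the user cannot read while still correcting the URL for everyone else. If the helper already performs that check, a one-line comment at the call site saying so would settle it for the next reader. The enclosing action (presumably `show`, given the spec exercises `:show`) starts before the first hunk and continues past the third, so the behaviour of the later `TopicView` construction cannot be confirmed from here.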


@ -568,7 +568,14 @@ describe TopicsController do
end end
describe 'show unlisted' do describe 'show unlisted' do
it 'returns 404 unless exact correct URL' do it 'returns 301 even if slug does not match URL' do
# in the past we had special logic for unlisted topics
# we would require slug unless you made a json call
# this was not really providing any security
#
# we no longer require a topic be visible to perform url correction
# if you need to properly hide a topic for users use a secure category
# or a PM
topic = Fabricate(:topic, visible: false) topic = Fabricate(:topic, visible: false)
Fabricate(:post, topic: topic) Fabricate(:post, topic: topic)
@ -576,10 +583,10 @@ describe TopicsController do
expect(response).to be_success expect(response).to be_success
xhr :get, :show, topic_id: topic.id, slug: "just-guessing" xhr :get, :show, topic_id: topic.id, slug: "just-guessing"
expect(response.code).to eq("404") expect(response.code).to eq("301")
xhr :get, :show, id: topic.slug xhr :get, :show, id: topic.slug
expect(response.code).to eq("404") expect(response.code).to eq("301")
end end
end end
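Review bot: The rewritten expectations in the second hunk (`expect(response.code).to eq("301")`, twice) pin only the status code, so a regression that redirected to a wrong or unrelated URL would still pass. Asserting the target as well after each request, e.g. `expect(response).to redirect_to(topic.relative_url)` (adjusted for whatever suffix the controller appends to XHR/JSON redirects), makes the spec check what the commit message promises, namely correction to the topic's canonical URL. The `it` block opens in the first hunk of this file and the surrounding describe block is partly outside the hunks.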