SECURITY: do not show private topic title on /unsubscribed page

2025-02-25 18:55:32 -06:00 · 2018-04-16 10:14:43 +05:30
parent 6cce839f0a
commit a1ef455c78
4 changed files with 27 additions and 5 deletions
--- a/app/controllers/email_controller.rb
+++ b/app/controllers/email_controller.rb
@@ -110,10 +110,11 @@ class EmailController < ApplicationController

  def unsubscribed
    @email = params[:email]
+    @topic_id = params[:topic_id]
    user = User.find_by_email(params[:email])
    raise Discourse::NotFound unless user
-    @topic = Topic.find_by(id: params[:topic_id].to_i) if params[:topic_id]
-    raise Discourse::NotFound unless Guardian.new(user).can_see?(@topic)
+    topic = Topic.find_by(id: params[:topic_id].to_i) if @topic_id
+    @topic = topic if topic && Guardian.new(nil).can_see?(topic)
  end

 end
--- a/app/views/email/unsubscribed.html.erb
+++ b/app/views/email/unsubscribed.html.erb
@@ -7,8 +7,8 @@
  </p>

  <% if @topic %>
-  <p>
-    <%=t("unsubscribed.topic_description", link: render_topic_title(@topic)).html_safe%>
-  </p>
+    <p><%=t("unsubscribed.topic_description", link: render_topic_title(@topic)).html_safe%></p>
+  <% elsif @topic_id %>
+    <p><%=t("unsubscribed.private_topic_description")%></p>
  <% end %>
 </div>