SECURITY: User's read state for topic is leaked to unauthorized clients.

A user's read state for a topic, such as the last read post number and the notification level, is exposed.
Alan Guo Xiang Tan
2021-08-11 11:01:13 +08:00
parent 9a60c83535
commit aed65ec16d
3 changed files with 62 additions and 9 deletions


@@ -48,11 +48,54 @@ describe TopicTrackingState do
data = message.data
expect(message.user_ids).to contain_exactly(post.user.id)
expect(message.group_ids).to eq(nil)
expect(data["topic_id"]).to eq(topic.id)
expect(data["message_type"]).to eq(described_class::UNREAD_MESSAGE_TYPE)
expect(data["payload"]["archetype"]).to eq(Archetype.default)
end
it "does not publish whisper post to non-staff users" do
post.update!(post_type: Post.types[:whisper])
messages = MessageBus.track_publish(described_class.unread_channel_key(post.user_id)) do
TopicTrackingState.publish_unread(post)
end
expect(messages).to eq([])
post.user.grant_admin!
message = MessageBus.track_publish(described_class.unread_channel_key(post.user_id)) do
TopicTrackingState.publish_unread(post)
end.first
expect(message.user_ids).to contain_exactly(post.user_id)
expect(message.group_ids).to eq(nil)
end
it "correctly publishes unread for a post in a restricted category" do
group = Fabricate(:group)
category = Fabricate(:private_category, group: group)
post.topic.update!(category: category)
messages = MessageBus.track_publish(described_class.unread_channel_key(post.user_id)) do
TopicTrackingState.publish_unread(post)
end
expect(messages).to eq([])
group.add(post.user)
message = MessageBus.track_publish(described_class.unread_channel_key(post.user_id)) do
TopicTrackingState.publish_unread(post)
end.first
expect(message.user_ids).to contain_exactly(post.user_id)
expect(message.group_ids).to eq(nil)
end
describe 'for a private message' do
before do
TopicUser.change(