SECURITY: Remove indication that a group exists if user can't see it.

Minor security fix, but we should not leak any hint that a group exists
when a user does not have access to the group.
Guo Xiang Tan
2020-09-08 10:52:29 +08:00
parent 5ed84d9885
commit b0f22f2523
2 changed files with 5 additions and 5 deletions


@@ -357,7 +357,7 @@ describe GroupsController do
get "/groups/#{group.name}.json"
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end
it "returns the right response" do
@@ -430,7 +430,7 @@ describe GroupsController do
get "/groups/#{group.name}/posts.json"
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end
it "ensures the group members can be seen" do
@@ -473,7 +473,7 @@ describe GroupsController do
get "/groups/#{group.name}/members.json"
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end
it "ensures the group members can be seen" do
@@ -1888,7 +1888,7 @@ describe GroupsController do
get "/groups/#{group.name}/permissions.json"
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end
describe "with varying category permissions" do
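Review bot: The updated examples pin only the status code, so they would still pass if the 404 returned for a hidden group differed in body or headers from the 404 returned for a group name that does not exist, which is the hint the commit sets out to remove. In each of the four examples (`.json`, `/posts.json`, `/members.json`, `/permissions.json`), consider also requesting a name that no group has and asserting that the two responses match, e.g. `expect(response.body).to eq(missing_group_body)`, where `missing_group_body` is a constructed name for the body captured from that second request. A one-line comment such as `# 404, not 403: a hidden group must look the same as a missing one` above each expectation would record why the code is not 403. The enclosing `it` blocks begin outside the visible hunks, so the user and group-visibility setup is assumed here, not seen.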