discourse/app/controllers/user_actions_controller.rb
Andrei Prigorshnev b609f6c11c
FIX: restrict other user's notification routes (#14442)
It was possible to see notifications of other users using routes:
- notifications/responses
- notifications/likes-received
- notifications/mentions
- notifications/edits

We weren't showing anything private (like notifications about private messages), only things that are publicly available in other places. But anyway, it feels strange that it's possible to look at the notifications of someone else. Additionally, there is a risk that we could unintentionally leak something on these pages in the future.

This commit restricts these routes.
2021-09-29 16:24:28 +04:00


# frozen_string_literal: true
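class UserActionsController < ApplicationController
  # Page size used when the client does not send ?limit=.
  DEFAULT_LIMIT = 30

  # Upper bound on the page size a client may request via ?limit=. The
  # original code forwarded the raw integer to the stream query, so one
  # request could ask for an arbitrarily large number of rows.
  # NOTE(review): 100 is a defensive default — raise it if the front end
  # legitimately pages in larger batches.
  MAX_LIMIT = 100

  # GET /user_actions
  #
  # Renders the action stream (posts, likes, replies, ...) of the user named
  # by params[:username]. Visibility is delegated to the guardian: both the
  # profile and the requested action types must be viewable by the current
  # user; otherwise the request is answered with Discourse::NotFound (404),
  # presumably so that the existence of a hidden profile is not confirmed.
  #
  # Params:
  #   username            - required; whose stream to render
  #   filter              - comma-separated UserAction type ids; when absent,
  #                         private-message actions are excluded from the stream
  #   offset, limit       - paging; offset is clamped to >= 0, limit to
  #                         0..MAX_LIMIT (default DEFAULT_LIMIT)
  #   acting_username     - passed through to UserAction.stream
  #   no_results_help_key - translation key used when the stream is empty;
  #                         ".self" or ".others" is appended depending on
  #                         whether the viewer is looking at their own stream
  #
  # Raises Discourse::NotFound when the profile or the action types are not
  # visible to the current user.
  def index
    params.require(:username)
    # `permit` here does not restrict anything read via params[...] below; it
    # only marks these keys as permitted for mass assignment and for
    # unpermitted-parameter logging. Every value is still sanitised individually.
    params.permit(:filter, :offset, :acting_username, :limit, :no_results_help_key)

    # Inactive accounts are only resolvable by staff, or by logged-in users
    # when the site opts in; for everyone else they behave as if absent.
    include_inactive =
      current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts)
    user = fetch_user_from_params(include_inactive: include_inactive)

    offset = [0, params[:offset].to_i].max
    limit = params.fetch(:limit, DEFAULT_LIMIT).to_i.clamp(0, MAX_LIMIT)
    action_types = (params[:filter] || "").split(",").map(&:to_i)

    raise Discourse::NotFound unless guardian.can_see_profile?(user)
    raise Discourse::NotFound unless guardian.can_see_user_actions?(user, action_types)

    opts = {
      user_id: user.id,
      user: user,
      offset: offset,
      limit: limit,
      action_types: action_types,
      guardian: guardian,
      # An explicit filter means the caller chose its action types (and
      # guardian.can_see_user_actions? was consulted for them above); the
      # unfiltered default stream must never include private-message actions.
      ignore_private_messages: params[:filter] ? false : true,
      acting_username: params[:acting_username]
    }

    stream = UserAction.stream(opts).to_a
    help_key = params['no_results_help_key']

    # Only a non-empty String is accepted as a key: an array-valued param
    # (no_results_help_key[]=x) would otherwise raise on string concatenation.
    if stream.empty? && help_key.is_a?(String) && !help_key.empty?
      # NOTE(review): the key is client-supplied and passed straight to I18n.
      # Only translation text can be read this way, but if the set of keys the
      # client sends is known, an allowlist would be tighter.
      render json: {
        # Kept as the singular `user_action` for compatibility with existing
        # clients, even though the non-empty response uses a `user_actions` root.
        user_action: [],
        no_results_help: I18n.t(scoped_help_key(help_key, user))
      }
    else
      render_serialized(stream, UserActionSerializer, root: 'user_actions')
    end
  end

  # GET /user_actions/:id
  #
  # Renders a single stream item. Visibility is enforced by
  # UserAction.stream_item through the guardian handed to it.
  def show
    params.require(:id)
    render_serialized(UserAction.stream_item(params[:id], guardian), UserActionSerializer)
  end

  # Intentionally empty so the route resolves to this controller; what is
  # rendered then follows ApplicationController's defaults, not visible here.
  # DO NOT REMOVE
  # TODO should preload messages to avoid extra http req
  def private_messages
  end

  private

  # Appends ".self" when the stream being viewed belongs to the current user
  # and ".others" otherwise, so the client can show the matching help text.
  def scoped_help_key(help_key, user)
    suffix = user.id == guardian.user.try(:id) ? ".self" : ".others"
    "#{help_key}#{suffix}"
  end
end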