mirror of
https://github.com/discourse/discourse.git
synced 2024-11-30 12:43:54 -06:00
5a2ad7e386
We shouldn't be checking if a user is allowed to do an action in the logger. We should be checking it just before we perform the action. In fact, guardians in the logger can make things even worse in case of a security bug. Let's say we forgot to check user's permissions before performing some action, but we still have a call to the guardian in the logger. In this case, a user would perform the action anyway, and this action wouldn't even be logged! I've checked all cases and I confirm that we're safe to delete this calls from the logger. I've added two calls to guardians in admin/user_controller. We didn't have security bugs there, because regular users can't access admin/... routes at all. But it's good to have calls to guardian in these methods anyway, neighboring methods have them.
66 lines
1.5 KiB
Ruby
66 lines
1.5 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class GroupActionLogger
|
|
|
|
def initialize(acting_user, group)
|
|
@acting_user = acting_user
|
|
@group = group
|
|
end
|
|
|
|
def log_make_user_group_owner(target_user)
|
|
GroupHistory.create!(default_params.merge(
|
|
action: GroupHistory.actions[:make_user_group_owner],
|
|
target_user: target_user
|
|
))
|
|
end
|
|
|
|
def log_remove_user_as_group_owner(target_user)
|
|
GroupHistory.create!(default_params.merge(
|
|
action: GroupHistory.actions[:remove_user_as_group_owner],
|
|
target_user: target_user
|
|
))
|
|
end
|
|
|
|
def log_add_user_to_group(target_user)
|
|
GroupHistory.create!(default_params.merge(
|
|
action: GroupHistory.actions[:add_user_to_group],
|
|
target_user: target_user
|
|
))
|
|
end
|
|
|
|
def log_remove_user_from_group(target_user)
|
|
GroupHistory.create!(default_params.merge(
|
|
action: GroupHistory.actions[:remove_user_from_group],
|
|
target_user: target_user
|
|
))
|
|
end
|
|
|
|
def log_change_group_settings
|
|
@group.previous_changes.except(*excluded_attributes).each do |attribute_name, value|
|
|
next if value[0].blank? && value[1].blank?
|
|
|
|
GroupHistory.create!(default_params.merge(
|
|
action: GroupHistory.actions[:change_group_setting],
|
|
subject: attribute_name,
|
|
prev_value: value[0],
|
|
new_value: value[1]
|
|
))
|
|
end
|
|
end
|
|
|
|
private
|
|
|
|
def excluded_attributes
|
|
[
|
|
:bio_cooked,
|
|
:updated_at,
|
|
:created_at,
|
|
:user_count
|
|
]
|
|
end
|
|
|
|
def default_params
|
|
{ group: @group, acting_user: @acting_user }
|
|
end
|
|
end
|