SECURITY: only add elided part of email in PM

2024-11-27 09:36:19 -05:00 · 2016-03-17 23:10:46 +01:00 · 2016-03-17 23:10:46 +01:00 · 03a1aa0000
commit 03a1aa0000
parent 1b4e0f3300
2 changed files with 19 additions and 9 deletions
--- a/lib/email/receiver.rb
+++ b/lib/email/receiver.rb
@ -55,16 +55,9 @@ module Email
      user = find_or_create_user(@from_email, @from_display_name)
      @incoming_email.update_columns(user_id: user.id)

-      body, elided = select_body
+      body, @elided = select_body
      body ||= ""

-      if elided.present?
-        body << "\n\n" << "<details class='elided'>" << "\n"
-        body << "<summary title='#{I18n.t('emails.incoming.show_trimmed_content')}'>&#183;&#183;&#183;</summary>" << "\n"
-        body << elided << "\n"
-        body << "</details>" << "\n"
-      end
-
      raise AutoGeneratedEmailError if is_auto_generated?
      raise NoBodyDetectedError     if body.blank? && !@mail.has_attachments?
      raise InactiveUserError       if !user.active && !user.staged
@ -358,6 +351,14 @@ module Email
      # ensure posts aren't created in the future
      options[:created_at] = [@mail.date, DateTime.now].min

+      # only add elided part in messages
+      if @elided.present? && options[:topic].try(:private_message?)
+        options[:raw] << "\n\n" << "<details class='elided'>" << "\n"
+        options[:raw] << "<summary title='#{I18n.t('emails.incoming.show_trimmed_content')}'>&#183;&#183;&#183;</summary>" << "\n"
+        options[:raw] << @elided << "\n"
+        options[:raw] << "</details>" << "\n"
+      end
+
      manager = NewPostManager.new(options[:user], options)
      result = manager.perform

--- a/spec/components/email/receiver_spec.rb
+++ b/spec/components/email/receiver_spec.rb
@ -119,7 +119,7 @@ describe Email::Receiver do

    it "removes the 'on <date>, <contact> wrote' quoting line" do
      expect { process(:on_date_contact_wrote) }.to change { topic.posts.count }
-      expect(topic.posts.last.raw).to eq("This is the actual reply.\n\n<details class='elided'>\n<summary title='Show trimmed content'>&#183;&#183;&#183;</summary>\nOn Tue, Jan 14, 2016 at 0:42 AM, Bar Foo <wat@discourse.org> wrote:\n\n> This is the previous email.\n> And it had\n>\n> a lot\n>\n>\n> of lines ;)\n</details>")
+      expect(topic.posts.last.raw).to eq("This is the actual reply.")
    end

    it "removes the 'Previous Replies' marker" do
@ -193,6 +193,15 @@ describe Email::Receiver do
    end

    it "strips 'original message' context" do
+      expect { process(:original_message) }.to change { topic.posts.count }
+      expect(topic.posts.last.raw).to eq("This is a reply :)")
+    end
+
+    it "add the 'elided' part of the original message only for private messages" do
+      topic.update_columns(category_id: nil, archetype: Archetype.private_message)
+      topic.allowed_users << user
+      topic.save
+
      expect { process(:original_message) }.to change { topic.posts.count }
      expect(topic.posts.last.raw).to eq("This is a reply :)\n\n<details class='elided'>\n<summary title='Show trimmed content'>&#183;&#183;&#183;</summary>\n---Original Message---\nThis part should not be included\n</details>")
    end