SECURITY: TopicView not correctly restricting to topic

This commit is contained in:
Sam 2014-05-29 21:55:55 +10:00
parent cc473f1c5d
commit 2ad756464e
2 changed files with 24 additions and 12 deletions

View file

@ -276,7 +276,7 @@ class TopicView
def filter_posts_by_ids(post_ids)
# TODO: Sort might be off
@posts = Post.where(id: post_ids)
@posts = Post.where(id: post_ids, topic_id: @topic.id)
.includes(:user)
.includes(:reply_to_user)
.order('sort_order')

View file

@ -221,7 +221,7 @@ describe TopicView do
let!(:p3) { Fabricate(:post, topic: topic, user: first_poster)}
before do
SiteSetting.stubs(:posts_per_page).returns(3)
SiteSetting.posts_per_page = 3
# Update them to the sort order we're checking for
[p1, p2, p3, p4, p5, p6].each_with_index do |p, idx|
@ -233,21 +233,33 @@ describe TopicView do
end
describe "contains_gaps?" do
it "does not contain contains_gaps with default filtering" do
it "works" do
# does not contain contains_gaps with default filtering
topic_view.contains_gaps?.should be_false
end
it "contains contains_gaps when filtered by username" do
# contains contains_gaps when filtered by username" do
TopicView.new(topic.id, coding_horror, username_filters: ['eviltrout']).contains_gaps?.should be_true
end
it "contains contains_gaps when filtered by summary" do
# contains contains_gaps when filtered by summary
TopicView.new(topic.id, coding_horror, filter: 'summary').contains_gaps?.should be_true
end
it "contains contains_gaps when filtered by best" do
# contains contains_gaps when filtered by best
TopicView.new(topic.id, coding_horror, best: 5).contains_gaps?.should be_true
end
end
it "#restricts to correct topic" do
t2 = Fabricate(:topic)
category = Fabricate(:category, name: "my test")
category.set_permissions(Group[:admins] => :full)
category.save
topic.category_id = category.id
topic.save!
expect{
TopicView.new(topic.id, coding_horror).posts.count
}.to raise_error(Discourse::InvalidAccess)
TopicView.new(t2.id, coding_horror, post_ids: [p1.id,p2.id]).posts.count.should == 0
end