From 2ad756464eb1d2fcf04a6494d44d63b3be478531 Mon Sep 17 00:00:00 2001 From: Sam Date: Thu, 29 May 2014 21:55:55 +1000 Subject: [PATCH] SECURITY: TopicView not correctly restricting to topic --- lib/topic_view.rb | 2 +- spec/components/topic_view_spec.rb | 34 ++++++++++++++++++++---------- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/lib/topic_view.rb b/lib/topic_view.rb index 936fe77c0..237c9eafe 100644 --- a/lib/topic_view.rb +++ b/lib/topic_view.rb @@ -276,7 +276,7 @@ class TopicView def filter_posts_by_ids(post_ids) # TODO: Sort might be off - @posts = Post.where(id: post_ids) + @posts = Post.where(id: post_ids, topic_id: @topic.id) .includes(:user) .includes(:reply_to_user) .order('sort_order') diff --git a/spec/components/topic_view_spec.rb b/spec/components/topic_view_spec.rb index dc20826c0..5d536973f 100644 --- a/spec/components/topic_view_spec.rb +++ b/spec/components/topic_view_spec.rb @@ -221,7 +221,7 @@ describe TopicView do let!(:p3) { Fabricate(:post, topic: topic, user: first_poster)} before do - SiteSetting.stubs(:posts_per_page).returns(3) + SiteSetting.posts_per_page = 3 # Update them to the sort order we're checking for [p1, p2, p3, p4, p5, p6].each_with_index do |p, idx| 
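Review bot: The new `topic_id: @topic.id` condition in `filter_posts_by_ids` is the whole fix, yet the only comment on the method is still `# TODO: Sort might be off`, so nothing tells the next maintainer that the scope is a security boundary rather than a query optimisation. Because `post_ids` is supplied by the caller, a later refactor that rebuilds this `Post.where` without the topic condition would silently reopen the cross-topic read the commit title describes; I would add directly above the query `# post_ids come from the caller: scoping by @topic.id is what stops this view from returning posts of another topic — keep it even when the query is rewritten.` This presumes `@topic` is already loaded by the time `filter_posts_by_ids` runs, which happens outside the hunk. The hunk header counts seven lines per side but only six are visible here, so the end of the method lies outside what I can see.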
@@ -233,21 +233,33 @@ describe TopicView do end describe "contains_gaps?" do - it "does not contain contains_gaps with default filtering" do + it "works" do + # does not contain contains_gaps with default filtering topic_view.contains_gaps?.should be_false - end - - it "contains contains_gaps when filtered by username" do + # contains contains_gaps when filtered by username" do TopicView.new(topic.id, coding_horror, username_filters: ['eviltrout']).contains_gaps?.should be_true - end - - it "contains contains_gaps when filtered by summary" do + # contains contains_gaps when filtered by summary TopicView.new(topic.id, coding_horror, filter: 'summary').contains_gaps?.should be_true - end - - it "contains contains_gaps when filtered by best" do + # contains contains_gaps when filtered by best TopicView.new(topic.id, coding_horror, best: 5).contains_gaps?.should be_true end + end + + it "#restricts to correct topic" do + t2 = Fabricate(:topic) + + category = Fabricate(:category, name: "my test") + category.set_permissions(Group[:admins] => :full) + category.save + + topic.category_id = category.id + topic.save! + + expect{ + TopicView.new(topic.id, coding_horror).posts.count + }.to raise_error(Discourse::InvalidAccess) + + TopicView.new(t2.id, coding_horror, post_ids: [p1.id,p2.id]).posts.count.should == 0 end
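Review bot: The comment `# contains contains_gaps when filtered by username" do` keeps a stray `" do` from the old example title; it should read `# contains contains_gaps when filtered by username`. Merging the four examples into one `it "works"` means any of the four assertions now fails under the same example name, so these comments are the only pointer to which filter broke and are worth keeping accurate. In the new `#restricts to correct topic` example only the final `TopicView.new(t2.id, coding_horror, post_ids: [p1.id,p2.id]).posts.count.should == 0` exercises the `topic_id` scope added in lib/topic_view.rb; the `expect { … }.to raise_error(Discourse::InvalidAccess)` above it checks category permissions on `topic`, a different guard, and `category.save` (no bang) would not surface a failed save, so that first assertion could fail for an unrelated reason. I would use `category.save!` there and either split the two checks into separate examples or name both concerns in the title.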